Dark Web Profile: Cactus Ransomware – SOCRadar® Cyber Intelligence Inc.

SOCRadar profiles the Cactus Ransomware Group, detailing its self-encrypting ransomware, evasion techniques, and double-extortion tactics used against organizations worldwide. The piece highlights VPN exploitation, a multi-layer infection chain, and a Tor-based data-leak ecosystem with notable victims like Hurley Group and RICOR Global Limited.

Key Points

  • The Cactus Ransomware Group emerged around March 2023 and targets VPN vulnerabilities to gain initial access.
  • It uses evasion techniques and a dynamic encryption approach to hinder detection and analysis.
  • The ransomware employs a complex infection chain with obfuscation, UPX packing, and multiple encryption tools (OpenSSL, AES-OCB, ChaCha20_Poly1305).
  • Double extortion is used via a data-leak portal on the dark web (Tor), threatening public data exposure.
  • The group has broad targets across Manufacturing and Professional Services, with the United States accounting for a majority of victims.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – ‘The initial access is indicated by the exploitation of VPN vulnerabilities.’
  • [T1059] Command and Scripting Interpreter – ‘a batch script to execute the ransomware sample using 7-Zip’
  • [T1047] Windows Management Instrumentation – ‘Windows Management Instrumentation’ used as part of execution/persistence
  • [T1129] Shared Modules – ‘utilizing multiple tools and techniques’ in the infection chain
  • [T1072] Software Deployment Tools – ‘managing operations with SuperOps RMM’
  • [T1574.002] DLL Side-Loading – ‘DLL Side-Loading’ to load components
  • [T1053] Scheduled Task/Job – ‘creating a scheduled task named “Updates Check Task”’
  • [T1053.005] Scheduled Task – ‘runs every 5 minutes’
  • [T1136] Create Account – ‘establishing persistence via account creation’
  • [T1055] Process Injection – ‘Process Injection’ listed under Privilege Escalation/Defense Evasion
  • [T1027] Obfuscated Files or Information – ‘obfuscation to conceal its activities’
  • [T1562] Impair Defenses – ‘Impair Defenses’
  • [T1562.001] Disable or Modify Tools – ‘Disable or Modify Tools’
  • [T1027.002] Software Packing – ‘UPX packing’
  • [T1056] Input Capture – ‘Credential Access: Input Capture’
  • [T1555] Credentials from Password Stores – ‘Credentials from Password Stores’
  • [T1555.003] Credentials from Web Browsers – ‘Credentials from Web Browsers’
  • [T1003] OS Credential Dumping – ‘OS Credential Dumping’
  • [T1082] System Information Discovery – ‘System Information Discovery’
  • [T1518.001] Security Software Discovery – ‘Security Software Discovery’
  • [T1018] Remote System Discovery – ‘Remote System Discovery’
  • [T1057] Process Discovery – ‘Process Discovery’
  • [T1083] File and Directory Discovery – ‘File and Directory Discovery’
  • [T1497] Virtualization/Sandbox Evasion – ‘Virtualization/Sandbox Evasion’
  • [T1049] System Network Connections Discovery – ‘System Network Connections Discovery’
  • [T1087] Account Discovery – ‘Account Discovery’
  • [T1021] Remote Services – ‘Remote Services’
  • [T1021.001] Remote Services: Remote Desktop Protocol – ‘Remote Desktop Protocol’
  • [T1570] Lateral Tool Transfer – ‘Lateral Tool Transfer’
  • [T1119] Automated Collection – ‘Automated Collection’
  • [T1071] Application Layer Protocol – ‘Application Layer Protocol’
  • [T1095] Non-Application Layer Protocol – ‘Non-Application Layer Protocol’
  • [T1571] Non-Standard Port – ‘Non-Standard Port’
  • [T1573] Encrypted Channel – ‘Encrypted Channel’
  • [T1219] Remote Access Software – ‘Remote Access Software’
  • [T1090] Proxy – ‘Proxy’
  • [T1567] Exfiltration Over Web Service – ‘Exfiltration Over Web Service’
  • [T1567.002] Exfiltration to Cloud Storage – ‘Exfiltration to Cloud Storage’
  • [T1486] Data Encrypted for Impact – ‘Data Encrypted for Impact’

Indicators of Compromise

  • [IP] 163.123.142[.]213 – observed as part of attacker infrastructure
  • [Hash] b9ef2e948a9b49a6930fc190b22cbdb3571579d37a4de56564e41a2ef736767b – sample SHA256
  • [Hash] 5b70972c72bf8af098350f8a53ec830ddbd5c2c7809c71649c93f32a8a3f1371 – sample SHA256
  • [Hash] 78c16de9fc07f1d0375a093903f86583a4e32037a7da8aa2f90ecb15c4862c17 – sample SHA256
  • [Hash] 248795453ceb95e39db633285651f7204813ea3a – sample SHA1 (40 hex characters)
  • [Hash] 6715b888a280d54de9a8482e40444087fd4d5fe8 – sample SHA1 (40 hex characters)
  • [Hash] 78aea93137be5f10e9281dd578a3ba73 – sample MD5 (32 hex characters)
  • [File name] cAcTuS.readme.txt – Ransom note associated with the attack

Read more: https://socradar.io/dark-web-profile-cactus-ransomware/