Prickly Cactus (Cactus) ransomware gains access by exploiting vulnerabilities in externally facing VPNs and uses SSH for C2, deploying double extortion with encryption and data exfiltration. AttackIQโs emulation template models Cactus-like TTPs to help security teams test and improve detection and response capabilities. #CactusRansomware #PricklyCactus #Trellix #ShadowStackRE #SecurityScorecard
Keypoints
- Cactus typically gains initial access by exploiting vulnerabilities in publicly facing VPNs and establishes SSH as the C2 channel.
- It uses double extortion, encrypting data and exfiltrating it to pressure victims to pay.
- AttackIQ released a dedicated emulation template to assess security controls against Cactus-like behaviors and validate detection/prevention pipelines.
- The emulation covers early actions (persistence, account creation, and SSH usage) such as creating a new local admin account and using scheduled tasks for persistence.
- Payload staging and delivery rely on RunOnce registry Run Keys, encoded PowerShell, and Ingress Tool Transfer to fetch/load components (e.g., f2.bat).
- The ransomware deployment sequence includes data encryption, shadow copy deletion, and system discovery (process, disk, and file enumeration).
- The article maps multiple MITRE techniques (e.g., T1105, T1053.005, T1486, T1547.001) and provides detection/mitigation guidance for defenders.
MITRE Techniques
- [T1021.004] SSH โ Brief description of how it was used. โThis scenario will initiate an SSH connection to an external AttackIQ-hosted server to exercise restrictions in outbound traffic.โ
- [T1053.005] Scheduled Task โ Brief description of how it was used. โThis scenario acquires persistence through the creation of a new scheduled task using the schtasks utility.โ
- [T1136.001] Create Account: Local Account โ Brief description of how it was used. โThis scenario creates a new account with the name AdmInBac using the net user command.โ
- [T1098] Account Manipulation โ Brief description of how it was used. โThis scenario adds a local user to a local group using the net localgroup command.โ
- [T1105] Ingress Tool Transfer โ Brief description of how it was used. โThis scenario downloads to memory and saves to disk in independent scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.โ
- [T1547.001] Run Keys/Startup Folder โ Brief description of how it was used. โThis scenario sets the HKLMSoftwareMicrosoftWindowsCurrentVersionRunOnce registry key that Windows uses to identify what applications should be run at system startup.โ
- [T1059.001] PowerShell โ Brief description of how it was used. โThis scenario encodes a user-defined PowerShell script into base64 and then executes it using PowerShellโs -encodedCommand parameter.โ
- [T1490] Inhibit System Recovery โ Brief description of how it was used. โThis scenario executes the vssadmin.exe utility to delete a recent Volume Shadow Copy created by the assessment template.โ
- [T1486] Data Encrypted for Impact โ Brief description of how it was used. โThis scenario performs the file encryption routines used by common ransomware families.โ
Indicators of Compromise
- [File] f2.bat, vssadmin.exe โ Stage payloads and utility usage during deployment. โ f2.bat, vssadmin.exe
- [Registry] RunOnce key HKLMSoftwareMicrosoftWindowsCurrentVersionRunOnce โ Used to run persistence items at startup. โ HKLMSoftwareMicrosoftWindowsCurrentVersionRunOnce
- [Process] powershell.exe, cmd.exe โ PowerShell and CMD usage during execution. โ powershell.exe, cmd.exe
- [Event] Event ID 4624 โ Logs of user logons that provide onboarding context. โ Event ID 4624
- [Account] AdmInBac โ Local user created for persistence. โ AdmInBac
Read more: https://www.attackiq.com/2024/07/25/emulating-prickly-cactus/