Keypoints
- CACTUS ransomware appends extensions such as “.cts1” and “.cts2” (observed also as “.cts7”) and leaves a ransom note named “cAcTuS.readme.txt”.
- Initial access was achieved via exploitation of Qlik vulnerabilities (CVE-2023-41266, CVE-2023-41265, CVE-2023-48365) and through compromised VPN services.
- Attackers downloaded a masqueraded payload (“putty.zip”, in fact a PuTTY Link executable) over HTTP using a PowerShell user agent and executed it.
- Post-compromise activity included SMB/RDP/LDAP scanning, lateral movement, RDP sessions to an internal DNS server, and brute-force Kerberos authentication attempts for the account “service_qlik”.
- Beaconing to the domain zohoservice[.]net (45.61.147.176) on unusual ports, with over 1,000 connections observed, indicated C2 activity leading up to ransomware deployment.
- Darktrace DETECT models flagged masqueraded downloads, anomalous PowerShell usage, suspicious SMB scanning, and ransom-note SMB writes; RESPOND could have blocked progression if set to autonomous mode.
- Operators attempted to hide evidence by deleting encrypted files after deployment, consistent with defense-evasion behaviors.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Exploited Qlik vulnerabilities to gain access (‘exploiting the Qlik vulnerabilities on one of the customer’s critical servers’).
- [T1071.001] Web Protocols (Command and Control) – C2 beaconing to an external host over HTTP/TCP (‘server device making beaconing connections… to the endpoint “zohoservice[.]net” (IP address: 45.61.147.176) over the course of three days’).
- [T1059.001] PowerShell – Use of PowerShell to download and execute a payload (‘downloading the file “putty.zip” over a HTTP connection using a PowerShell user agent’).
- [T1036] Masquerading – Payload presented as a .zip but was an executable (‘labelled as a .zip file… identified this as a masqueraded PuttyLink executable file’).
- [T1046] Network Service Discovery – Scanning internal SMB, RDP and LDAP services to identify reachable hosts (‘engaging in unusual network scanning activity over the SMB, RDP and LDAP protocols’).
- [T1021.001] Remote Services: RDP – Lateral movement using RDP sessions to internal servers (‘initiating multiple sessions over the RDP protocol to another device… an internal DNS server’).
- [T1110] Brute Force – Credential brute-force attempts against Kerberos for the “service_qlik” account (‘over 20,000 failed Kerberos authentication attempts for the username “service_qlik”’).
- [T1486] Data Encrypted for Impact – Encryption of files with CACTUS extensions and dropping of ransom notes (‘encrypting files within the customer’s environment with the extensions “.cts1” and “.cts7”’ and ‘writing ransom notes with the file name “cAcTuS.readme.txt”’).
- [T1070.004] File Deletion – Attempts to remove evidence by deleting encrypted files (‘attempting to remove evidence of this activity by deleting the encrypted files’).
Indicators of Compromise
- [Domain/IP] C2 hosting – zohoservice[.]net (45.61.147.176) hosting malicious payloads and observed beaconing.
- [Filename] Initial payload – putty.zip (masqueraded .exe / PuTTY Link payload) observed downloaded via HTTP.
- [Filename] Ransom note – cAcTuS.readme.txt written to multiple internal SMB shares.
- [File extension] Encrypted file suffixes – .cts1, .cts7 appended to encrypted files.
- [User agent] Execution context – PowerShell user agent string (e.g., “Mozilla/5.0 … WindowsPowerShell/5.1.17763.2183”) used during download.
- [Credential/Account] Account targeted – “service_qlik” observed in brute-force Kerberos authentication attempts.
Darktrace documented the technical kill chain of a CACTUS ransomware intrusion that began with either exploitation of Qlik Sense vulnerabilities or abuse of compromised VPN access to achieve initial access. Attackers delivered a masqueraded payload (downloaded as “putty.zip” over HTTP using a PowerShell user agent) that was actually a PuTTY Link executable; this triggered multiple DETECT models for anomalous PowerShell use and masqueraded file types. The compromised server beaconed repeatedly to the external host zohoservice[.]net (45.61.147.176), indicating C2 communications.
After execution, the intruders performed internal discovery and lateral movement by scanning SMB, RDP and LDAP, establishing RDP sessions to an internal DNS server, and attempting brute-force Kerberos logins for the “service_qlik” account (over 20,000 failures observed). These activities supported credential access and movement across the network and resembled previously observed Qlik-exploitation chains involving Plink for tunneling.
Ultimately the attackers deployed CACTUS ransomware components that encrypted files (appending .cts1/.cts7), wrote the ransom note cAcTuS.readme.txt to SMB shares, and later attempted to delete encrypted files to remove evidence. Darktrace’s anomaly-based detections flagged the beaconing, masqueraded download, abnormal PowerShell usage, suspicious SMB writes, and the large-scale Kerberos failures; had RESPOND been active in autonomous mode, these detections could have been used to contain the attack earlier.
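As an added example (not Darktrace's code or the page's own), the following Python turns the indicators listed above into detection logic and runs it over constructed sample telemetry: an HTTP download whose .zip name hides a PE header, fetched with a PowerShell user agent from the C2 host; SMB writes of cAcTuS.readme.txt and .ctsN files; and per-account Kerberos failure counts. The event field names, the benign hosts, the share names and the failure threshold are assumptions.

```python
import os
import re
from collections import Counter
# Constructed sample telemetry (not from the page); values mirror the indicators listed above.
HTTP_DOWNLOADS = [
    {"src": "10.0.0.12", "host": "zohoservice[.]net", "path": "/putty.zip",
     "user_agent": "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17763.2183",
     "magic": b"MZ\x90\x00"},  # PE header behind a .zip name
    {"src": "10.0.0.40", "host": "files.example.test", "path": "/tools.zip",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0", "magic": b"PK\x03\x04"},
]
SMB_WRITES = [
    {"src": "10.0.0.12", "share": r"\\fs01\finance", "file": "Q3.xlsx.cts1"},
    {"src": "10.0.0.12", "share": r"\\fs01\finance", "file": "cAcTuS.readme.txt"},
    {"src": "10.0.0.12", "share": r"\\fs02\hr", "file": "cAcTuS.readme.txt"},
    {"src": "10.0.0.55", "share": r"\\fs01\finance", "file": "notes.docx"},
]
KERBEROS_FAILURES = [("service_qlik", "KDC_ERR_PREAUTH_FAILED")] * 20001 + [("jdoe", "KDC_ERR_PREAUTH_FAILED")] * 3
C2_HOSTS = {"zohoservice[.]net", "45.61.147.176"}  # defanged, as listed on the page
MAGIC = {".zip": b"PK\x03\x04", ".exe": b"MZ"}     # expected leading bytes per extension
ENCRYPTED_EXT = re.compile(r"\.cts\d+$", re.IGNORECASE)

def flag_masqueraded_downloads(events):
    """Return (src, reasons) for downloads resembling the putty.zip delivery."""
    hits = []
    for ev in events:
        ext = os.path.splitext(ev["path"])[1].lower()
        checks = [
            (ext in MAGIC and not ev["magic"].startswith(MAGIC[ext]), "content does not match extension"),
            ("WindowsPowerShell" in ev["user_agent"], "PowerShell user agent"),
            (ev["host"] in C2_HOSTS, "known C2 host"),
        ]
        reasons = [label for hit, label in checks if hit]
        if reasons:
            hits.append((ev["src"], reasons))
    return hits

def flag_ransomware_smb_writes(writes):
    """Return {src: shares} for hosts writing ransom notes or .ctsN files."""
    touched = {}
    for w in writes:
        name = w["file"].lower()
        if name == "cactus.readme.txt" or ENCRYPTED_EXT.search(name):
            touched.setdefault(w["src"], set()).add(w["share"])
    return touched

def flag_kerberos_bruteforce(failures, threshold=1000):
    """Return {account: failures} for accounts above the threshold."""
    counts = Counter(account for account, _ in failures)
    return {acct: n for acct, n in counts.items() if n > threshold}
```

The file-type check relies on the first bytes of the fetched content, so it needs proxy or sensor telemetry that records them; the share count per writer is what distinguishes a single note from a campaign across shares.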