The ransomware ecosystem has changed rapidly over the last few years as threat actors have moved to stealthier initial access methods, stronger evasion, and cloud-based data exfiltration. Within that ecosystem, Cactus has reached a level of technical sophistication and operational persistence that rivals any ransomware operation active today. Active since 2023, the group has scaled its impact quickly, using VPN exploitation, covert tunnelling and an unusual encrypted-payload workflow against large organizations across the United States, the United Kingdom, and parts of Europe.

Introduction: A New Generation of Ransomware Threat Actor
Cactus is a new, fast-moving ransomware actor that fuses conventional double extortion with novel evasion techniques. Unlike many of its contemporaries, Cactus shows a solid understanding of enterprise network architecture and the ability to exploit VPN appliance vulnerabilities at scale.
Cactus illustrates a broader trend: ransomware actors no longer rely solely on phishing or brute-force entry. Instead, they exploit weaknesses in remote access infrastructure, which many organizations still struggle to secure. This targeting allowed Cactus to claim more than 100 victims by early 2025.
Identity & Motivation
The Cactus ransomware actor is financially motivated and operates as a professionalized criminal enterprise whose leverage comes from operational disruption and extortion. Several cybersecurity vendors track an actor deploying Cactus under alternative designations, including GOLD VILLAGE, TA2101, Storm-0216 (formerly DEV-0216), UNC2198 and TWISTED SPIDER, as well as the informal name Maze Team; all of these names have been associated with advanced extortion campaigns, in some cases with direct ties to the now-defunct Maze ransomware operation.
The Cactus ransomware group focuses on:
– Large-scale extortion combining encryption and data theft
– Operational disruption to increase ransom pressure
– Monetizing valid credentials and sensitive PII
This overlap with actors historically willing to inflict damage suggests either a legacy operational link or access to experienced intrusion operators, and in any case a high level of ambition.
TTPs: How Cactus Infiltrates and Compromises Networks
A combination of stealth, technical sophistication, and tool variety sets Cactus apart. The techniques the group employs indicate that it knows where defenders' blind spots are.
Initial Access: Exploiting VPN Weaknesses
Cactus is best known for exploiting VPN appliance vulnerabilities, especially on appliances running unpatched or end-of-life firmware.
Observed entry methods include:
– exploitation of remote access services (zero-days and n-days affecting VPN appliances)
– harvesting credentials from an exposed management or login interface
– password spraying and brute-force attempts against internet-facing systems
This is how Cactus bypasses email security controls entirely and lands directly inside the corporate network.
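The password-spraying entry path above is hard to catch with per-account lockout thresholds, because a spray touches many accounts a few times each. The following is an added example (not the article's own material and not any vendor's tooling) that groups failed VPN logins by source address inside a sliding window and then reports any account that later succeeded from a spraying source. The log format, addresses and usernames in SAMPLE_LOG are constructed for the demo; a real appliance logs in its own schema, so only LOG_RE would need adapting.

```python
"""Password-spray detection over constructed VPN authentication logs.

Added example, not part of the original article or any vendor's tooling.
The log format, IP addresses and usernames are invented for the demo; real
appliances log in their own schema, so only LOG_RE needs adapting."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) vpn auth (?P<result>FAIL|OK) "
    r"user=(?P<user>\S+) src=(?P<src>\d{1,3}(?:\.\d{1,3}){3})$"
)

# Constructed sample: one source sprays six accounts and then succeeds on one,
# a second source brute-forces a single account, a third is normal user traffic.
SAMPLE_LOG = """\
2025-01-14T02:00:01 vpn auth FAIL user=a.smith src=203.0.113.7
2025-01-14T02:00:48 vpn auth FAIL user=b.jones src=203.0.113.7
2025-01-14T02:01:30 vpn auth FAIL user=c.patel src=203.0.113.7
2025-01-14T02:02:12 vpn auth FAIL user=d.ortiz src=203.0.113.7
2025-01-14T02:03:05 vpn auth FAIL user=e.nakamura src=203.0.113.7
2025-01-14T02:04:11 vpn auth FAIL user=f.chen src=203.0.113.7
2025-01-14T02:06:40 vpn auth OK user=f.chen src=203.0.113.7
2025-01-14T02:10:00 vpn auth FAIL user=j.doe src=198.51.100.9
2025-01-14T02:10:02 vpn auth FAIL user=j.doe src=198.51.100.9
2025-01-14T02:10:04 vpn auth FAIL user=j.doe src=198.51.100.9
2025-01-14T02:10:06 vpn auth FAIL user=j.doe src=198.51.100.9
2025-01-14T02:10:08 vpn auth FAIL user=j.doe src=198.51.100.9
2025-01-14T08:15:22 vpn auth FAIL user=a.smith src=192.0.2.5
2025-01-14T08:15:40 vpn auth OK user=a.smith src=192.0.2.5
2025-01-14T08:15:41 kernel: link up eth0
"""


def parse(lines):
    """Return (timestamp, result, user, src) tuples for matching lines, time-sorted."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:  # unrelated syslog lines are skipped
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return sorted(events)


def find_sprays(lines, window=timedelta(minutes=10), min_users=5):
    """Map each spraying source IP to every account it failed against.

    A spray is many accounts with few attempts each, so per-account lockout
    never trips; grouping failures by source inside a sliding window exposes
    it. A source hammering one account (classic brute force) is deliberately
    not reported here, because ordinary lockout policy already catches that."""
    fails = defaultdict(list)
    for ts, result, user, src in parse(lines):
        if result == "FAIL":
            fails[src].append((ts, user))
    sprays = {}
    for src, attempts in fails.items():
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            if len({u for _, u in attempts[start:end + 1]}) >= min_users:
                sprays[src] = sorted({u for _, u in attempts})
                break
    return sprays


def compromised_accounts(lines, **kwargs):
    """Accounts that logged in successfully from a spraying source after the
    spray began: the signal that one of the tried passwords actually worked."""
    sprays = find_sprays(lines, **kwargs)
    first_fail, hits = {}, set()
    for ts, result, user, src in parse(lines):
        if src not in sprays:
            continue
        if result == "FAIL":
            first_fail.setdefault(src, ts)
        elif src in first_fail:  # parse() is time-sorted, so this follows the first failure
            hits.add(user)
    return hits


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for src, users in find_sprays(lines).items():
        print(f"spray from {src}: {len(users)} accounts {users}")
    print("likely compromised:", sorted(compromised_accounts(lines)))
```

On the sample, 203.0.113.7 is reported as a spray and f.chen as the account to reset and investigate; 198.51.100.9 is not reported because it only targets one account, which lockout policy handles. The window and threshold are tuning knobs: real sprays are often spread over hours to stay under thresholds like these, so run the same logic with a longer window as a second pass.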
Persistence: Maintaining Long-Term Footholds
The persistence Cactus implements is less obvious than usual: the ransomware binary ships with an encrypted configuration and is relaunched from a scheduled task, with the AES key handed to it at run time as a command-line argument rather than stored in the binary; key material is also kept in a dropped file named ntuser.dat, a name chosen to blend in with the legitimate user registry hive. Because the payload is inert without the key, this makes it harder for investigators to reconstruct a forensic timeline from the binary alone and limits what traditional SIEM rules keyed on static file content can detect.
Other persistence methods may be:
– scheduled tasks created or modified after initial compromise
– remote management tools installed under the guise of legitimate software
– abuse of Windows services and registry run entries
C2: Stealthy and Redundant Communications
For lateral movement and covert connectivity, Cactus relies primarily on Chisel, a tunnelling tool that carries TCP traffic over an HTTP(S) WebSocket connection, so it passes through firewall rules that already allow outbound web traffic.
C2 architecture:
– HTTPS-encrypted communication channels
– Proxying through compromised VPN IP addresses
– Short commands to minimize noise
Malware & Tools: A Streamlined Arsenal
Cactus uses a small but well-managed toolset built for stealth and efficiency:
– Custom Cactus ransomware payload with encrypted settings
– Rclone to exfiltrate sensitive data to cloud storage services
– Chisel to tunnel, pivot, and execute lateral movement
– Living-off-the-land binaries (LOLBins), notably PowerShell, PsExec, and WMI
Techniques: Precision and Disruption
The Cactus group consistently employs:
– Double extortion (encrypt + steal)
– Staging encrypted payloads to avoid detection
– Privilege escalation on Windows hosts
– Disruption of backups before deploying ransomware.
This approach maximizes both the group's success rate and the severity of each incident.

Notable Operations: A Timeline of Expansion
2023 – Initial Emergence
Cactus is first observed exploiting vulnerabilities in VPN appliances. Early attacks hit smaller organizations but already showed a surprisingly mature technical footing.
2024 – Large-Scale Enterprise Intrusions
Throughout 2024, Cactus gained traction within corporate networks, primarily targeting mid-sized and large enterprises. The group also made improvements to their use of Rclone for exfiltration and Chisel for stealthy movement.
2025 – Over 100 Confirmed Victims and Growing
By early 2025, Cactus had over 100 publicly confirmed victims, likely a fraction of the true total, since many victims never disclose. The group's expanding infrastructure, increasingly sophisticated payload encryption, and continued focus on VPN-related vulnerabilities all point to organizational growth.
Recent Developments & Evolution
Cactus continues to evolve with each campaign. Key observations from 2025 include:
– Enhanced automation capabilities for vulnerability scanning and exploitation
– More intricate workflows developed to pass AES encryption keys
– Expanded geographic targeting (especially Western and Central Europe)
– A much more aggressive approach to disrupting virtualized environments
– Greater use of cloud services for staging and persistence
Taken together, these changes indicate that the group is investing heavily in scaling its operations.
Conclusion: Strategic Impact & Defensive Recommendations
Cactus exemplifies a new breed of high-impact ransomware actor: lean, stealth-oriented, and hyper-focused on exploiting remote access vulnerabilities. Its ability to compromise large organizations through VPN vulnerabilities shows how one unpatched weakness, replicated across thousands of enterprises, becomes an attack surface at scale.
Defensive Takeaways
Organizational exposure to the Cactus group can be substantially reduced by investing in:
– Continuous patching of all VPN appliances and other remote access systems
– Phishing-resistant MFA on every external-facing interface
– Endpoint monitoring for tools such as Chisel and Rclone, and for ntuser.dat files created outside user profile directories
– Strictly hardening any remote management tools
– Segmenting networks to restrict lateral movement
As Cactus builds momentum into 2025, proactive defense combined with rapid patching and vigilant monitoring is essential to mitigate the risk posed by yet another increasingly capable adversary.



