This blog post comes from the Cactus Ransomware Technical Analysis report. If you want to download it as a PDF click here
Executive Summary
The Cactus ransomware, initially observed in 2023, is a sophisticated malware variant that poses a significant threat to computer systems and their users. It encrypts files on infected machines and demands ransom payments from victims in exchange for decryption keys. Notably, Cactus uses techniques such as GNU Linker and UPX packing to obfuscate its code and evade detection by security tools. Upon execution, it allocates dynamic memory, creates mutexes, and schedules tasks to ensure persistence and hinder removal. It relies on OpenSSL for cryptography, encrypting files with AES-256-CBC, and offers both a quick and a full encryption mode, selected according to file size. Additionally, it runs system commands to manipulate shadow copies, modify the boot configuration, and disable recovery options, further complicating recovery efforts.
As a result of its multifaceted approach and encryption capabilities, Cactus ransomware represents a significant cyber security threat, underscoring the importance of robust security measures and proactive defense strategies to mitigate its impact.
Scope
| Field | Packed sample |
| --- | --- |
| Filename | 64md94-hohi-5mk2-15ro.exe (Packed) |
| Filetype | Win32 EXE |
| Written Language | C/C++ |
| MD5 | 1add9766eb649496bc2fa516902a5965 |
| SHA1 | 48d1971ec7b17adaa8189089a97503afa705ae14 |
| SHA256 | 0933f23c466188e0a7c6fab661bdb8487cf7028c5cec557efb75fde9879a6af8 |
| First Seen / Detection Date | 2023-04-24 |
| Initial Infection Vector | N/A |

| Field | Unpacked sample |
| --- | --- |
| Filename | 64md94-hohi-5mk2-15ro.exe (Unpacked) |
| Filetype | Win32 EXE |
| Written Language | C/C++ |
| MD5 | 6c8e0456d051af78ebf105ed8e3ec666 |
| SHA1 | 52442a9bc5b5767968b71148593b2ad664b1003e |
| SHA256 | 0f99e9767ac4b8950c2e6be2e33b5fe06fb400c65cb9af9d9e2b334d4dd73e33 |
| First Seen / Detection Date | N/A |
| Initial Infection Vector | N/A |
MITRE ATT&CK Threat Matrix
- TA0002 Execution
  - T1053 Scheduled Task/Job
    - T1053.005 Scheduled Task
- TA0005 Defense Evasion
  - T1027 Obfuscated Files or Information
    - T1027.002 Software Packing
  - T1562 Impair Defenses
    - T1562.001 Disable or Modify Tools
- TA0007 Discovery
  - T1083 File and Directory Discovery
  - T1057 Process Discovery
- TA0040 Impact
  - T1486 Data Encrypted for Impact
  - T1489 Service Stop
  - T1490 Inhibit System Recovery
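The executive summary describes the sample deleting or manipulating shadow copies, changing the boot configuration, disabling recovery options and scheduling a task for persistence; in the matrix above these are T1490 and T1053.005. The Python below is an added detection example written for this post, not code from the report or from the analysed sample. It triages constructed process-creation log lines (a simple pipe-separated format assumed here) and attributes each hit to the technique ID from the matrix, then correlates per host so that a machine showing several T1490 behaviours stands out. The command-line patterns are assumptions: the report does not quote the exact commands, so these are the commonly documented forms of those techniques rather than Cactus-specific indicators.

```python
import re
from dataclasses import dataclass

# Detection rules keyed by the ATT&CK technique IDs from the report's matrix.
# The command strings are assumptions (commonly documented forms of T1490 /
# T1053.005), not indicators quoted by the report.
RULES = [
    ("T1490", "shadow copies deleted",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("T1490", "shadow copies deleted via WMI",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("T1490", "recovery disabled in boot configuration",
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("T1490", "boot status policy set to ignore failures",
     re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("T1053.005", "scheduled task created",
     re.compile(r"\bschtasks(\.exe)?\s+/create\b", re.I)),
]


@dataclass(frozen=True)
class Finding:
    technique: str
    description: str
    host: str
    parent_image: str
    command_line: str


def parse_event(line: str) -> dict:
    """Parse one constructed log line: ts|host|parent_image|image|command_line."""
    ts, host, parent, image, cmd = line.split("|", 4)
    return {"ts": ts, "host": host, "parent_image": parent,
            "image": image, "command_line": cmd}


def triage(lines):
    """Run every rule over every event; return one Finding per rule hit."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for technique, description, pattern in RULES:
            if pattern.search(ev["command_line"]):
                findings.append(Finding(technique, description, ev["host"],
                                        ev["parent_image"], ev["command_line"]))
    return findings


def summarize(findings):
    """Count findings per technique ID."""
    counts = {}
    for f in findings:
        counts[f.technique] = counts.get(f.technique, 0) + 1
    return counts


def high_confidence_hosts(findings):
    """Hosts with at least two distinct T1490 behaviours (e.g. shadow copies
    deleted AND boot configuration changed), which together match the
    recovery-inhibition pattern the report describes."""
    per_host = {}
    for f in findings:
        if f.technique == "T1490":
            per_host.setdefault(f.host, set()).add(f.description)
    return sorted(h for h, descs in per_host.items() if len(descs) >= 2)


# Constructed sample log lines; the parent image uses the sample filename from the
# report's scope table, everything else is made up for the example.
SAMPLE_LOGS = [
    "2023-04-24T10:01:02Z|WS01|C:\\Users\\alice\\Downloads\\64md94-hohi-5mk2-15ro.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet",
    "2023-04-24T10:01:03Z|WS01|C:\\Users\\alice\\Downloads\\64md94-hohi-5mk2-15ro.exe|C:\\Windows\\System32\\bcdedit.exe|bcdedit /set {default} recoveryenabled no",
    "2023-04-24T10:01:03Z|WS01|C:\\Users\\alice\\Downloads\\64md94-hohi-5mk2-15ro.exe|C:\\Windows\\System32\\bcdedit.exe|bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    "2023-04-24T10:01:05Z|WS01|C:\\Users\\alice\\Downloads\\64md94-hohi-5mk2-15ro.exe|C:\\Windows\\System32\\schtasks.exe|schtasks /create /tn Updater /tr C:\\Users\\alice\\Downloads\\64md94-hohi-5mk2-15ro.exe /sc minute /mo 5",
    "2023-04-24T10:02:10Z|WS02|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe C:\\Users\\bob\\notes.txt",
    "2023-04-24T10:03:00Z|WS02|C:\\Windows\\System32\\services.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe list shadows",
]

if __name__ == "__main__":
    hits = triage(SAMPLE_LOGS)
    for f in hits:
        print(f"{f.host} {f.technique} {f.description}: {f.command_line}  (parent: {f.parent_image})")
    print("per technique:", summarize(hits))
    print("high-confidence hosts:", high_confidence_hosts(hits))
```

Note that the benign `vssadmin list shadows` on WS02 is not flagged, and that the parent image is carried into each finding so an analyst can see which binary launched the recovery-inhibiting commands. In a real deployment the rules would run over Sysmon Event ID 1 or Windows Security 4688 data rather than this constructed format.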
Conclusion
Mitigation Strategies
Mitigation against Cactus ransomware combines proactive measures to prevent infection with reactive steps that limit the damage if an infection does occur. Two key strategies:
- Regular Backups: Maintain a robust backup strategy so that critical data is backed up regularly and stored securely offline or in a separate location. Because Cactus deletes shadow copies and disables recovery options on the infected host, backups the host cannot reach are what allow files to be restored without paying the ransom.
- Network Segmentation: Segment the network to isolate critical systems and data from the rest of the environment. This contains the spread of the ransomware and minimizes the impact of an infection.