Cactus Ransomware Technical Analysis

This blog post is taken from the Cactus Ransomware Technical Analysis report, which is also available for download as a PDF.

Executive Summary

The Cactus ransomware, first observed in 2023, is a sophisticated malware variant that poses a significant threat to computer systems and their users. It encrypts files on infected machines and demands a ransom from victims in exchange for the decryption key. Notably, the analysed sample was built with the GNU linker and packed with UPX, which obfuscates its code and helps it evade signature-based detection. Upon execution it allocates dynamic memory, creates mutexes, and registers scheduled tasks to ensure persistence and hinder removal. Cactus uses OpenSSL for its cryptography, encrypting files with AES-256-CBC, and offers both a quick and a full encryption mode, selected according to file size. Additionally, it runs system commands to manipulate shadow copies, modify the boot configuration, and disable recovery options, further complicating recovery efforts.

As a result of its multifaceted approach and encryption capabilities, Cactus ransomware represents a significant cyber security threat, underscoring the importance of robust security measures and proactive defense strategies to mitigate its impact.
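As an added example (not code from the report or from the malware), the following Python script shows how the recovery-inhibition and persistence behaviour described above can be picked up in process-creation telemetry. The command patterns are generic ATT&CK T1490 (shadow copy deletion, boot configuration changes) and T1053.005 (scheduled task creation) indicators, not commands recovered from the Cactus sample; the log records and the parent image name suspect.exe are constructed for the example.

```python
"""Detect recovery-inhibition (T1490) and scheduled-task persistence
(T1053.005) commands in process-creation logs, then correlate them by parent
process so that a cluster of such commands from one process stands out from a
single, possibly legitimate, administrative command."""
import re
from collections import defaultdict

# Constructed sample records in the form "pid|parent_image|command_line".
# "suspect.exe" is a hypothetical parent name, not the analysed sample.
SAMPLE_LOGS = [
    "4512|explorer.exe|C:\\Windows\\System32\\notepad.exe C:\\Users\\a\\notes.txt",
    "4600|svchost.exe|vssadmin.exe list shadows",
    "4620|suspect.exe|vssadmin.exe delete shadows /all /quiet",
    "4632|suspect.exe|wmic shadowcopy delete",
    "4648|suspect.exe|bcdedit /set {default} recoveryenabled No",
    "4660|suspect.exe|bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    "4672|suspect.exe|schtasks /create /tn Updater /tr C:\\ProgramData\\u.exe /sc minute /mo 5",
]

# Generic ATT&CK indicators: (technique id, rule name, compiled pattern).
# These are assumptions about typical ransomware tradecraft, not the exact
# command lines used by Cactus.
RULES = [
    ("T1490", "shadow_copy_delete",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("T1490", "shadow_copy_delete_wmic",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("T1490", "boot_recovery_disabled",
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("T1490", "boot_status_policy_ignore",
     re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("T1053.005", "scheduled_task_created",
     re.compile(r"\bschtasks(\.exe)?\s+/create\b", re.I)),
]


def parse_record(line):
    """Split one "pid|parent|cmdline" record into a dict."""
    pid, parent, cmdline = line.split("|", 2)
    return {"pid": int(pid), "parent": parent, "cmdline": cmdline}


def match_rules(cmdline):
    """Return the (technique, rule_name) pairs whose pattern matches cmdline."""
    return [(tech, name) for tech, name, pat in RULES if pat.search(cmdline)]


def scan(lines):
    """Per-record hits: one dict per (record, matching rule) pair."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        for technique, name in match_rules(rec["cmdline"]):
            hits.append({**rec, "technique": technique, "rule": name})
    return hits


def correlate(hits, threshold=2):
    """Group T1490 hits by parent image. A parent that issues `threshold` or
    more distinct recovery-inhibition commands is reported as a cluster, which
    is far more specific than any single command (admins legitimately run
    vssadmin and bcdedit on their own)."""
    by_parent = defaultdict(set)
    for hit in hits:
        if hit["technique"] == "T1490":
            by_parent[hit["parent"]].add(hit["rule"])
    return {parent: sorted(rules) for parent, rules in by_parent.items()
            if len(rules) >= threshold}


if __name__ == "__main__":
    found = scan(SAMPLE_LOGS)
    for hit in found:
        print(f"[{hit['technique']}] pid={hit['pid']} parent={hit['parent']} "
              f"rule={hit['rule']}")
    for parent, rules in correlate(found).items():
        print(f"ALERT recovery-inhibition cluster from {parent}: {rules}")
```

In a real deployment the records would come from Sysmon Event ID 1 or Windows Security Event ID 4688 with command-line auditing enabled, and the correlation window would be bounded by time as well as by parent process. Note that the benign "vssadmin.exe list shadows" record produces no hit, while the single scheduled-task creation is reported but not escalated on its own.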


Filename: 64md94-hohi-5mk2-15ro.exe (Packed)
Filetype: Win32 EXE
Written Language: C/C++
First Seen / Detection Date: 2023-04-24
Initial Infection Vector: N/A
Table 1: File Fingerprints (packed sample)

Filename: 64md94-hohi-5mk2-15ro.exe (Unpacked)
Filetype: Win32 EXE
Written Language: C/C++
First Seen / Detection Date: N/A
Initial Infection Vector: N/A
Table 2: File Fingerprints (unpacked sample)

MITRE ATT&CK Threat Matrix

  • TA0002 Execution
    • T1053 Scheduled Task/Job
      • T1053.005 Scheduled Task
  • TA0005 Defense Evasion
    • T1027 Obfuscated Files or Information
      • T1027.002 Software Packing
    • T1562 Impair Defenses
      • T1562.001 Disable or Modify Tools
  • TA0007 Discovery
    • T1083 File and Directory Discovery
    • T1057 Process Discovery
  • TA0040 Impact
    • T1486 Data Encrypted for Impact
    • T1489 Service Stop
    • T1490 Inhibit System Recovery


Mitigation Strategies

Mitigation strategies against Cactus ransomware involve a combination of proactive measures to prevent infection and reactive steps to minimize damage if an infection occurs. Here are some key strategies:

Regular Backups: Implement a robust backup strategy to ensure that critical data is regularly backed up and stored securely offline or in a separate location. This can help restore files without paying the ransom in the event of an attack.

Network Segmentation: Implement network segmentation to isolate critical systems and data from the rest of the network. This can help contain the spread of ransomware and minimize the impact of an infection.
