
CACTUS ransomware

Sep 08, 2023

Wed, May 10, 2023

Laurie Iacono

Stephen Green

Dave Truman

Kroll Cyber Threat Intelligence analysts have identified a new strain of ransomware, named CACTUS, targeting large commercial entities since March 2023. The name "CACTUS" is derived from the filename of the ransom note, cAcTuS.readme.txt, and the self-declared name within the note itself. Encrypted files are appended with .cts1, although Kroll notes that the digit at the end of the extension varies across incidents and victims. Kroll has observed exfiltration of sensitive data and victim extortion over the peer-to-peer messaging service Tox, but no victim leak site had been identified at the time of analysis.

In Kroll's experience, CACTUS deploys an overlapping set of tactics, techniques, and procedures (TTPs). These include tools such as Chisel, Rclone and TotalExec, scheduled tasks, and custom scripts that disable security software and distribute the ransomware binary. Kroll has observed threat actors gaining initial access through exploitation of VPN appliances. Notably, CACTUS uses a file named ntuser.dat in C:\ProgramData to pass the AES key that decrypts the RSA public key embedded in the binary, and re-executes the binary through a scheduled task.

Based on the intelligence available at the time of this bulletin, the most likely Stage 1 Initial Exploit in the Kroll Intrusion Lifecycle is exploitation of vulnerable VPN appliances; this has been a common thread across several CACTUS incidents Kroll has investigated. In all observed cases the threat actor's access originated from a VPN server, using a VPN service account. An SSH backdoor to the threat actor's command and control (C2) is then established and kept alive through scheduled tasks (install.bat, Figure 1).

Figure 1 – install.bat

MITRE ATT&CK: T1190 Exploit Public-Facing Application; T1021.004 SSH; T1053.005 Scheduled Task

Once inside the network, the threat actor conducts initial internal reconnaissance with SoftPerfect Network Scanner (netscan). PowerShell commands are executed to enumerate endpoints, review Windows Security event ID 4624 (successful logon) entries to identify user accounts, and ping remote endpoints. The output of these commands is saved to text files on the host; these files (for example the ips.txt target list) are reused later when the ransomware binary is deployed.

Figure 2 – PowerShell Enumeration

Kroll has also identified a modified version of an open-source script, PSnmap.ps1, which provides Nmap-like scanning from PowerShell. This is also executed to identify other endpoints within the network.

MITRE ATT&CK: T1049 System Network Connections Discovery; T1087.002 Domain Account; T1018 Remote System Discovery; T1087 Account Discovery

To maintain persistence within the environment, the threat actor sets up several remote access methods. Kroll has identified the use of legitimate remote access tools such as Splashtop, AnyDesk and SuperOps RMM, along with Cobalt Strike and Chisel, a tunnelling tool with SOCKS5 proxy support. Chisel tunnels traffic through firewalls to give the threat actor covert communication with their C2, and is likely used to pull additional scripts and tooling onto the endpoint.

Once the threat actor has established the required level of access (see Escalation), they execute a batch script that uses msiexec to uninstall common anti-virus products by their product GUIDs and, in at least one incident, the Bitdefender uninstaller, as shown in Figure 3.

Figure 3 – Section of Batch Script to Disable Anti-Virus

MITRE ATT&CK: T1219 Remote Access Software; T1090 Proxy; T1562.001 Disable or Modify Tools

To gain credentials sufficient for execution and lateral movement, the threat actor has commonly attempted to dump credentials from users' web browsers and to search the disk manually for files containing passwords. They may also attempt LSASS credential dumping for later privilege escalation. A further batch script is then used to add privileged accounts on remote endpoints; this activity is discussed later in the report.

Figure 4 – f1.bat Adding Local Admin Accounts

MITRE ATT&CK: T1136 Create Account; T1555.003 Credentials from Web Browsers; T1003 OS Credential Dumping

Lateral movement has been observed via valid or newly created accounts over the Remote Desktop Protocol (RDP). Remote management tools such as SuperOps RMM have also been used for lateral movement.

MITRE ATT&CK: T1021.001 Remote Desktop Protocol; T1072 Software Deployment Tools

As with many ransomware groups, CACTUS actors also exfiltrate sensitive data to increase the pressure of extortion. Kroll has observed common exfiltration tools such as Rclone being used to automatically copy files to cloud storage.

MITRE ATT&CK - T1567.002: Exfiltration to Cloud Storage

Once data has been exfiltrated, the threat actor prepares to encrypt devices. This relies on TotalExec.ps1, a script frequently leveraged by BLACKBASTA, which drives PsExec to automate deployment of the encryptor; in this case it deploys the f1.bat script shown in Figure 4 and the f2.bat script shown in Figure 6. As discussed earlier, f1.bat runs first and creates a new admin user account, then registers f2.bat as a machine-level autorun before restarting the device. f2.bat (Figure 6) extracts the ransomware encryptor binary with 7zip, removes the archive, and executes the binary with the flag that enables it to run. TotalExec.ps1 drives this remotely via PsExec across the list of devices in the ips.txt file created during discovery.

Figure 5 – TotalExec.ps1 Execution

Figure 6 – f2.bat Execution of Ransomware Encryptor Binary

The binary itself is notable: it is usually named after the victim ID used for negotiations, which follows the pattern [a-z1-9]{4}-[a-z1-9]{4}-[a-z1-9]{4}-[a-z1-9]{4}\.exe, for example "a12b-e4fg-c12g-zkc2.exe", where the part before ".exe" is the victim ID.

The UPX packed executable has 3 main modes of execution controlled by command line switches. A full flow of the execution process can be seen in Figure 16.

The first mode, setup mode, is triggered by the "-s" flag on the command line. Its purpose is to establish persistence and then invoke the binary again in the next mode.

In this mode it copies its own executable to C:\ProgramData\{Victim_ID}.exe, for example C:\ProgramData\abc1-d2ef-gh3i-4jkl.exe.

The ransomware then writes a configuration file to C:\ProgramData\ntuser.dat. The file is hex encoded and wrapped in junk data, and contains three fields: the path to the original executable, the base64 string passed in with the "-i" command line argument, and any remaining command line arguments. The hexadecimal string is further obfuscated by pushing the alignment of each two-character byte representation out by one character, so a standard hex decode does not recover the data (Figure 8); the decoder must skip one character before pairing nibbles (Figure 9).

Figure 7 – First 100 bytes of C:\ProgramData\ntuser.dat

Figure 8 - Data of C:\ProgramData\ntuser.dat with Standard Hex Decoding

Figure 9 - Data of C:\ProgramData\ntuser.dat with Hex Decoding and Adjusted Alignment

Figure 10 - Ransomware Configuration Hidden Amongst Junk Text Extracted from C:\ProgramData\ntuser.dat

Once CACTUS has created the ntuser.dat file, it creates and executes a scheduled task that runs C:\ProgramData\{Victim_ID}.exe -r

The setup-mode process then terminates.

When called from the scheduled task with the "-r" option (read-configuration mode), the ransomware reads ntuser.dat and extracts the three fields.

It then deletes the executable referenced in the first field, the original copy, and spawns another instance of itself, passing the second field as the value of the "-i" option and appending the third field, any remaining arguments, to the command line.

The read-configuration instance then exits.
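The -s / -r chain above leaves a few host-level artefacts worth alerting on: a binary named in the victim-ID pattern being run with -s, -r or -i; ntuser.dat being written to C:\ProgramData rather than a user profile; and a scheduled task whose action is C:\ProgramData\{Victim_ID}.exe -r. The following Python is an added example for this page, not Kroll's detection rules. Its event records are constructed, simplified renderings of Windows Security 4688 (process creation) and 4698 (scheduled task created) and Sysmon event 11 (file create), using this example's own field names, so the keys must be mapped to whatever your log pipeline emits:

```python
"""Detection logic for the CACTUS -s / -r execution chain described above.

Added example for this page, not Kroll's detection content. The events are
constructed, simplified renderings of Windows Security 4688 and 4698 and
Sysmon event 11; the field names are this example's own, not the real schemas.
"""
import re

# Victim-ID binary name as the report describes it: four dash-separated groups
# of four characters from [a-z1-9], e.g. a12b-e4fg-c12g-zkc2.exe
VICTIM_ID_EXE = re.compile(
    r"(?:^|\\)([a-z1-9]{4}-[a-z1-9]{4}-[a-z1-9]{4}-[a-z1-9]{4})\.exe$", re.IGNORECASE
)
PROGRAMDATA = re.compile(r"^c:\\programdata\\", re.IGNORECASE)
# -s (setup), -r (read configuration) and -i (key material) as stand-alone switches
MODE_FLAGS = re.compile(r"(?:^|\s)-([sri])(?=\s|$)")


def victim_id(path: str):
    """Return the victim ID if the executable name matches the CACTUS pattern."""
    m = VICTIM_ID_EXE.search(path)
    return m.group(1).lower() if m else None


def mode_flags(cmdline: str) -> set:
    """Set of CACTUS mode switches present on a command line."""
    return set(MODE_FLAGS.findall(cmdline))


def evaluate(events):
    """Return one alert dict per event that matches a CACTUS behaviour."""
    alerts = []
    for ev in events:
        if ev["event"] == 4688:
            vid = victim_id(ev["image"])
            flags = mode_flags(ev["cmdline"])
            # A victim-ID-named binary run with any of the three switches.
            if vid and flags:
                alerts.append({"rule": "cactus_binary_exec",
                               "detail": f"{vid} with -{'/-'.join(sorted(flags))}"})
        elif ev["event"] == 4698:
            # Setup mode registers a task running C:\ProgramData\{Victim_ID}.exe -r
            cmd = ev["command"]
            if PROGRAMDATA.match(cmd) and victim_id(cmd) and "r" in mode_flags(ev["arguments"]):
                alerts.append({"rule": "cactus_task_r", "detail": cmd})
        elif ev["event"] == 11:
            # ntuser.dat belongs in a user profile, not in C:\ProgramData.
            target = ev["target"]
            if PROGRAMDATA.match(target) and target.lower().endswith("\\ntuser.dat"):
                alerts.append({"rule": "cactus_ntuser_programdata", "detail": target})
    return alerts


# Constructed sample events (not real captures); malicious and benign lines alternate.
SAMPLE_EVENTS = [
    {"event": 4688, "image": r"C:\Users\ops\Downloads\a12b-e4fg-c12g-zkc2.exe",
     "cmdline": r"a12b-e4fg-c12g-zkc2.exe -s -i Qm9ndXNLZXlGb3JEZW1vT25seQ=="},
    {"event": 4688, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs -s W32Time"},        # has -s, but not a victim-ID binary
    {"event": 11, "target": r"C:\ProgramData\ntuser.dat"},
    {"event": 11, "target": r"C:\Users\ops\NTUSER.DAT"},       # the normal profile hive
    {"event": 4698, "command": r"C:\ProgramData\a12b-e4fg-c12g-zkc2.exe", "arguments": "-r"},
    {"event": 4698, "command": r"C:\Windows\System32\cmd.exe", "arguments": "/c backup.bat"},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert["rule"], alert["detail"])
```

The three rules fire independently, so a host that only shows the 4698 task (for example when process creation auditing is off) still surfaces; the svchost line shows why the switch check is tied to the image name rather than applied to every command line.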

When the ransomware is spawned without the -s or -r parameters, it proceeds to file system encryption. The malware first decodes a hardcoded hex string, which is easy to find in the binary once it has been unpacked.

Figure 11 – Hex String

It then decrypts the decoded data with AES, using the value supplied by the "-i" parameter as the key and a hardcoded initialization vector. The resulting plaintext is loaded as an RSA public key object.

Figure 12 – AES Decryption of Public RSA Key

The malware then searches the filesystem for files and starts multiple threads to encrypt them. To encrypt a large number of files efficiently it uses the envelope implementation from its statically linked copy of OpenSSL. For each file a random AES key is generated and used to encrypt the file contents, and that AES key is in turn encrypted with the RSA public key. The result is an "envelope" containing the AES-encrypted file and the RSA-encrypted AES key, so the corresponding RSA private key is required to recover the AES key and decrypt the file.

Figure 13 – File Encryption Process

Figure 14 – File Encryption with AES, RSA and OpenSSL

The malware continues to encrypt files until completion.

Once a file has been encrypted, its name is appended with the extension "cts\d", where the final character is a digit that varies. A ransom note named "cAcTuS.readme.txt" is then created with details on how the victim can negotiate over Tox chat. Most ransomware groups operate a shaming site, but none had been identified at the time of writing, nor any other venue for data disclosure.

Figure 15 – CACTUS Ransom Note

As of the writing of this bulletin, Kroll had not yet identified a "shaming site" or victim-identification blog run by CACTUS for publishing victim data when a ransom is not paid. There is not yet enough data to give an average starting ransom demand. It also remains to be seen what happens when a ransom is not paid, and how reliable any decryptor supplied by the threat actor is.

MITRE ATT&CK: T1027.002 Software Packing; T1486 Data Encrypted for Impact; T1027 Obfuscated Files or Information; T1570 Lateral Tool Transfer

Figure 16 – Ransomware Binary Execution

Kroll has provided a simple Python script to decode the ntuser.dat file associated with CACTUS.
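Kroll's script is not reproduced on this page. The decoder below is an added example written for this edit, not Kroll's tool. It takes from the report only that ntuser.dat is a hex string whose byte boundaries are pushed out by one character and that three fields (original exe path, the base64 "-i" value, remaining arguments) sit among junk. The sample file it builds, the single pad digit at each end, the field order, and the use of non-printable filler for the junk are this example's assumptions; on a real sample the field offsets should be taken from Figure 10 instead.

```python
"""Decoder for the misaligned-hex layout of ntuser.dat in C:\\ProgramData.

Added example written for this page; not Kroll's script. From the report: the
file is hex, the two-character byte boundaries are shifted by one character,
and three fields sit among junk (original exe path, base64 "-i" value, remaining
arguments). Assumed here: one pad digit at each end, that field order, and
non-printable junk so that a printable-string scan isolates the fields.
"""
import re

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{8,}")


def hex_decode_shifted(text: str, shift: int) -> bytes:
    """Hex-decode `text` after skipping `shift` leading characters."""
    body = text.strip()[shift:]
    body = body[: len(body) - len(body) % 2]  # drop a dangling nibble at the end
    return bytes.fromhex(body)


def printable_runs(blob: bytes):
    """Printable ASCII runs of eight or more bytes, in file order."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(blob)]


def recover_config(text: str, marker: bytes = b".exe"):
    """Try both alignments; only the correct one exposes the original exe path."""
    for shift in (0, 1):
        try:
            blob = hex_decode_shifted(text, shift)
        except ValueError:
            continue
        if marker in blob:
            runs = printable_runs(blob)
            if len(runs) >= 3:
                return {"alignment": shift, "original_exe": runs[0],
                        "i_argument": runs[1], "extra_args": runs[2]}
    return None


def respawn_command_line(config, programdata_exe: str) -> str:
    """Command line that -r mode rebuilds from the recovered fields."""
    return f'{programdata_exe} -i {config["i_argument"]} {config["extra_args"]}'.rstrip()


# --- constructed sample file (not a real capture) ---
JUNK = bytes(range(0x80, 0x90))  # stands in for the junk that surrounds each field
ORIGINAL_EXE = r"C:\Users\ops\Downloads\a12b-e4fg-c12g-zkc2.exe"
I_ARGUMENT = "Qm9ndXNLZXlGb3JEZW1vT25seQ=="  # placeholder base64, not a real key
EXTRA_ARGS = "remaining-arguments-placeholder"
SAMPLE_PAYLOAD = (JUNK + ORIGINAL_EXE.encode() + JUNK + I_ARGUMENT.encode()
                  + JUNK + EXTRA_ARGS.encode() + JUNK)
# One pad digit at each end pushes every byte boundary out by one character.
SAMPLE_NTUSER_DAT = "0" + SAMPLE_PAYLOAD.hex() + "0"

if __name__ == "__main__":
    print(hex_decode_shifted(SAMPLE_NTUSER_DAT, 0)[:16])  # wrong alignment: garbage
    cfg = recover_config(SAMPLE_NTUSER_DAT)
    print(cfg)
    print(respawn_command_line(cfg, r"C:\ProgramData\a12b-e4fg-c12g-zkc2.exe"))
```

The alignment check is deliberately a content test rather than a length test: the pad digit at the start makes a plain bytes.fromhex succeed, so the wrong alignment fails silently with plausible-looking bytes, and the decoder must look for the expected structure (here, the ".exe" of the first field) to know it has the right one.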

The observed techniques map to MITRE ATT&CK as follows:

TA0001 Initial Access: T1190 Exploit Public-Facing Application
TA0002 Execution: T1059 Command and Scripting Interpreter; T1053.005 Scheduled Task; T1072 Software Deployment Tools
TA0003 Persistence: T1053.005 Scheduled Task; T1136 Create Account
TA0004 Privilege Escalation: T1053.005 Scheduled Task
TA0005 Defense Evasion: T1562.001 Disable or Modify Tools; T1027.002 Software Packing; T1027 Obfuscated Files or Information
TA0006 Credential Access: T1555.003 Credentials from Web Browsers; T1003 OS Credential Dumping
TA0007 Discovery: T1049 System Network Connections Discovery; T1087.002 Domain Account; T1087 Account Discovery; T1018 Remote System Discovery
TA0008 Lateral Movement: T1021.001 Remote Desktop Protocol; T1072 Software Deployment Tools; T1570 Lateral Tool Transfer
TA0009 Collection: T1119 Automated Collection
TA0010 Exfiltration: T1567.002 Exfiltration to Cloud Storage
TA0011 Command and Control: T1219 Remote Access Software; T1090 Proxy
TA0040 Impact: T1486 Data Encrypted for Impact

Kroll has identified recommendations relating to this alert:

Monitor PowerShell Execution: Ensure PowerShell is logged and create detections for encoded script execution.

Audit User, Administrator and Service Accounts: Ensure accounts have the correct access and privileges. Implement the principle of least privilege.

Implement Multi-factor Authentication: Multi-factor authentication can restrict access to sensitive areas and can prevent lateral movement.

Review Backup Strategies: Ensure multiple backups are taken and at least one backup is isolated from the network.

Kroll's threat intelligence team has created and deployed detection rules for CACTUS. If you have any questions, please contact your technical account manager or submit a support ticket.


The following files and hashes have been identified for the incident.

The following external IP addresses were observed during the incident:


Summary of recommendations:

Patch and update VPN devices
Implement password managers
Monitor PowerShell execution
Audit user, administrator and service accounts
Implement multi-factor authentication
Review backup strategies