A new ransomware operation called Cactus has been exploiting vulnerabilities in VPN appliances for initial access to networks of “large commercial entities.”
The Cactus ransomware operation has been active since at least March and is looking for big payouts from its victims.
While the new threat actor adopted the usual tactics seen in ransomware attacks - file encryption and data theft - it added its own touch to avoid detection.
Encrypted configuration twist
Researchers at Kroll corporate investigation and risk consulting firm believe that Cactus obtains initial access into the victim network by exploiting known vulnerabilities in Fortinet VPN appliances.
The assessment is based on the observation that in all incidents investigated the hacker pivoted inside from a VPN server with a VPN service account.
What sets Cactus apart from other operations is the use of encryption to protect the ransomware binary. The actor uses a batch script to obtain the encryptor binary using 7-Zip.
The original ZIP archive is removed and the binary is deployed with a specific flag that allows it to execute. The entire process is unusual and the researchers that this is to prevent the detection of the ransomware encryptor. ... ... ...
