Major commercial organizations have had their networks infiltrated by the new Cactus ransomware operation through the exploitation of VPN appliance vulnerabilities since March, according to BleepingComputer.
Cactus ransomware performs both file encryption and data exfiltration, but the group has also been using encryption to protect the ransomware binary itself in a bid to better evade detection, a report from Kroll showed. After packing the encryptor binary with 7-Zip via a batch script, Cactus removes the original ZIP archive and runs the binary with a specific execution flag. The threat actors then supply a unique AES key through a command line argument to enable file encryption.
"CACTUS essentially encrypts itself, making it harder to detect and helping it evade antivirus and network monitoring tools," said Kroll Associate Managing Director for Cyber Risk Laurie Iacono.
Ransomware expert Michael Gillespie has also observed Cactus using various file extensions for the files it targets.