A cybercriminal group has been compromising enterprise networks for the past two months and has been deploying a new ransomware program that researchers dubbed CACTUS. In the attacks seen so far the attackers gained access by exploiting known vulnerabilities in VPN appliances, moved laterally to other systems, and deployed legitimate remote monitoring and management (RMM) tools to achieve persistence on the network.
“The name ‘CACTUS’ is derived from the filename provided within the ransom note, cAcTuS.readme.txt, and the self-declared name within the ransom note itself,” researchers with Kroll Cyber Threat Intelligence said in a new report. “Encrypted files are appended with .cts1, although Kroll notes the number at the end of the extension has been observed to vary across incidents and victims. Kroll has observed exfiltration of sensitive data and victim extortion over the peer-to-peer messaging service known as Tox, but a known victim leak site was not identified at the time of analysis.”