

A newly identified ransomware group that targets vulnerabilities in virtual private network appliances comes with a unique twist: the ransomware encrypts itself to avoid detection by security software.
Discovered by security researchers at Kroll LLC, the ransomware, dubbed “Cactus,” is believed to have first been deployed in March. It targets known vulnerabilities in Fortinet Inc. VPN appliances to gain access to large organizations before getting to work.
Cactus goes through the regular ransomware steps, spreading through a targeted network and stealing and encrypting files as it goes, but its obfuscation technique is what sets it apart from the ransomware families that came before it.
Bleeping Computer reported Sunday that Cactus uses encryption to protect the ransomware binary itself. Those behind Cactus use a batch script that extracts the encryptor binary from a ZIP archive with 7-Zip, which keeps the unencrypted binary off disk until the moment of execution and so evades antivirus and other security tools that scan the archive. The original ZIP archive is then deleted and the binary is launched with a specific command-line flag that it requires in order to run.
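The chain described above (a batch script launching 7-Zip to extract a binary, then running the extracted binary from the same script) is a correlatable pattern in process-creation telemetry. The following Python is an added example by the editor, not code from Kroll, Bleeping Computer or the Cactus operators: it parses a handful of constructed Sysmon-style JSON events and flags a cmd.exe-spawned 7-Zip extraction followed, on the same host within a time window, by execution of a file from the extraction folder. The host names, paths, file names and the `--start` flag in the sample log are placeholders, not observed Cactus indicators; the log shape and the fallback to the archive's folder when no `-o` switch is present are assumptions.

```python
import json
import shlex
from pathlib import PureWindowsPath

# Constructed process-creation events in a Sysmon-like JSON-lines shape.
# Hosts, paths, file names and the "--start" flag are placeholders, not
# observed Cactus indicators. Event 1-2: scripted extract-then-run (should
# fire). Event 3-4: a user unpacking photos from Explorer (should not).
SAMPLE_LOG = r"""
{"ts": 1680000000, "host": "ws01", "ppid": 3999, "parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Program Files\\7-Zip\\7z.exe", "cmdline": "7z.exe x C:\\Users\\Public\\update.zip -oC:\\Users\\Public\\upd -y"}
{"ts": 1680000004, "host": "ws01", "ppid": 3999, "parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Users\\Public\\upd\\svc.exe", "cmdline": "svc.exe --start"}
{"ts": 1680000100, "host": "ws02", "ppid": 5100, "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Program Files\\7-Zip\\7z.exe", "cmdline": "7z.exe x C:\\Users\\alice\\Downloads\\photos.zip -oC:\\Users\\alice\\Pictures"}
{"ts": 1680000130, "host": "ws02", "ppid": 5100, "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe"}
"""

SEVENZIP_NAMES = {"7z.exe", "7za.exe", "7zr.exe"}
EXTRACT_COMMANDS = {"x", "e"}  # 7-Zip: x = extract with paths, e = extract flat


def parse_events(text):
    """Parse JSON lines into dicts, skipping blank lines, ordered by timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["ts"])


def extraction_target(cmdline):
    """Return (archive, output_dir) for a 7-Zip extract command, else None.

    shlex runs in non-POSIX mode so Windows backslashes are kept literally
    and quoted arguments stay together; surrounding quotes are stripped.
    """
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    if len(tokens) < 3 or tokens[1] not in EXTRACT_COMMANDS:
        return None
    archive = PureWindowsPath(tokens[2])
    out_dir = None
    for tok in tokens[3:]:
        if tok.startswith("-o"):  # 7-Zip's -o<dir> switch takes no space
            out_dir = PureWindowsPath(tok[2:])
    # Without -o, 7-Zip extracts into the current directory; the sample log
    # carries no cwd, so fall back to the archive's folder (an assumption).
    return archive, out_dir or archive.parent


def find_extract_then_execute(events, window_s=600):
    """Flag a cmd.exe-driven 7-Zip extraction followed, within window_s seconds
    on the same host, by execution of a binary located in the extraction folder."""
    findings = []
    for i, ev in enumerate(events):
        image = PureWindowsPath(ev["image"])
        parent = PureWindowsPath(ev["parent"])
        # Only script-launched 7-Zip: batch files run under cmd.exe.
        if image.name.lower() not in SEVENZIP_NAMES or parent.name.lower() != "cmd.exe":
            continue
        target = extraction_target(ev["cmdline"])
        if target is None:
            continue
        archive, out_dir = target
        for later in events[i + 1:]:
            if later["host"] != ev["host"] or later["ts"] - ev["ts"] > window_s:
                continue
            child = PureWindowsPath(later["image"])
            # PureWindowsPath equality is case-insensitive, matching NTFS.
            if out_dir in child.parents:
                findings.append({
                    "host": ev["host"],
                    "archive": str(archive),
                    "extract_dir": str(out_dir),
                    "executed": str(child),
                    "same_script": later["ppid"] == ev["ppid"],
                    "delay_s": later["ts"] - ev["ts"],
                })
    return findings


if __name__ == "__main__":
    for finding in find_extract_then_execute(parse_events(SAMPLE_LOG)):
        print(finding)
```

The `same_script` field records whether both processes share the same cmd.exe parent, which is the strongest signal that one batch file drove both steps; in production this correlation belongs in the SIEM query rather than a Python loop, but the logic (archive tool launched by a script, then a new executable appearing under its output path) is the same. Deletion of the archive is a file event, not a process-creation event, so it is deliberately not part of this correlation.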
Cactus’s attempts to remain unseen do not stop there. The ransomware also deploys a batch script that removes the most commonly used antivirus products.
Although the group steals data from its victims, transferring it with the Rclone tool, Cactus has not set up a leak site. Whereas ransomware operators typically direct victims to a leak site for more information, the Cactus ransom note asks victims to contact the group by email or a backup chat service to recover their files and prevent disclosure of the stolen data.
“This is yet another way for ransomware to completely evade the endpoint security tools such as antivirus and endpoint detection and response and highlights just how easy it is for the threat actors to kick off a ransomware attack despite the most sophisticated detection tools on the planet,” Steve Hahn, executive vice president of ransomware containment company BullWall Ltd., told SiliconANGLE. “Every year, ransomware completely takes down thousands of enterprises. In each such event, the impacted companies invested heavily in prevention tools and were given guarantees such as ‘completely effective against ransomware.’”
Every ransomware event found a way to disable or evade those tools, Hahn added. “It’s simply a matter of time before any business is hit, loses their infrastructure for weeks and critical data permanently.”