A novel ransomware strain dubbed ‘Cactus’ has been found to be exploiting vulnerabilities in Fortinet VPN devices to gain initial access to corporate or other large-scale networks.
What is Cactus Ransomware?
According to researchers, Cactus gains initial access to a victim network by exploiting known vulnerabilities in Fortinet VPN appliances. Using these vulnerabilities, the threat actor has broken into the networks of major commercial organizations.
Once initial access has been obtained through the Fortinet VPN appliance, the attacker runs a batch script that uses 7-Zip to extract the encryptor binary from a ZIP archive. The script then deletes the original ZIP archive and launches the binary with a specific flag that allows it to execute as intended.
The encryptor takes -s (setup) to establish persistence and to write its data to C:\ProgramData\ntuser.dat; on subsequent runs it reads that file back with the -r (read configuration) argument.
When the binary is launched with the -i flag and the correct AES key, it unlocks its configuration and begins enumerating files for a multi-threaded encryption run. Without that key the binary cannot unlock its configuration, which complicates analysis of a captured sample.
Cactus also relies on several legitimate tools once inside a network. The operators use SoftPerfect Network Scanner (netscan) to locate targets on the network, combined with PowerShell commands for more in-depth reconnaissance.
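The execution chain above (7-Zip extraction, a binary launched with -s / -r / -i, the C:\ProgramData\ntuser.dat artifact, and netscan recon) lends itself to a simple host-level correlation rule. The following is an added example written for this article, not code from the article or from any vendor's detection content: it matches constructed process-creation and file-creation events, loosely modelled on Sysmon event IDs 1 and 11, against one pattern per stage and alerts when several stages appear on the same host. The event field names, hostnames, file paths, the hex form of the AES key and the sample events are all assumptions made for illustration.

```python
"""Heuristic correlation of the Cactus execution chain over host telemetry.

Added example, not the article's or any vendor's detection logic. Event
shape, field names, paths, hostnames and sample events are constructed.
"""
import re
from collections import defaultdict

# One pattern per stage the article describes. The exact 7-Zip switches and
# the assumption that the AES key is passed as a hex string are this example's.
STAGES = {
    "extract": re.compile(r'7z(?:\.exe)?"?\s+[xe]\s+\S+\.zip', re.I),     # 7z x <archive>.zip
    "setup":   re.compile(r'\.exe"?\s+-s(?:\s|$)', re.I),                 # -s (setup / persistence)
    "readcfg": re.compile(r'\.exe"?\s+-r(?:\s|$)', re.I),                 # -r (read configuration)
    "keyed":   re.compile(r'\.exe"?\s+-i\s+[0-9a-f]{16,}', re.I),         # -i <AES key>
    "recon":   re.compile(r"netscan(?:64)?\.exe", re.I),                  # SoftPerfect netscan
}
NTUSER = re.compile(r"^C:\\ProgramData\\ntuser\.dat$", re.I)   # persistence / config artifact
DROP_DIRS = re.compile(r"^C:\\(?:ProgramData|Users\\Public)\\", re.I)  # assumed staging dirs

# Constructed sample telemetry (not real events). WS01 shows the full chain;
# WS02 shows a benign 7-Zip extraction that must not alert on its own.
SAMPLE_EVENTS = [
    {"ts": 1, "host": "WS01", "type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\Public\stage.bat"},
    {"ts": 2, "host": "WS01", "type": "process", "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": r"7z.exe x C:\Users\Public\pkg.zip -oC:\ProgramData -y"},
    {"ts": 3, "host": "WS01", "type": "process", "image": r"C:\ProgramData\enc.exe",
     "cmdline": r"C:\ProgramData\enc.exe -s"},
    {"ts": 4, "host": "WS01", "type": "file", "image": r"C:\ProgramData\enc.exe",
     "target": r"C:\ProgramData\ntuser.dat"},
    {"ts": 5, "host": "WS01", "type": "process", "image": r"C:\ProgramData\enc.exe",
     "cmdline": r'"C:\ProgramData\enc.exe" -r'},
    {"ts": 6, "host": "WS01", "type": "process", "image": r"C:\ProgramData\enc.exe",
     "cmdline": r"C:\ProgramData\enc.exe -i 0f1e2d3c4b5a69788796a5b4c3d2e1f0"},
    {"ts": 7, "host": "WS01", "type": "process", "image": r"C:\Users\Public\netscan.exe",
     "cmdline": r"netscan.exe"},
    {"ts": 8, "host": "WS02", "type": "process", "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": r"7z.exe x C:\Users\alice\Downloads\photos.zip -oC:\Users\alice\Pictures"},
    {"ts": 9, "host": "WS02", "type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c dir"},
]


def classify(ev):
    """Return the set of stage labels a single event matches."""
    hits = set()
    if ev["type"] == "file":
        if NTUSER.match(ev["target"]):
            hits.add("ntuser_dropped")
        return hits
    for name, rx in STAGES.items():
        if rx.search(ev["cmdline"]):
            hits.add(name)
    # A flagged binary running out of a world-writable staging directory is
    # itself suspicious; plain 7-Zip extraction is too common to count here.
    if hits - {"extract"} and DROP_DIRS.match(ev["image"]):
        hits.add("staged_binary")
    return hits


def collect_stages(events):
    """Aggregate matched stages per host, in timestamp order."""
    per_host = defaultdict(set)
    for ev in sorted(events, key=lambda e: e["ts"]):
        per_host[ev["host"]] |= classify(ev)
    return dict(per_host)


def correlate(events, min_stages=3):
    """Return {host: sorted stages} for hosts that cross the alert threshold.

    A single stage (for example one 7-Zip extraction) never alerts. The
    -i key flag together with the ntuser.dat artifact is treated as
    sufficient on its own because that pairing is specific to this chain.
    """
    alerts = {}
    for host, stages in collect_stages(events).items():
        if len(stages) >= min_stages or {"keyed", "ntuser_dropped"} <= stages:
            alerts[host] = sorted(stages)
    return alerts


if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(stages)}")
```

The threshold is deliberately conservative: the -r and -s switches and 7-Zip extraction are common in benign activity, so the rule only fires when several stages of the chain land on one host, or when the key-on-the-command-line pattern coincides with the ntuser.dat drop in C:\ProgramData. Tune the staging directories and the key pattern to what your own telemetry shows.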
If the victim refuses to pay, the ransom note threatens to sell the stolen personal information, trade secrets, databases and source code to other threat actors.
Promptly patching Fortinet VPN appliances removes the initial-access vector this strain relies on; keeping all software up to date reduces exposure to ransomware attacks more generally.