CACTUS Ransomware Group
Actor Type | Criminal Group |
---|---|
CACTUS is a ransomware group observed targeting victims since at least March 2023. The name CACTUS is derived from the ransom note left after an intrusion: 'cAcTuS.readme.txt'.
Researchers from Kroll note that CACTUS commonly uses tools including Chisel, Rclone, TotalExec and Scheduled Tasks, and that the group has been observed gaining initial access through exploitation of VPN appliances.
CACTUS Ransomware Group Threat Reports
CACTUS Ransomware: Prickly New Variant Evades Detection
This report by Kroll outlines TTPs and IoCs associated with CACTUS ransomware actors.
MITRE ATT&CK Techniques
MITRE ATT&CK techniques observed in use by this intrusion set.
ATT&CK ID | Title | Associated Tactics |
---|---|---|
T1486 | Data Encrypted for Impact | Impact |
T1090 | Proxy | Command and Control |
T1219 | Remote Access Software | Command and Control |
T1567.002 | Exfiltration to Cloud Storage | Exfiltration |
T1119 | Automated Collection | Collection |
T1570 | Lateral Tool Transfer | Lateral Movement |
T1021.001 | Remote Desktop Protocol | Lateral Movement |
T1018 | Remote System Discovery | Discovery |
T1087 | Account Discovery | Discovery |
T1087.002 | Domain Account | Discovery |
T1049 | System Network Connections Discovery | Discovery |
T1003 | OS Credential Dumping | Credential Access |
T1555.003 | Credentials from Web Browsers | Credential Access |
T1027 | Obfuscated Files or Information | Defense Evasion |
T1027.002 | Software Packing | Defense Evasion |
T1562.001 | Disable or Modify Tools | Defense Evasion |
T1136 | Create Account | Persistence |
T1072 | Software Deployment Tools | Execution, Lateral Movement |
T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation |
T1059 | Command and Scripting Interpreter | Execution |
T1190 | Exploit Public-Facing Application | Initial Access |