CACTUS Ransomware Group

Actor Type	Criminal Group

CACTUS is ransomware group observed targeting victims since at least March 2023. The name CACTUS has been derived from the ransom note left with an intrusion: 'cAcTuS.readme.txt'.

Researchers from Kroll note that CACTUS commonly uses tools including Chisel, Rclone, TotalExec, Scheduled Tasks and that they have been observed gaining initial access through exploitation of VPN appliances.

Cyber Threat Graph Context

Explore how this Intrusion Set relates to the wider threat graph

CACTUS Ransomware Group Threat Reports

Report

CACTUS Ransomware: Prickly New Variant Evades Detection

This report by Kroll outlines TTPs and IoCs associated with CACTUS ransomware actors.

View Source

References

www.bleepingcomputer.com

https://www.bleepingcomputer.com/news/security/energy-giant-schneider-electric-hit-by-cactus-ransomware-attack/

www.kroll.com

https://www.kroll.com/en/insights/publications/cyber/cactus-ransomware-prickly-new-variant-evades-detection

MITRE ATT&CK Techniques

MITRE ATT&CK techniques observed in use by this intrusion set.

Search:

ATT&CK ID	Title	Associated Tactics
T1486	Data Encrypted for Impact	Impact
T1090	Proxy	Command and Control
T1219	Remote Access Software	Command and Control
T1567.002	Exfiltration to Cloud Storage	Exfiltration
T1119	Automated Collection	Collection
T1570	Lateral Tool Transfer	Lateral Movement
T1021.001	Remote Desktop Protocol	Lateral Movement
T1018	Remote System Discovery	Discovery
T1087	Account Discovery	Discovery
T1087.002	Domain Account	Discovery
T1049	System Network Connections Discovery	Discovery
T1003	OS Credential Dumping	Credential Access
T1555.003	Credentials from Web Browsers	Credential Access
T1027	Obfuscated Files or Information	Defense Evasion
T1027.002	Software Packing	Defense Evasion
T1562.001	Disable or Modify Tools	Defense Evasion
T1136	Create Account	Persistence
T1072	Software Deployment Tools	Execution, Lateral Movement
T1053.005	Scheduled Task	Execution, Persistence, Privilege Escalation
T1059	Command and Scripting Interpreter	Execution
T1190	Exploit Public-Facing Application	Initial Access

Showing 1 to 21 of 21 entries