
Security researchers at U.S.-based Kroll Inc. have discovered a new type of ransomware. The unique feature of the so-called Cactus ransomware is that it can bypass endpoint security by encrypting itself, Bleeping Computer reports.

Discovered in March, Cactus is in many ways an ordinary variant of ransomware. For example, it exploits known vulnerabilities in Fortinet VPN equipment to infiltrate a corporate network. It then spreads through the network, steals data and encrypts it. The end goal of ransomware criminals is usually to extort the affected organization: in exchange for payment, the organization receives the unique key to regain access to the stolen data. Although there are still companies that pay the ransom, their number has decreased over the past year.

Encryption

Cactus distinguishes itself by how far it takes encryption. Where typical ransomware only encrypts the victim's files, Cactus also encrypts its own binary, which makes it much harder for security software to detect.

Cactus uses a batch script to extract the encryptor with 7-Zip; the encryptor is removed again once encryption is done. Another batch script uninstalls antivirus software so that Cactus stays undetected for longer. Both steps serve to extend the dwell time, the period during which the ransomware resides in a corporate network. The longer the dwell time, the more likely detection becomes, but also the greater the spread, the more data is encrypted and the more headaches the organization faces.
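The two staging steps described above (a scripted 7-Zip extraction followed by an antivirus uninstall on the same host) are the kind of sequence a detection engineer can correlate in process-creation telemetry. The script below is an added illustration of that correlation, not code from Kroll, Bleeping Computer or the Cactus operators. The event format, the sample events, the list of keywords used to recognise a security product in an uninstall command line and the 30-minute correlation window are all assumptions made here for the example.

```python
"""Correlate a scripted 7-Zip extraction with a later security-product uninstall.

Added example: constructed process-creation events, not real telemetry.
"""
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

SEVEN_ZIP_IMAGES = {"7z.exe", "7za.exe", "7zr.exe", "7zg.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
# Assumed keywords that mark an uninstall command line as targeting a security product.
SECURITY_PRODUCT_KEYWORDS = ("antivirus", "endpoint", "security", "protection")
# Assumed window: how long after the extraction an uninstall still counts as related.
CORRELATION_WINDOW = timedelta(minutes=30)

# Constructed sample events (timestamps, hosts and paths are invented for the example).
SAMPLE_EVENTS = [
    {"ts": "2023-05-08T10:00:01", "host": "ws-01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\ProgramData\7z.exe",
     "cmdline": r"7z.exe x C:\ProgramData\update.7z -pEXAMPLEPASS -oC:\ProgramData\svc"},
    {"ts": "2023-05-08T10:03:12", "host": "ws-01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wbem\wmic.exe",
     "cmdline": "wmic.exe product where \"name like '%Example Antivirus%'\" call uninstall /nointeractive"},
    {"ts": "2023-05-08T10:05:00", "host": "ws-01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
    # Benign: a user extracting an archive by hand, no uninstall afterwards.
    {"ts": "2023-05-08T11:20:00", "host": "ws-02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\7-Zip\7z.exe", "cmdline": r"7z.exe x C:\Users\u\photos.7z"},
    # Benign: an ordinary software removal that names no security product.
    {"ts": "2023-05-08T11:25:00", "host": "ws-02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msiexec.exe", "cmdline": "msiexec.exe /x {PLACEHOLDER-PRODUCT-GUID} /qn"},
]


def _basename(path):
    return PureWindowsPath(path).name.lower()


def is_scripted_7zip_extract(ev):
    """7-Zip extract ('x' or 'e') launched by a script host rather than by a user shell."""
    if _basename(ev["image"]) not in SEVEN_ZIP_IMAGES:
        return False
    tokens = ev["cmdline"].split()
    extracting = len(tokens) > 1 and tokens[1].lower() in ("x", "e")
    return extracting and _basename(ev["parent"]) in SCRIPT_HOSTS


def is_password_protected_extract(ev):
    """True when the 7-Zip command line carries a -p (password) switch."""
    return any(t.lower().startswith("-p") for t in ev["cmdline"].split())


def is_security_product_uninstall(ev):
    """msiexec or wmic uninstall whose command line names a security product."""
    image, cmd = _basename(ev["image"]), ev["cmdline"].lower()
    if image == "msiexec.exe":
        uninstalling = " /x" in cmd or " /uninstall" in cmd
    elif image == "wmic.exe":
        uninstalling = "call uninstall" in cmd
    else:
        return False
    return uninstalling and any(k in cmd for k in SECURITY_PRODUCT_KEYWORDS)


def correlate(events, window=CORRELATION_WINDOW):
    """Return one alert per (extraction, uninstall) pair on the same host within the window."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(ev["host"], []).append(ev)
    alerts = []
    for host, evs in by_host.items():
        extracts = [e for e in evs if is_scripted_7zip_extract(e)]
        uninstalls = [e for e in evs if is_security_product_uninstall(e)]
        for x in extracts:
            for u in uninstalls:
                delta = datetime.fromisoformat(u["ts"]) - datetime.fromisoformat(x["ts"])
                if timedelta(0) <= delta <= window:
                    alerts.append({"host": host, "extract_ts": x["ts"], "uninstall_ts": u["ts"],
                                   "password_protected": is_password_protected_extract(x)})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Either signal on its own is noisy (administrators extract archives and remove software), which is why the example only alerts on the pair. A password-protected extraction launched from a script is recorded in the alert because it is the more specific of the two indicators.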

Leak site

Another notable way Cactus deviates from the norm is that, for now, it does not operate a leak site. Ransomware groups often use such sites to threaten to publish sensitive data; LockBit 3.0, for example, has extorted many organizations with this technique. Since Cactus has only been active since March, a leak site may still be in the offing.

Developments around ransomware are happening at lightning speed, and for good reason. Security experts are constantly identifying potential software vulnerabilities, and large tech companies run bug bounty programs to make their services more secure. For an organization, being aware of security threats is paramount. Fortinet is working hard to close such vulnerabilities in its VPN products, but many companies are not living up to key security principles.