Caktus Ransomware creates a thorny situation in the internet

Emre Çitak
May 8, 2023

A new ransomware operation, named Caktus ransomware, has been targeting large commercial entities since March this year. The threat actor behind Caktus has been exploiting vulnerabilities in VPN appliances to gain initial access to networks.

This operation has been seeking significant payouts from its victims, and while it employs common ransomware tactics such as file encryption and data theft, it utilizes unique methods to avoid detection.

According to researchers at Kroll corporate investigation and risk consulting firm, the Caktus ransomware operation has been exploiting known vulnerabilities in Fortinet VPN appliances to gain initial access to victim networks.

The researchers observed that in all incidents investigated, the hacker pivoted inside from a VPN server with a VPN service account. This approach highlights the importance of patching and securing VPN appliances and other network entry points to prevent threat actors from exploiting known vulnerabilities.

Caktus ransomware
Caktus ransomware has been researched by Kroll

Caktus ransomware's unique method of self-encryption

What sets Caktus apart from other ransomware operations is its use of encryption to protect the ransomware binary. The threat actor uses a batch script to obtain the encryptor binary using 7-Zip. The entire process is unusual and researchers believe that this is to prevent the detection of the ransomware encryptor. Caktus essentially encrypts itself, making it more difficult to detect and evade antivirus and network monitoring tools.

Once inside a network, Caktus uses a scheduled task for persistent access and relies on SoftPerfect Network Scanner (netscan) to identify interesting targets on the network. The threat actor uses PowerShell commands to enumerate endpoints, identify user accounts, and ping remote hosts for deeper reconnaissance. Kroll investigators found that Caktus also used a modified variant of the open-source PSnmap Tool and tried multiple remote access methods through legitimate tools and the Go-based proxy tool Chisel.

Caktus ransomware steals data from victims, which is transferred to cloud storage using the Rclone tool. After exfiltrating data, the hackers use a PowerShell script called TotalExec to automate the deployment of the encryption process. The encryption routine in Caktus ransomware attacks is unique, but a similar encryption process has been recently adopted by the BlackBasta ransomware gang.

Caktus ransomware
Caktus ransomware is after victims' data

The impact of Caktus ransomware attacks

While there is no public information about the ransoms that Caktus demands from its victims, sources suggest that they are in the millions. Although the hackers do not appear to have set up a leak site, they do threaten victims with publishing the stolen files unless they receive payment. The incursions by Caktus so far likely leveraged vulnerabilities in the Fortinet VPN appliance and followed the standard double-extortion approach by stealing data before encrypting it.

How to protect yourself against Caktus ransomware?

To protect against the final and most damaging stages of a ransomware attack, it is recommended to apply the latest software updates, monitor the network for large data exfiltration tasks, and respond quickly.

Organizations should prioritize patching vulnerabilities in their VPN appliances and other network entry points to prevent threat actors from exploiting known vulnerabilities. Additionally, implementing multi-factor authentication and endpoint security solutions can provide an extra layer of defense against ransomware attacks. Here are the Best VPN Extensions for Google Chrome and to stay secure.


Tutorials & Tips

Previous Post: «
Next Post: «


There are no comments on this post yet, be the first one to share your thoughts!

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.