What is Cactus malware?

A relatively new player in the cybercrime landscape, it’s a RaaS sold or leased by its developers to affiliates who carry out attacks. It uses both technical exploits and evasive maneuvers to compromise networks, encrypt data, and extort victims.

Cactus infiltrates networks by brute-forcing credentials and exploiting known vulnerabilities in VPN appliances and remote access solutions, such as Fortinet, Citrix, Qlik Sense. Threat actors also purchase stolen credentials or use brute-force attacks against Remote Desktop Protocol (RDP) services.

Phishing and malwertising campaigns may also be used to harvest employee login details. Once inside, attackers perform reconnaissance, escalate privileges, and move laterally, often targeting critical systems like domain controllers.

Cactus operates as a double-extortion ransomware, meaning it doesn’t just encrypt files—it also steals data and threatens to leak it. Some reports suggest it employs triple-extortion by targeting victims’ partners or clients with threats to increase pressure. The double- or triple-extortion model makes it especially harmful to organizations handling sensitive customer data, intellectual property, or proprietary information, as leaks can lead to regulatory fines and reputational damage.

The entire process can unfold rapidly—sometimes within 24 hours of initial access, especially if a vulnerability is freshly disclosed.

Cactus encrypts itself before execution, making detection more difficult. It uses AES-RSA encryption to lock files and appends a .cts or .cactus extension.

The malware drops a ransom note demanding payment through Tor-based negotiation sites.

Cactus Ransomware’s Prominent Features

• A specter of approaches for infiltrating network: remote access and VPN apps abuse via vulnerabilities, stolen and bought credentials; pen test tools abuse; phishing, malvertising.
• Cactus encrypts its own binaries, making it harder for antivirus software to detect it as malicious
• Triple extortion tactic: in addition to encrypting and stealing victims’ data, Cactus threatens their counterparties and partners, directly communicates with relevant stakeholders to increase the perceived urgency of ransom demands.
• Rapid threat: capable of exploiting vulnerabilities days or hours after they were disclosed.

Cactus’s Execution Process and Technical Details

Among millions of malware analysis sessions conducted in the ANY.RUN sandbox, there is a number of Cactus fresh samples. Let’s see it in action in safe VM environment.

View sandbox analysis

The core of Cactus ransomware's functionality lies in its payload execution. It employs a combination of AES-256 and RSA-4096 encryption algorithms to encrypt files on infected systems. The ransomware checks for specific command-line arguments upon execution; if certain flags are present, it alters its behavior accordingly. For example, if executed without specific flags, it begins encrypting files throughout the system while appending unique extensions to encrypted files.

During encryption, Cactus ransomware also deletes shadow copies and terminates essential services that could interfere with its operations. The ransomware scans all drives for files to encrypt, excluding certain file types like executables and system files to maintain operational integrity. Upon completion of the encryption process, a ransom note is dropped into each affected directory, demanding payment for file recovery.

Cactus Ransomware analysis inside ANY.RUN's Interactive Sandbox

After encryption, Cactus deletes itself by execution CMD with command-line of deletion with delay.

• Attackers employ Cobalt Strike, Metasploit, and Brute Ratel for privilege escalation and lateral movement within the network.
• Cactus deploys legitimate remote access tools (e.g., AnyDesk, Splashtop) and malicious ones (e.g., Cobalt Strike, Chisel) to maintain access. It often targets credentials stored in memory (e.g., via LSASS dumps) or in tools like KeePass, escalating privileges to domain admin levels.
• The malware abuses PowerShell scripts to modify system settings, disables endpoint detection and response (EDR) tools, creates scheduled tasks and registry keys for persistence.
• It uses RDP, PsExec, and Windows Management Instrumentation (WMI) to spread across the network.
• Exfiltrates data before encryption using tools like Rclone, MegaSync, or cloud services (Google Drive, Dropbox).
• AES-RSA hybrid encryption is used to lock files; a .cts or .cactus extension is added to files, ransom note is generated.
• Data is uploaded using encrypted channels, making network detection harder.
• To evade detection, leverages Windows Native Tools (LOLBins: cmd.exe, wmic.exe, rundll32.exe).
• Uses wevtutil and PowerShell commands to clear security logs and hide evidence

What are the examples of the best-known Cactus attacks?

1. Schneider Electric Attack (January 2024): a global leader in energy management and automation experienced a Cactus ransomware attack. The breach disrupted the company's Sustainability Business division and led to the theft of terabytes of corporate data. The attackers threatened to leak the stolen information if the ransom demands were not met.
2. Housing Authority of the City of Los Angeles (HACLA) Breach (November 2024): This incident compromised sensitive information, highlighting the vulnerability of public sector organizations to sophisticated ransomware operations.
3. CIE Automotive Incident (August 2023): The breach of a prominent automotive supplier underscored the susceptibility of the automotive industry to cyber threats, especially those leveraging internet technologies.
4. Exploitation of Qlik Sense Servers (April 2024): Cactus operators exploited vulnerabilities in Qlik Sense, a data analytics platform, specifically flaws like CVE-2023-41265 and CVE-2023-41266. These allowed unauthorized access to corporate networks. One documented case involved a U.S.-based organization where attackers initiated the attack just days after the vulnerabilities were disclosed, highlighting Cactus’s speed in exploiting fresh flaws.
5. Cactus has been linked to attacks on companies like Marfrig Global Foods and MINEMAN Systems, both of which influence global supply chains. These attacks often involve pivoting from one compromised entity to its partners or clients, amplifying disruption. For instance, after breaching a primary target, Cactus operators have been known to use stolen credentials to access related networks, threatening to leak data from multiple entities unless ransoms are paid—a form of triple-extortion.

These incidents illustrate Cactus ransomware's strategic targeting of diverse industries, its sophisticated infiltration methods, and the substantial impact on affected organizations.

Gathering threat intelligence on Cactus malware

Threat intelligence is critical for staying ahead of Cactus, given its rapid evolution and use of fresh exploits. Leverage TI to hunt for IOCs specific to Cactus, like known C2 domains, IPs, or file hashes. Focus on TTPs (tactics, techniques, procedures) shared by TI reports, such as self-encryption or LotL behaviors, to build detection rules in SIEM systems.

Use ANY.RUN’s Threat Intelligence Lookup: start with searching by the ransomware name and dive into IOCs and TTPs research along with analysis sessions from the Sandbox.

threatName:"cactus"

Cactus samples with basic IOCs

Study Cactus ransomware behavior: see how a malicious process unwraps

Details on Cactus actions in the system

Conclusion

Cactus ransomware is a highly sophisticated threat leveraging self-encrypting payloads, living-off-the-land techniques, and double extortion. Its targeted nature makes it a high-risk ransomware strain for enterprises.

By leveraging threat intelligence, proactive threat hunting, and strong security controls, organizations can detect and mitigate Cactus ransomware infections before they cause irreparable damage.

Start with 50 requests in TI Lookup to collect IOCs on Cactus and be ready to detect and respond