Threat Intelligence Report : Cactus Ransomware

The Cactus Ransomware Group employs a sophisticated multi-stage attack method, featuring social engineering and exploits to compromise targeted systems. Their toolkit includes ransomware delivery, stealthy lateral movement, and custom command-and-control tactics. Though an encryption attempt was thwarted, the group demonstrated readiness to carry out a full attack cycle. Affected: ransomware victims, manufacturing sector, retail sector, healthcare sector, education sector, finance sector, construction sector

Keypoints :

  • The Cactus ransomware group executes a multi-stage attack involving social engineering, ESXi exploits, and custom C2 implants.
  • Victims receive phishing emails and Microsoft Teams impersonation requests for remote sessions.
  • Malicious files are disguised as legitimate OneDrive content, leading to payload execution.
  • The attackers modify registry settings to establish persistent C2 communication.
  • Despite attempting ransomware deployment, encryption was interrupted without success.
  • The United States leads in ransomware incidents globally, significantly impacting various sectors.
  • Manufacturing sector remains the most targeted, followed by retail and business services.
  • Proactive cybersecurity measures are crucial to counteract increasing ransomware threats.

MITRE Techniques :

  • Initial Access: Phishing & Social Engineering (T1566) – Email bomb campaigns and impersonation via Microsoft Teams.
  • Execution: User Execution (T1204) – Victim downloads malicious .bpx files disguised as OneDrive content.
  • Persistence: Registry Modification (T1112) – Registry key HKCU\SOFTWARE\TitanPlus for backconnect C2 IP addresses.
  • Privilege Escalation: DLL Sideloading (T1574.002) – Custom DLLs placed in trusted OneDrive directories for execution.
  • Defence Evasion: Masquerading (T1036) – Use of OneDrive file names for stealth.
  • Defence Evasion: Disabling Security Tools (T1562) – Disabled ESXi security settings to allow unauthorized binaries.
  • Lateral Movement: SMB (T1021.002) and WinRM (T1021.006) – Utilization of file shares for network traversal.
  • Command-and-Control: BackConnect Implants (T1573) – Dynamic C2 registration through registry keys.
  • Command-and-Control: WinSCP Deployment (T1105) – Used for file transfer/exfiltration connecting to pumpkinrab.com.
  • Impact: Ransomware Deployment (T1486) – Attempted encryption with ransom note delivery interrupted.

Indicator of Compromise :

  • [File] C:\Users\Downloads\kb153056-01.bpx
  • [File] C:\Users\Downloads\kb153064-02.bpx
  • [File] C:\Users\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe
  • [IP Address] 45.8.157.199
  • [Domain] pumpkinrab.com
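As an added detection example that is not part of the Red Piranha report: a small Python scanner that applies the indicators above (the TitanPlus registry key, the .bpx file names, the C2 IP address and the WinSCP exfiltration domain) to endpoint telemetry lines and tags each hit with the MITRE technique the report lists for it. The sample log lines are constructed for this example, and the field layout (event=, path=, key=, dst=, name=, proc=) is an assumption, not any product's real format; OneDriveStandaloneUpdater.exe is a legitimate binary, so it is only flagged on a line that already carries another indicator.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Indicators of compromise taken from the report above.
IOC_FILE_NAMES = {"kb153056-01.bpx", "kb153064-02.bpx"}
IOC_IPS = {"45.8.157.199"}
IOC_DOMAINS = {"pumpkinrab.com"}
IOC_REGISTRY_KEY = r"HKCU\SOFTWARE\TitanPlus"
# Legitimate OneDrive binary named in the report (used as the DLL side-loading host).
# On its own it is benign, so it is reported only alongside another indicator.
SIDELOAD_HOST = "OneDriveStandaloneUpdater.exe"

IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
DOMAIN_RE = re.compile(r"(?<![\w.-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?![\w-])", re.I)
# Any .bpx file landing in a Downloads folder is worth a look, not only the two known names.
BPX_RE = re.compile(r"\\Downloads\\([^\\\"\s]+\.bpx)", re.I)

# Constructed sample telemetry (assumed field layout); line 5 and 6 are benign noise.
SAMPLE_LOG = """\
2025-03-05T10:12:01Z host=WS-FIN-07 event=FileCreate path="C:\\Users\\alice\\Downloads\\kb153056-01.bpx" proc=msedge.exe
2025-03-05T10:12:40Z host=WS-FIN-07 event=RegistrySet key="HKCU\\SOFTWARE\\TitanPlus" value="45.8.157.199:443" proc=OneDriveStandaloneUpdater.exe
2025-03-05T10:13:02Z host=WS-FIN-07 event=NetConn dst=45.8.157.199 dport=443 proc=OneDriveStandaloneUpdater.exe
2025-03-05T11:02:55Z host=WS-FIN-07 event=DnsQuery name=pumpkinrab.com proc=WinSCP.exe
2025-03-05T11:03:10Z host=WS-FIN-07 event=NetConn dst=142.250.72.14 dport=443 proc=msedge.exe
2025-03-05T11:05:00Z host=WS-FIN-07 event=FileCreate path="C:\\Users\\alice\\Downloads\\report.pdf" proc=msedge.exe
"""


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str        # registry | file | file_suspect | ip | domain | sideload_host
    indicator: str
    technique: str   # MITRE technique listed in the report for this indicator


def _normalize(line: str) -> str:
    # Sysmon and several EDRs log the long hive name; the report uses the short form.
    return line.replace("HKEY_CURRENT_USER", "HKCU")


def scan_line(line_no: int, line: str) -> list[Hit]:
    hits: list[Hit] = []
    text = _normalize(line)
    if IOC_REGISTRY_KEY.lower() in text.lower():
        hits.append(Hit(line_no, "registry", IOC_REGISTRY_KEY, "T1112"))
    for m in BPX_RE.finditer(text):
        name = m.group(1)
        kind = "file" if name.lower() in IOC_FILE_NAMES else "file_suspect"
        hits.append(Hit(line_no, kind, name, "T1204"))
    for m in IPV4_RE.finditer(text):
        ip = m.group(1)
        try:
            ipaddress.IPv4Address(ip)   # drop regex matches such as 999.1.1.1
        except ValueError:
            continue
        if ip in IOC_IPS:
            hits.append(Hit(line_no, "ip", ip, "T1573"))
    for m in DOMAIN_RE.finditer(text):
        dom = m.group(1).lower()
        if any(dom == d or dom.endswith("." + d) for d in IOC_DOMAINS):
            hits.append(Hit(line_no, "domain", dom, "T1105"))
    # The side-loading host only matters in the context of another indicator.
    if hits and SIDELOAD_HOST.lower() in text.lower():
        hits.append(Hit(line_no, "sideload_host", SIDELOAD_HOST, "T1574.002"))
    return hits


def scan_log(text: str) -> list[Hit]:
    hits: list[Hit] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        hits.extend(scan_line(line_no, line))
    return hits


def summarize(hits: list[Hit]) -> dict[str, int]:
    # Count hits per MITRE technique to see how much of the reported chain is present.
    return dict(Counter(h.technique for h in hits))


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"line {h.line_no}: {h.kind:<14} {h.indicator:<28} {h.technique}")
    print("by technique:", summarize(found))
```

Run against the constructed log, the scanner reports seven hits across the first four lines and none for the benign traffic or the PDF download; a summary showing T1112, T1573, T1105 and T1574.002 together on one host is the pattern that distinguishes this intrusion chain from a stray match on a single indicator.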

Full Story: https://redpiranha.net/news/threat-intelligence-report-march-4-march-10-2025