The Cactus Ransomware Group employs a sophisticated multi-stage attack method, featuring social engineering and exploits to compromise targeted systems. Their toolkit includes ransomware delivery, stealthy lateral movement, and custom command-and-control tactics. Though an encryption attempt was thwarted, the group demonstrated readiness to carry out a full attack cycle. Affected: ransomware victims, manufacturing sector, retail sector, healthcare sector, education sector, finance sector, construction sector
Key points:
- The Cactus ransomware group executes a multi-stage attack involving social engineering, ESXi exploits, and custom C2 implants.
- Victims receive phishing emails and Microsoft Teams impersonation requests for remote sessions.
- Malicious files are disguised as legitimate OneDrive content, leading to payload execution.
- The attackers modify registry settings to establish persistent C2 communication.
- Despite attempting ransomware deployment, encryption was interrupted without success.
- The United States leads in ransomware incidents globally, significantly impacting various sectors.
- Manufacturing sector remains the most targeted, followed by retail and business services.
- Proactive cybersecurity measures are crucial to counteract increasing ransomware threats.
MITRE Techniques:
- Initial Access: Phishing & Social Engineering (T1566) – Email bomb campaigns and impersonation via Microsoft Teams.
- Execution: User Execution (T1204) – Victim downloads malicious .bpx files disguised as OneDrive content.
- Persistence: Registry Modification (T1112) – Registry key HKCU\SOFTWARE\TitanPlus for backconnect C2 IP addresses.
- Privilege Escalation: DLL Sideloading (T1574.002) – Custom DLLs placed in trusted OneDrive directories for execution.
- Defence Evasion: Masquerading (T1036) – Use of OneDrive file names for stealth.
- Defence Evasion: Disabling Security Tools (T1562) – Disabled ESXi security settings to allow unauthorized binaries.
- Lateral Movement: SMB (T1021.002) and WinRM (T1021.006) – Utilization of file shares for network traversal.
- Command-and-Control: BackConnect Implants (T1573) – Dynamic C2 registration through registry keys.
- Command-and-Control: WinSCP Deployment (T1105) – Used for file transfer/exfiltration connecting to pumpkinrab.com.
- Impact: Ransomware Deployment (T1486) – Attempted encryption with ransom note delivery interrupted.
Indicators of Compromise:
- [File] C:\Users\Downloads\kb153056-01.bpx
- [File] C:\Users\Downloads\kb153064-02.bpx
- [File] C:\Users\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe
- [IP Address] 45.8.157.199
- [Domain] pumpkinrab.com
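The indicators above, together with the TitanPlus registry key from the technique list, are the sort of thing a defender sweeps endpoint and network telemetry for. The script below is an added example, not code from the report or from Red Piranha: it matches the report's IoCs against constructed sample event lines (the hostnames, usernames and timestamps are invented for illustration) and separates high-confidence hits from the OneDriveStandaloneUpdater.exe name, which is a legitimate Microsoft binary that the report lists because it was abused for sideloading, so a hit on its name alone is context rather than evidence.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Indicators taken from the report above. The registry key comes from its
# MITRE technique list, the rest from its IoC list.
HIGH_CONFIDENCE = {
    "file": ["kb153056-01.bpx", "kb153064-02.bpx"],
    "ip": ["45.8.157.199"],
    "domain": ["pumpkinrab.com"],
    "registry": [r"HKCU\SOFTWARE\TitanPlus"],
}
# Legitimate binary name abused for DLL sideloading: report it, but do not
# triage a host on this alone.
LOW_CONFIDENCE = {
    "file": ["OneDriveStandaloneUpdater.exe"],
}

# Constructed sample telemetry (hosts, users and times are invented), in a
# simple key=value format so the example runs offline.
SAMPLE_EVENTS = [
    r"2025-03-05T09:12:44Z host=WS-17 event=FileCreate path=C:\Users\jdoe\Downloads\kb153056-01.bpx",
    r"2025-03-05T09:13:02Z host=WS-17 event=RegSetValue key=HKCU\SOFTWARE\TitanPlus value=45.8.157.199",
    r"2025-03-05T09:13:09Z host=WS-17 event=DnsQuery name=pumpkinrab.com",
    r"2025-03-05T09:14:00Z host=WS-22 event=ProcessStart image=C:\Users\asmith\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe",
    r"2025-03-05T09:14:30Z host=WS-30 event=NetConn dst=145.8.157.199:443",
]

HOST_RE = re.compile(r"\bhost=(\S+)")


def _pattern(kind: str, value: str) -> re.Pattern:
    """Case-insensitive literal match. IPs get digit boundaries so 45.8.157.199
    does not fire on 145.8.157.199; domains get word boundaries so a subdomain
    of pumpkinrab.com still matches but notpumpkinrab.com does not."""
    escaped = re.escape(value)
    if kind == "ip":
        escaped = r"(?<!\d)" + escaped + r"(?!\d)"
    elif kind == "domain":
        escaped = r"(?<![\w-])" + escaped + r"(?![\w-])"
    return re.compile(escaped, re.IGNORECASE)


def compile_iocs() -> List[Tuple[str, str, str, re.Pattern]]:
    """Flatten both tables into (confidence, type, value, pattern) tuples."""
    compiled = []
    for conf, table in (("high", HIGH_CONFIDENCE), ("low", LOW_CONFIDENCE)):
        for kind, values in table.items():
            for value in values:
                compiled.append((conf, kind, value, _pattern(kind, value)))
    return compiled


PATTERNS = compile_iocs()


def scan_events(events: List[str]) -> Dict[str, List[dict]]:
    """Return {host: [match, ...]}; one match per (event, IoC) pair, so an
    event carrying two indicators yields two matches."""
    hits: Dict[str, List[dict]] = defaultdict(list)
    for line in events:
        m = HOST_RE.search(line)
        host = m.group(1) if m else "unknown"
        for conf, kind, value, pat in PATTERNS:
            if pat.search(line):
                hits[host].append(
                    {"confidence": conf, "type": kind, "ioc": value, "event": line}
                )
    return dict(hits)


def hosts_to_triage(events: List[str]) -> List[str]:
    """Hosts with at least one high-confidence hit, sorted for stable output."""
    hits = scan_events(events)
    return sorted(
        host for host, matches in hits.items()
        if any(m["confidence"] == "high" for m in matches)
    )


if __name__ == "__main__":
    for host, matches in sorted(scan_events(SAMPLE_EVENTS).items()):
        for m in matches:
            print(f"{host}: [{m['confidence']}] {m['type']}={m['ioc']} <- {m['event']}")
    print("triage:", hosts_to_triage(SAMPLE_EVENTS))
```

On a live Windows host the TitanPlus key sits in each user's hive, so a sweep should enumerate the per-user subkeys of HKEY_USERS rather than only the HKCU of the account running the check; the pattern above matches the HKCU spelling because that is how the report records it.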
Full Story: https://redpiranha.net/news/threat-intelligence-report-march-4-march-10-2025