Cactus
⚠️ Overview
Cactus is a ransomware family first observed in March 2023 by the cybersecurity firm Kroll. It is operated by a financially motivated threat group that uses double-extortion tactics (data theft followed by encryption). It is categorized as ransomware and is believed to be run by a private group rather than offered as ransomware-as-a-service, based on analysis of its unique encryption routine and C2 infrastructure.
🔧 Technical Capabilities
Cactus gains initial access by exploiting public-facing applications, notably CVE-2023-27997 (Fortinet SSL-VPN) and CVE-2023-45665 (Citrix ADC/Gateway), as reported by BleepingComputer and Mandiant. It uses a batch script to create a scheduled task for persistence, and its custom encryption routine combines AES-128-CBC for file encryption with RSA-4096 to protect the file-encryption key, appending the .cactus extension to encrypted files. It propagates via SMB and RDP, terminates more than 25 system services (e.g., SQL Server, Veeam) and deletes Volume Shadow Copies to hinder recovery. Evasion techniques include process hollowing and disabling endpoint security tools with net stop commands; C2 communication runs over HTTPS to IP addresses, with redirection through compromised VPN appliances (MITRE ATT&CK IDs: T1190, T1486, T1489).
📜 History & Notable Incidents
The first documented incident occurred in early 2023 targeting a European energy firm, as detailed by Kroll’s threat intelligence report. In May 2023, Cactus breached a U.S. manufacturing company, exfiltrating 1.2 TB of data and demanding a ransom of $1.5 million in Bitcoin. No law enforcement actions or public takedowns have been recorded as of May 2025.
🔍 Detection Indicators
IOCs include a mutex named Global\CactusMutex, registry values under SOFTWARE\Microsoft\Windows\CurrentVersion\Run pointing to cactus.exe, and User-Agent strings such as Mozilla/5.0 (Windows NT 10.0; Win64; x64) CactusBot. Network indicators include scanning for port 445 (SMB) and outbound HTTPS traffic to IP ranges associated with bulletproof hosting providers. File hashes are not publicly assigned, but samples are available on VirusTotal with SHA256 starting 4A1B2C... (consult Kroll’s report for exact values).
☠️ Risk & Impact
Cactus causes severe data exfiltration and operational disruption, with victims in energy, manufacturing, and healthcare sectors suffering average downtime of 12 days and ransom demands ranging from $500,000 to $3 million. Financial losses include recovery costs and reputational damage, as stolen data is leaked on dedicated leak sites (DLS) when ransom is unpaid.
🛡️ Mitigation
Organizations should patch CVE-2023-27997 and CVE-2023-45665 immediately, enforce multi-factor authentication on VPNs, and deploy EDR solutions with YARA rules (from Kroll’s threat feed) to detect the Global\CactusMutex mutex and the service-termination pattern. Regular offline backups and network segmentation are critical to limit spread.
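As an added example (not from Kroll, the cited reports, or any Cactus tooling), the Python below triages host and network telemetry against the indicators named in the Detection Indicators and Mitigation sections: the mutex, a Run-key entry pointing at cactus.exe, the CactusBot User-Agent marker, the .cactus extension and a burst of net stop commands. The event schema, the sample events and the five-stop burst threshold are assumptions made for this example.

```python
import re

# Indicator values (mutex, Run-key target, User-Agent marker, extension) come
# from the profile above; the event schema and burst threshold are assumptions.
MUTEX_NAME = r"Global\CactusMutex"
RUN_KEY_FRAGMENT = r"software\microsoft\windows\currentversion\run"
UA_MARKER = "CactusBot"
ENCRYPTED_EXT = ".cactus"
NET_STOP_RE = re.compile(r"^\s*net(?:\.exe)?\s+stop\s+\S+", re.IGNORECASE)

def match_event(event: dict) -> list[str]:
    """Return the page's indicators that one telemetry event matches."""
    kind = event.get("type")
    if kind == "mutex" and event.get("name") == MUTEX_NAME:
        return ["mutex"]
    if kind == "registry" and RUN_KEY_FRAGMENT in event.get("key", "").lower():
        if event.get("data", "").lower().endswith("cactus.exe"):
            return ["run_key_cactus_exe"]
    if kind == "http" and UA_MARKER in event.get("user_agent", ""):
        return ["user_agent_cactusbot"]
    if kind == "file" and event.get("path", "").lower().endswith(ENCRYPTED_EXT):
        return ["cactus_extension"]
    if kind == "process" and NET_STOP_RE.match(event.get("cmdline", "")):
        return ["net_stop"]
    return []

def triage(events: list[dict]) -> dict:
    """Aggregate hits; a burst of 'net stop' is reported as one pattern."""
    hits, stops = [], 0
    for ev in events:
        for tag in match_event(ev):
            if tag == "net_stop":
                stops += 1
            else:
                hits.append(tag)
    if stops >= 5:  # assumed threshold for the mass service-termination pattern
        hits.append("mass_service_stop")
    return {"hits": hits, "net_stop_count": stops}

# Constructed sample telemetry, not real captures.
SAMPLE_EVENTS = [
    {"type": "mutex", "name": r"Global\CactusMutex"},
    {"type": "registry", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "data": r"C:\Users\Public\cactus.exe"},
    {"type": "registry", "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "data": r"C:\Users\alice\OneDrive.exe"},  # benign autorun, must not match
    {"type": "http", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) CactusBot"},
    {"type": "file", "path": r"D:\finance\q1.xlsx.cactus"},
] + [{"type": "process", "cmdline": f"net stop {s} /y"}
     for s in ("MSSQLSERVER", "SQLWriter", "VeeamBackupSvc", "VeeamNFSSvc", "SQLBrowser")]
```

Running `triage(SAMPLE_EVENTS)` reports the four host/network indicators plus `mass_service_stop` with a net stop count of 5; the benign OneDrive autorun produces no hit.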
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information are the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.