Security researchers at Kroll Inc., a US firm, have identified a new ransomware family, dubbed ‘Cactus’. What sets it apart is that it evades endpoint security by encrypting its own executable, as reported by Bleeping Computer.
First observed in March, Cactus gains initial access the way many ransomware operations do: it exploits known vulnerabilities in Fortinet VPN appliances to get into a corporate network. Once inside, it moves laterally, exfiltrates data, and then encrypts files. The end goal, as usual, is extortion: the attackers offer the decryption key in exchange for payment. Some companies still pay, although the proportion that does has fallen over the past year.
What makes Cactus unusual is what it encrypts. Typical ransomware encrypts only the victim's files; Cactus also keeps its own binary in encrypted form, so that the encryptor sitting on disk is harder for security software to detect and analyse. A batch script extracts the encryptor from a 7-Zip archive, and the archive is removed afterwards. A second batch script uninstalls antivirus software, which lets Cactus stay undetected for longer. Both steps serve to extend the “dwell time”, the period between the intruders' entry into a network and their discovery.
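The deployment chain described above (a batch script running 7-Zip to extract the encryptor, the archive being deleted, and a further script uninstalling security software) is something a SOC can hunt for in process-creation telemetry. The following is an added detection example, not code from Kroll, Bleeping Computer or the Cactus operators. The event schema, the process trees and the product names in the events and in `AV_HINTS` are all constructed for the example; nothing here is drawn from real Cactus samples.

```python
"""Detection logic for a Cactus-like deployment chain, run over constructed
process-creation events. The field names (ts, host, pid, ppid, image,
cmdline) are an assumed schema, not any vendor's log format."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    ts: int        # seconds since epoch (constructed values)
    host: str
    pid: int
    ppid: int
    image: str     # path of the executable that started
    cmdline: str


# Hypothetical list: a defender fills it with the security products
# deployed in their own estate. "exampleav" is a made-up product name.
AV_HINTS = ("antivirus", "endpoint protection", "exampleav")

SEVEN_ZIP = re.compile(r"(?:^|\\)7za?\.exe$", re.IGNORECASE)
ARCHIVE = re.compile(r"(\S+\.(?:7z|zip))", re.IGNORECASE)
DELETE = re.compile(r"\b(?:del|erase)\b", re.IGNORECASE)


def _batch_parent(ev, by_pid):
    """True if the parent process is cmd.exe running a .bat file."""
    parent = by_pid.get((ev.host, ev.ppid))
    return (parent is not None
            and parent.image.lower().endswith("cmd.exe")
            and ".bat" in parent.cmdline.lower())


def _is_extraction(ev):
    """True if the event is 7-Zip invoked with an extract verb (x or e)."""
    tokens = ev.cmdline.split()
    return (SEVEN_ZIP.search(ev.image) is not None
            and len(tokens) > 1 and tokens[1].lower() in ("x", "e"))


def detect_cactus_like_chain(events, window=300):
    """Return findings for (a) a 7-Zip extraction launched by a batch script
    whose archive is deleted on the same host within `window` seconds, and
    (b) any command line that uninstalls a listed security product."""
    by_pid = {(e.host, e.pid): e for e in events}
    ordered = sorted(events, key=lambda e: e.ts)
    findings = []
    for ev in ordered:
        if _is_extraction(ev) and _batch_parent(ev, by_pid):
            m = ARCHIVE.search(ev.cmdline)
            archive = m.group(1).lower() if m else None
            deleted = archive is not None and any(
                d.host == ev.host and ev.ts <= d.ts <= ev.ts + window
                and DELETE.search(d.cmdline) and archive in d.cmdline.lower()
                for d in ordered)
            if deleted:
                findings.append({"rule": "batch_7z_extract_then_delete",
                                 "host": ev.host, "pid": ev.pid,
                                 "archive": archive})
        low = ev.cmdline.lower()
        if "uninstall" in low and any(h in low for h in AV_HINTS):
            findings.append({"rule": "av_uninstall",
                             "host": ev.host, "pid": ev.pid})
    return findings


# Constructed sample events. ws01 shows the suspicious chain; ws02 shows a
# user extracting a zip from Explorer, which must not be flagged.
EVENTS = [
    ProcEvent(100, "ws01", 400, 300, r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c C:\Users\Public\deploy.bat"),
    ProcEvent(101, "ws01", 401, 400, r"C:\Users\Public\7z.exe",
              r"7z.exe x C:\Users\Public\pkg.7z -pPASS -oC:\Users\Public"),
    ProcEvent(103, "ws01", 402, 400, r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c del /f /q C:\Users\Public\pkg.7z"),
    ProcEvent(110, "ws01", 403, 400, r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c C:\Users\Public\remove-av.bat"),
    ProcEvent(115, "ws01", 405, 403, r"C:\Program Files\ExampleAV\uninstall.exe",
              r'"C:\Program Files\ExampleAV\uninstall.exe" /silent'),
    ProcEvent(200, "ws02", 500, 20, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(201, "ws02", 501, 500, r"C:\Program Files\7-Zip\7z.exe",
              r"7z.exe x C:\Users\alice\Downloads\photos.zip -oC:\Users\alice\Pictures"),
]


if __name__ == "__main__":
    for f in detect_cactus_like_chain(EVENTS):
        print(f)
```

The extraction rule keys on the parent process rather than on 7-Zip alone, because 7-Zip launched from Explorer or a terminal is routine on workstations; it is the batch-script parent plus the prompt deletion of the archive that matches the behaviour described in the article. The uninstall rule is deliberately simple and relies on the defender's own product list.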
Unlike many ransomware groups, Cactus does not yet operate a ‘leak site’, the kind of website used to threaten victims with publication of stolen data. Since Cactus has only been active since March, one may still be in the offing.
Ransomware is evolving quickly, and organizations need to stay aware of the risks. Fortinet continues to release fixes for vulnerabilities in its VPN products, but many companies still neglect basic security hygiene. To defend against ransomware, organizations should apply security patches promptly, above all on Internet-facing VPN appliances, require multi-factor authentication, and keep regular backups that are tested and stored where an intruder on the network cannot encrypt or delete them.