Novel Cactus Ransomware Abuses VPNs for Persistence


May 9, 2023

World map

A new ransomware operation has been observed targeting enterprise networks over the last two months delivering a ransomware payload dubbed Cactus by exploiting common vulnerabilities found in VPNs to gain persistence on the network.

“In all the cases investigated by Kroll, the attackers gain their initial foothold on a VPN appliance using a service account and they then deployed a SSH backdoor that connected back to their command-and-control (C2) server and was executed via a scheduled task,” CSO Online reports.

“This activity was immediately followed by network reconnaissance using a commercial Windows network scanner made by an Australian company called SoftPerfect. Additional PowerShell commands and scripts were used to enumerate computers on the network and extract user accounts from the Windows Security event log."

Takeaway: Abusing Virtual Private Networks (VPN) and Remote Desktop Protocol (RDP) are two of the most common tactics used by ransomware operators to gain persistence and move laterally and in a compromised network.  

RDP exploits are also used to remotely execute malicious code like malware and attack kits, or by executing scripts in fileless attacks, or when abusing legitimate network tools in what is known as living-off-the-land. Access to RDP and VPN instances is usually accomplished by way of stolen or brute-forced user credentials.

As well, exploitation of unpatched vulnerabilities is on the rise with ransomware gangs. Patching systems can be a complex process for some organizations. In order to avoid breaking critical business systems, patches often need to be applied in dev environments and tested prior to being put into production.  

Even then, some issues prevent patching due to legacy systems/software or internal (home-brewed) scripts/applications that will break if the patch is applied haphazardly. Thus, there can be months or more of work to do before some vulnerabilities can be mitigated, leaving the organization exposed.

The marked increase in the exploitation of vulnerabilities by ransomware gangs is further evidence that criminal actors continue to employ increasingly complex techniques that we used to only see in state-supported operations.  

Ransomware attacks used to be clumsier and more random, basically a numbers game where massive email spam campaigns or drive-by watering hole attacks designed to infect as many individual devices as possible while asking for ransoms of a fraction of a bitcoin - but those days have largely passed.

But the fact that these attackers are leveraging exploits for well-documented vulnerabilities means we have the opportunity to detect and stop these ransomware operations earlier in the attack sequence. Many of the TTPs they employ are common and should help to reveal the weeks or more of detectable activity on the network that occurs before the actual ransomware payload is delivered.

The ransomware payload is the very tail-end of a longer attack, so a multi-layer defense strategy that is designed to detect more than just the detonation of a ransomware binary is critical to detecting earlier and remediating against these attacks faster. is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more.