Heloise Montini
Heloise Montini is a content writer whose background in journalism make her an asset when researching and writing tech content. Also, her personal aspirations in creative writing and PC gaming make her articles on data storage and data recovery accessible for a wide audience.
Laura Pompeu
With 10 years of experience in journalism, SEO & digital marketing, Laura Pompeu uses her skills and experience to manage (and sometimes write) content focused on technology and business strategies.
Bogdan Glushko
CEO at SalvageData Recovery, Bogdan Glushko has over 18 years of experience in high-security data recovery. Over the years, he's been able to help restore data after logical errors, physical failures, or even ransomware attacks, for individuals, businesses, and government agencies alike.
I think there's an issue with my storage device, but I'm not sure Start a free evaluation →
I need help getting my data back right now Call now (800) 972-3282
Cactus ransomware is a newly identified strain of ransomware that has been targeting large commercial organizations. It has gained attention for its ability to evade antivirus detection and exploit known vulnerabilities in VPN appliances for initial network access. It also utilizes various techniques to infect victims’ systems, including the use of tools like Chisel, Rclone, TotalExec, Scheduled Tasks, and more.
SalvageData experts recommend proactive data security measures, such as regular backups, strong cybersecurity practices, and keeping software up to date, to protect against ransomware attacks. And, in case of a ransomware attack, contact our ransomware recovery experts immediately.
What kind of malware is Cactus?
Cactus is a type of malware that has been identified as a strain of ransomware. It encrypts the victim’s data and demands a ransom for decryption.
The Cactus cybercriminal group behind the ransomware targets VPN appliances as a means of initial access and installs a backdoor for persistence. The malware has been characterized as difficult and tricky due to its abuse of remote management tools.
Once inside a network, it employs various techniques and tools to infect victims and encrypt their files. The ransomware adds the “.CTS1” extension to encrypted filenames and leaves a ransom note named “cAcTuS.readme.txt” with instructions on how to make the ransom payment.
Everything we know about Cactus Ransomware
Confirmed Name
- Cactus virus
Threat Type
- Ransomware
- Crypto Virus
- Files locker
- Double extortion
Encrypted Files Extension
It can have variations depending on the encryption method
- .CTS1
- .CTS6
Ransom Demanding Message
- cAcTuS.readme.txt
Is There a Free Decryptor Available?
No, there’s no public decryptor for Cactus ransomware.
Detection Names
- Avast Win64:Trojan-gen
- Emsisoft Generic.Ransom.Cactus.A.6A6CBCEA (B)
- Kaspersky Trojan-Ransom.Win32.Cactus.d
- Sophos Mal/Generic-S
- Microsoft Ransom:Win32/Cactus.LKV!MTB
Distribution methods
- Vulnerabilities in VPN appliances
- Infected email attachments
- Torrent websites
- Malicious ads
Consequences
- Files are encrypted and locked until the ransom payment
- Data leak
- Double extortion
What is in the Cactus ransom note
The Cactus ransom note, named “cAcTuS.readme.txt,” contains details on how the victim can negotiate with the attackers over TOX chat, an encrypted messaging platform. The note typically provides instructions and demands for the ransom payment in exchange for the decryption key to recover the encrypted files.
If you realize you’re a ransomware victim, contacting SalvageData ransomware removal experts provides you with a secure data recovery service and ransomware removal after an attack.
How does Cactus ransomware infect a system
Cactus ransomware is known to exploit vulnerabilities in VPN appliances as an initial access point to networks. By leveraging these vulnerabilities, Cactus gains entry into the target system. Once inside, it employs various techniques to infect the machine and encrypt files. The ransomware goes through the usual steps of spreading through the network, stealing data, and encrypting files along the way. It uses unique encryption techniques to avoid detection by antivirus software, making it particularly challenging to combat.
Vulnerabilities in VPN appliances
VPN (Virtual Private Network) appliances are used to establish secure connections between remote users and networks. However, vulnerabilities in these appliances can be exploited by threat actors to gain unauthorized access to systems.
These vulnerabilities could include software bugs, misconfigurations, or weak encryption protocols.
When attackers exploit these vulnerabilities, they can bypass security measures and gain entry into the network, potentially compromising sensitive data or launching further attacks.
Infected email attachments
Attackers typically send emails with malicious attachments, such as Word documents, PDFs, or ZIP files. These attachments may contain hidden macros or executable files that, when opened, install malware on the victim’s machine.
Social engineering techniques are often employed to trick users into opening attachments, such as disguising emails as invoices, job offers, or urgent messages.
Torrent websites
Torrent websites are used to share files through peer-to-peer networks. However, these sites can also be a breeding ground for malware distribution.
Cybercriminals may upload infected files disguised as popular movies, software, or games to lure users into downloading them. Once downloaded and executed, these files can install malware, including ransomware or trojans, on the victim’s system.
Malicious ads
Malicious advertisements, often referred to as malvertising, are online ads that contain malicious code.
These ads can appear on legitimate websites, including news sites or social media platforms. When users click on these ads or even visit web pages hosting them, the malicious code can exploit vulnerabilities in web browsers or plugins to deliver malware to the user’s device.
Malicious ads can lead to various types of infections, ranging from adware and spyware to ransomware and banking trojans.
How does Cactus ransomware work
Cactus ransomware employs various techniques to infect systems and encrypt files. Here is a breakdown of how Cactus ransomware works, from infection to encryption:
1. Initial Access
Cactus ransomware leverages known vulnerabilities in VPN (Virtual Private Network) appliances to gain unauthorized access to networks. Through these vulnerabilities, the ransomware finds its way into the target system.
2. Exploitation
Once inside the network, Cactus ransomware spreads laterally, moving from one device to another. It takes advantage of weaknesses in network security, weak passwords, or unpatched software to gain control over multiple machines.
3. Execution
Cactus employs tools like Chisel, Rclone, TotalExec, and Scheduled Tasks to carry out its malicious activities.
These tools help the ransomware establish persistence on infected systems and ensure that it can continue its operations even after a system reboot.
4. Data Theft
Before encrypting files, Cactus ransomware exfiltrates sensitive data from the compromised systems. This stolen data is used as leverage to further extort victims or sell them on underground forums.
5. Encryption
Cactus ransomware uses unique encryption techniques to encrypt the victim’s files. Experts did not discover by the time of this article’s publication the specific encryption algorithm and method employed by Cactus.
However, it is important to note that Cactus ransomware encrypts itself, making it harder to detect by antivirus and network monitoring tools. By encrypting its own code, Cactus ransomware enhances its ability to evade detection.
6. Ransom Note
After the encryption process is complete, Cactus ransomware leaves a ransom note behind, named “cAcTuS.readme.txt.” The note contains instructions on how victims can negotiate with the attackers to obtain the decryption key.
Do not pay the ransom! Contacting a ransomware removal service can not only restore your files but also remove any potential threat.
How to handle a Cactus ransomware attack
The first step to recovering from a Cactus attack is to isolate the infected computer by disconnecting from the internet and removing any connected device. Then, you must contact local authorities. In the case of US residents and businesses, it is the local FBI field office and the Internet Crime Complaint Centre (IC3).
To report a ransomware attack you must gather every information you can about it, including:
- Screenshots of the ransom note
- Communications with threat actors (if you have them)
- A sample of an encrypted file
However, if you prefer to contact professionals, then do nothing. Leave every infected machine the way it is and ask for an emergency ransomware removal service. Restarting or shutting down the system may compromise the recovery service. Capturing the RAM of a live system may help get the encryption key, and catching a dropper file, i.e. file executing the malicious payload, might be reverse-engineered and lead to decryption of the data or understanding how it operates.
You must not delete the ransomware, and keep every evidence of the attack. That’s important for digital forensics so experts can trace back to the hacker group and identify them. It is by using the data on your infected system that authorities can investigate the attack and find the responsible. A cyber attack investigation is not different from any other criminal investigation: it needs evidence to find the attackers.
1. Contact your Incident Response provider
A Cyber Incident Response is the process of responding to and managing a cybersecurity incident. An Incident Response Retainer is a service agreement with a cybersecurity provider that allows organizations to get external help with cybersecurity incidents. It provides organizations with a structured form of expertise and support through a security partner, enabling them to respond quickly and effectively during a cyber incident.
An incident response retainer offers peace of mind to organizations, offering expert support before and in the aftermath of a cybersecurity incident. An incident response retainer’s specific nature and structure will vary according to the provider and the organization’s requirements. A good incident response retainer should be robust but flexible, providing proven services to enhance an organization’s long-term security posture.
If you contact your IR service provider, they can take over immediately and guide you through every step in the ransomware recovery. However, if you decide to remove the ransomware yourself and recover the files with your IT team, then you can follow the next steps.
2. Identify the ransomware infection
You can identify which ransomware infected your machine by the file extension (some ransomware uses the file extension as their name), using a ransomware ID tool, or it will be on the ransom note. With this information, you can look for a public decryption key.
You can also check the ransomware type by its IOCs. Indicators of Compromise (IOCs) are digital clues that cybersecurity professionals use to identify system compromises and malicious activities within a network or IT environment. They are essentially digital versions of evidence left at a crime scene, and potential IOCs include unusual network traffic, privileged user logins from foreign countries, strange DNS requests, system file changes, and more. When an IOC is detected, security teams evaluate possible threats or validate its authenticity. IOCs also provide evidence of what an attacker had access to if they did infiltrate the network.
3. Remove the ransomware and eliminate exploit kits
Before recovering your data, you must guarantee that your device is ransomware-free and that the attackers can’t make a new attack through exploit kits or other vulnerabilities. A ransomware removal service can delete the ransomware, create a forensics document for investigation, eliminate vulnerabilities, and recover your data.
4. Use a backup to restore the data
Backups are the most efficient way to recover data. Make sure to keep daily or weekly backups, depending on your data usage.
5. Contact a ransomware recovery service
If you don’t have a backup or need help removing the ransomware and eliminating vulnerabilities, contact a data recovery service. Paying the ransom does not guarantee your data will be returned to you. The only guaranteed way you can restore every file is if you have a backup of it. If you don’t, ransomware data recovery services can help you decrypt and recover the files.
SalvageData experts can safely restore your files and prevent Cactus ransomware from attacking your network again. Contact our experts 24/7 for ransomware recovery services.
Prevent the Cactus ransomware attack
Preventing ransomware is the best solution for data security. is easier and cheaper than recovering from them. Cactus ransomware can cost your business’s future and even close its doors.
These are a few tips to ensure you can avoid ransomware attacks:
- Antivirus and anti-malware
- Use cybersecurity solutions
- Use strong passwords
- Updated software
- Updated operating system (OS)
- Firewalls
- Have a recovery plan in hand (See how to create a data recovery plan with our in-depth guide)
- Schedule regular backups
- Don’t open an email attachment from an unknown source
- Do not download files from suspicious websites
- Don’t click on ads unless you’re sure it’s safe
- Only access websites from trustworthy sources
