This is where our heads areas we investigate Cactus. When some of the first ransomware binaries came out, they reached their targets as zip files attached to mass emails. The target would open the email and then open the zip file, which would auto execute the ransomware and chaos and fun would ensue for the security and IT operations teams. Since then, ransomware has evolved although it still is found as part of mass or targeted emails. With Cactus, it looks like the developers may have gone back to the bad old days and added a twist, they use 7-Zip encryption to mask the payload.
The initial access is also a tad different as the group appears to be targeting vulnerabilities in Fortinet VPN appliances to gain initial access as opposed to a spray and prat method via email. Once initial access is gained a batch script runs that passed the decryption key to the payload. The original “zip” gets deleted, and the binary executes. Cactus even has runtime flags, or options that are passed to the binary during execution. The main install flags are -s, -r and -i. The -s switch is what runs the setup, -r reads the configuration, while -i executes the encryption.
According to researchers at Kroll setting up cactus stores data in the ntuser.dat file which is also read back using the -r flag as part of their persistence mechanism. They also say that the -i command for encryption requires the use of an AES key to decrypt the binary and the public encryption key to begin its job of encrypting your file system. It is a clever way to do things and unless you have one of the more modern EDR/MDR solutions (and it is configured properly), this type of obfuscation is very likely to get around your protection.
It is also good to note that while Cactus currently appears to be targeting Fortinet VPN appliances, it could easily be adopted to the traditional email method. The scripted command line could be rolled into a trickbot style attack or even as part of a poisoned website without too much trouble. Windows and other Microsoft products have way too many openings in them if left at default making execution of this fairly simple. Careful planning, proper configuration of windows security controls, the right EDR/MDR and well thought out network monitoring is the best defense against the rapidly evolving ransomware and general threat landscape. Sadly, too many companies are cutting back on information security as it is only seen as an expense and not the investment that it is. We have a feeling that 2023 and 2024 are going to be a banner year for ransomware and other cybercrime organizations.