Cactus Ransomware Group: A Growing Cyber Threat to Global Industries

The Cactus ransomware group, a rapidly advancing cybercriminal operation, has escalated its attacks with an expanded campaign targeting major global players. In recent developments, the group has breached two high-profile victims: KYB Americas, a U.S.-based automotive parts manufacturer, and ASSA ABLOY, a Swedish security solutions giant. The attackers claim to have stolen vast amounts of sensitive data, threatening to leak it unless hefty ransoms are paid. These cyberattacks are not only growing in scale but also showcase a worrying trend of sophistication and organization, with ties to other ransomware syndicates such as Black Basta.

Cactus Ransomware: The Growing Menace

Cactus ransomware has been making waves due to its aggressive double extortion methods, which include both encrypting files and threatening to leak the stolen data unless a ransom is paid. The group’s recent attacks on KYB Americas and ASSA ABLOY highlight their expanding global footprint. The stolen data amounts to 1.8 TB from KYB and 229 GB from ASSA ABLOY, signaling the scale of their operations.

The

Once the attackers have access, they proceed with encryption. Cactus ransomware uses AES-256 encryption along with RSA-4096 keys, appending file extensions such as .cts1 or .cts7. To avoid detection, the group uses sophisticated techniques to disable antivirus software and encrypts its payload, making it harder to trace. After encryption, the attackers exfiltrate data using tools like Rclone, which helps in transferring large volumes of sensitive data before it is encrypted.
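The two observable traces described above, a burst of renames to the .cts1/.cts7 extensions and a Rclone process moving data out, are the sort of thing a detection engineer can hunt for in endpoint telemetry. The following is an added example written for this article, not code from the article or from any vendor: the indicators come from the text, while the key=value event format, host names, file names, the assumption that the extension generalises to any ".cts<digits>", the Rclone executable basenames and the burst threshold are all constructed or assumed.

```python
"""Hunt for Cactus-style encryption bursts and bulk-exfiltration tooling in endpoint events.

Added example (not from the article). Indicators (.cts1/.cts7 renames, Rclone) come
from the text; log format, hosts, file names, basenames and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The article names .cts1 and .cts7; treating any ".cts<digits>" as suspicious is an assumption.
CACTUS_EXT_RE = re.compile(r"\.cts\d+$", re.IGNORECASE)
# Rclone is the exfiltration tool named in the article; the basenames are assumed (it may be renamed).
EXFIL_TOOLS = {"rclone", "rclone.exe"}
# Parses key=value fields; quoted values may contain spaces (command lines).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    r"ts=2024-03-01T02:14:01 host=fs01 type=rename user=svc_backup old=Q1_report.xlsx new=Q1_report.xlsx.cts1",
    r"ts=2024-03-01T02:14:02 host=fs01 type=rename user=svc_backup old=payroll.csv new=payroll.csv.cts1",
    r"ts=2024-03-01T02:14:02 host=fs01 type=rename user=svc_backup old=contracts.docx new=contracts.docx.cts1",
    r"ts=2024-03-01T02:14:03 host=fs01 type=rename user=svc_backup old=designs.dwg new=designs.dwg.cts1",
    r"ts=2024-03-01T02:14:04 host=fs01 type=rename user=svc_backup old=db.bak new=db.bak.cts1",
    r"ts=2024-03-01T02:14:05 host=fs01 type=rename user=svc_backup old=notes.txt new=notes.txt.cts1",
    r'ts=2024-03-01T01:02:10 host=fs01 type=process user=svc_backup image=C:\Users\Public\rclone.exe cmdline="rclone copy D:\Finance remote:dump --transfers 32"',
    r'ts=2024-03-01T09:10:00 host=ws02 type=process user=alice image=C:\Windows\notepad.exe cmdline="notepad.exe todo.txt"',
    r"ts=2024-03-01T09:11:00 host=ws02 type=rename user=alice old=todo.txt new=todo.bak",
    r"ts=2024-03-01T10:00:00 host=ws07 type=rename user=bob old=photo.jpg new=photo.jpg.cts7",
]


def parse_event(line):
    """Turn one key=value line into a dict with a datetime timestamp."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields


def find_encryption_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag hosts with at least `threshold` renames to a .cts<N> extension inside `window`.

    A sliding window over sorted timestamps catches the rename storm that mass encryption
    produces while ignoring a single stray rename (ws07 below stays quiet).
    """
    renames = defaultdict(list)
    for ev in map(parse_event, lines):
        if ev.get("type") == "rename" and CACTUS_EXT_RE.search(ev.get("new", "")):
            renames[ev["host"]].append(ev["ts"])
    findings = []
    for host, stamps in renames.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                findings.append({"host": host, "first_seen": stamps[start].isoformat(), "count": len(stamps)})
                break
    return findings


def find_exfil_tools(lines):
    """Flag process starts whose image basename is a known bulk-transfer tool."""
    findings = []
    for ev in map(parse_event, lines):
        if ev.get("type") != "process":
            continue
        basename = ev.get("image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
        if basename in EXFIL_TOOLS:
            findings.append({"host": ev["host"], "user": ev.get("user"), "cmdline": ev.get("cmdline", "")})
    return findings


if __name__ == "__main__":
    for finding in find_encryption_bursts(SAMPLE_EVENTS) + find_exfil_tools(SAMPLE_EVENTS):
        print(finding)
```

Note that the Rclone start on fs01 is timestamped an hour before the rename burst, which matches the order the article describes: data is staged out first, then encrypted. Correlating the two findings on the same host is what turns two medium-confidence signals into a high-confidence one.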

What Undercode Says: A Closer Look at Cactus Ransomware’s Tactics

Cactus ransomware shares many tactics with other prominent ransomware groups, including Black Basta, which is known for its multi-million dollar ransom demands. By linking up with Black Basta’s infrastructure, Cactus has significantly increased its operational capacity. The shared use of BackConnect malware enables both groups to maintain persistent access to compromised networks, facilitating the theft of credentials and lateral movement within the network. Social engineering tactics, such as flooding email inboxes and posing as IT support, are also commonly used to lure victims into granting remote access.

The overlapping tactics and tools between Cactus and Black Basta—such as their shared use of WinSCP for file transfer and OneDriveStandaloneUpdater.exe for deploying malicious payloads—suggest that these groups are well-coordinated. This makes the Cactus ransomware group a particularly dangerous adversary, as their methods are both versatile and effective across various attack vectors.

Interestingly, the rise of Cactus ransomware is directly tied to Black Basta’s success in extorting $107 million in 2023. As affiliates from Black Basta migrate to Cactus, there is an increasing sophistication in the attacks, with more advanced techniques being deployed. The ability of these ransomware groups to continuously adapt and evolve, leveraging each other’s infrastructure, indicates a dangerous trend of collaboration in the world of cybercrime.

From a defensive standpoint, organizations must prioritize patching vulnerabilities in VPN appliances, especially those in Fortinet and Ivanti products. Multi-factor authentication (MFA) should be enforced to limit the impact of credential theft. Monitoring and restricting the use of RMM tools, such as AnyDesk or Splashtop, is essential, as is blocking known malicious IPs used by the attackers for command and control (C2) activities.
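The controls listed above (MFA on VPN access, restricting RMM tools, blocking known C2 addresses) are easier to enforce when they are also checked continuously. The script below is an added example, not code from the article or from any named vendor: it audits a constructed JSON-lines event feed for unapproved AnyDesk/Splashtop executions, connections to a block-list, and VPN logins that succeeded without MFA, then groups the findings per user so a chain of the three stands out. The event schema, the allow-list, the executable name matching and the block-list addresses (RFC 5737 documentation ranges, not real indicators) are all assumptions.

```python
"""Audit events for the controls the article recommends: RMM restriction, C2 blocking, MFA.

Added example (not from the article). Tool names come from the text; the JSON event
schema, allow-list, matching rules and block-list addresses are constructed/assumed.
"""
import ipaddress
import json
from collections import defaultdict

# RMM tools named in the article; matching on these substrings in the image path is an assumption.
RMM_KEYWORDS = ("anydesk", "splashtop")
# Constructed allow-list: the only host where helpdesk staff may run RMM tools.
APPROVED_RMM_HOSTS = {"helpdesk01"}
# Placeholder block-list using RFC 5737 documentation addresses, not real C2 indicators.
C2_BLOCKLIST = {ipaddress.ip_address("203.0.113.10"), ipaddress.ip_address("198.51.100.7")}

# Constructed JSON-lines sample feed (endpoint process/network events plus VPN auth events).
SAMPLE_LOG = [
    r'{"ts":"2024-03-02T07:50:00","type":"vpn_login","user":"dave","src_ip":"192.0.2.9","mfa":true,"result":"success"}',
    r'{"ts":"2024-03-02T07:55:00","type":"vpn_login","user":"carol","src_ip":"198.51.100.7","mfa":false,"result":"success"}',
    r'{"ts":"2024-03-02T08:00:00","host":"helpdesk01","type":"process","user":"it_tech","image":"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe"}',
    r'{"ts":"2024-03-02T08:05:00","host":"ws11","type":"process","user":"carol","image":"C:\\Users\\carol\\Downloads\\AnyDesk.exe"}',
    r'{"ts":"2024-03-02T08:06:00","host":"ws11","type":"network","user":"carol","dst_ip":"203.0.113.10","dst_port":443}',
    r'{"ts":"2024-03-02T08:07:00","host":"ws11","type":"network","user":"carol","dst_ip":"192.0.2.50","dst_port":443}',
]


def load_events(lines):
    """Decode one JSON object per line."""
    return [json.loads(line) for line in lines]


def unapproved_rmm(events):
    """RMM tool executions on hosts outside the allow-list, as (host, user, image)."""
    hits = []
    for ev in events:
        if ev.get("type") != "process":
            continue
        image = ev.get("image", "")
        if any(k in image.lower() for k in RMM_KEYWORDS) and ev.get("host") not in APPROVED_RMM_HOSTS:
            hits.append((ev["host"], ev["user"], image))
    return hits


def blocklisted_connections(events):
    """Outbound connections or VPN logins touching a block-listed address, as (host, user, ip)."""
    hits = []
    for ev in events:
        if ev.get("type") not in ("network", "vpn_login"):
            continue
        ip = ev.get("dst_ip") or ev.get("src_ip")
        if ip and ipaddress.ip_address(ip) in C2_BLOCKLIST:
            hits.append((ev.get("host", "vpn"), ev["user"], ip))
    return hits


def vpn_logins_without_mfa(events):
    """Successful VPN logins that did not complete MFA, as (user, src_ip)."""
    return [(ev["user"], ev["src_ip"]) for ev in events
            if ev.get("type") == "vpn_login" and ev.get("result") == "success" and not ev.get("mfa")]


def triage(events):
    """Group all findings by user so a no-MFA login, an unapproved RMM start and
    block-listed traffic from the same account are seen together."""
    by_user = defaultdict(list)
    for host, user, image in unapproved_rmm(events):
        by_user[user].append(f"unapproved RMM on {host}: {image}")
    for host, user, ip in blocklisted_connections(events):
        by_user[user].append(f"block-listed address {ip} via {host}")
    for user, ip in vpn_logins_without_mfa(events):
        by_user[user].append(f"VPN login without MFA from {ip}")
    return dict(by_user)


if __name__ == "__main__":
    for user, findings in triage(load_events(SAMPLE_LOG)).items():
        print(user)
        for line in findings:
            print("  -", line)
```

The per-user grouping is the point of the `triage` step: each check on its own produces noise that a busy SOC will tune out, whereas an account that logged in to the VPN without MFA, ran a freshly downloaded RMM tool, and then contacted a block-listed address within a few minutes is a sequence worth an immediate response, and it also shows which of the three recommended controls would have broken the chain earliest.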

The global reach of Cactus ransomware is growing, with over 100 targeted organizations since 2023, including well-known entities like Schneider Electric and the Los Angeles Housing Authority. As the group continues to adopt Black Basta’s infrastructure, its ability to cause widespread disruption only increases, posing a serious threat to industries around the world.

Fact Checker Results

  1. Cactus and Black Basta’s Link: Trend Micro and Sophos have confirmed that Cactus shares tactics with Black Basta, including the use of similar malware and social engineering strategies.
  2. Data Exfiltration Methods: Rclone is identified as a key tool used by Cactus for exfiltrating data before encryption, aligning with the group’s double extortion strategy.
  3. Mitigation Strategies: Experts emphasize patching vulnerabilities and using MFA to defend against Cactus ransomware, reducing the effectiveness of its attacks.

References:

Reported By: https://cyberpress.org/cactus-ransomware-two-victims/