DecryptedTech DecryptedTech DecryptedTech DecryptedTech
Monday, 08 May 2023 12:54

New Cactus Ransomware Uses Encrypted 7-Zip to Get Around Detection

Written by
New Cactus Ransomware Uses Encrypted 7-Zip to Get Around Detection

Reading time is around minutes.

Ransomware is a pain in the ass, no matter what type it is. You have a piece of code that comes in, encrypts all your files, steals them and then you must deal with paying a ransom of some sort to either get your files back or prevent potential disclosure of sensitive information. It is not exactly what you want to deal with on a given day. So, when a new method of deploying ransomware pops up you can excuse our thinking “oh what fresh hell is this”.

This is where our heads areas we investigate Cactus. When some of the first ransomware binaries came out, they reached their targets as zip files attached to mass emails. The target would open the email and then open the zip file, which would auto execute the ransomware and chaos and fun would ensue for the security and IT operations teams. Since then, ransomware has evolved although it still is found as part of mass or targeted emails. With Cactus, it looks like the developers may have gone back to the bad old days and added a twist, they use 7-Zip encryption to mask the payload.

The initial access is also a tad different as the group appears to be targeting vulnerabilities in Fortinet VPN appliances to gain initial access as opposed to a spray and prat method via email. Once initial access is gained a batch script runs that passed the decryption key to the payload. The original “zip” gets deleted, and the binary executes. Cactus even has runtime flags, or options that are passed to the binary during execution. The main install flags are -s, -r and -i. The -s switch is what runs the setup, -r reads the configuration, while -i executes the encryption.

According to researchers at Kroll setting up cactus stores data in the ntuser.dat file which is also read back using the -r flag as part of their persistence mechanism. They also say that the -i command for encryption requires the use of an AES key to decrypt the binary and the public encryption key to begin its job of encrypting your file system. It is a clever way to do things and unless you have one of the more modern EDR/MDR solutions (and it is configured properly), this type of obfuscation is very likely to get around your protection.

It is also good to note that while Cactus currently appears to be targeting Fortinet VPN appliances, it could easily be adopted to the traditional email method. The scripted command line could be rolled into a trickbot style attack or even as part of a poisoned website without too much trouble. Windows and other Microsoft products have way too many openings in them if left at default making execution of this fairly simple. Careful planning, proper configuration of windows security controls, the right EDR/MDR and well thought out network monitoring is the best defense against the rapidly evolving ransomware and general threat landscape. Sadly, too many companies are cutting back on information security as it is only seen as an expense and not the investment that it is. We have a feeling that 2023 and 2024 are going to be a banner year for ransomware and other cybercrime organizations.

Read 1342 times
Published in News
Tagged under
Sean Kalinich

Latest from Sean Kalinich

Related items

More in this category: « Try2Check Dismantled by Authorities, $10M Reward Posted for its Creator PC Component Maker MSI has Private Code Signing Keys Leaked **Updated** »

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.

back to top

Follow Us

  • Follow Us

    Follow DecryptedTech on Social Media

    facebook twitter linkedin