Cactus Ransomware Detection: Attackers Launch Targeted Attacks to Spread Ransomware Strains

Heads up! Recent Cactus ransomware attacks are getting into the spotlight. Hackers exploit critical Qlik Sense vulnerabilities to further deliver Cactus ransomware. In other ransomware campaigns, they leverage malvertising lures to spread DanaBot malware for initial access to compromised systems. 

Detecting Cactus Ransomware Infections

Ransomware operators are constantly seeking new ways to proceed with payload deployment, increase the number of victims, and receive bigger financial benefits. To stay ahead of adversaries, cybersecurity professionals require a reliable source of detection content to identify possible intrusions at the earliest stages of development and defend proactively.

To assist cyber defenders in Cactus ransomware attack detection, SOC Prime Platform for collective cyber defense aggregates a set of curated detection content. 

Possible Cactus Ransomware Campaign by Using msiexec to Uninstall Sophos through GUID (via process_creation)

This rule by our keen Threat Bounty developer Nattatorn Chuensangarun detects suspicious Cactus Ransomware campaign activity by using the msiexec command to uninstall Sophos through GUID. The detection is compatible with 24 SIEM, EDR, XDR, and Data Lake solutions and mapped to MITRE ATT&CK framework addressing Defense Evasion tactics and System Binary Proxy Execution (T1218) as the main technique.

Qlink Scheduler Spawning Suspicious Process (via process_creation)

This detection rule by the SOC Prime Team identifies suspicious Qlink scheduler process spawning, which may indicate successful vulnerability exploitation. The rule is accompanied by translation into 24 native SIEM, EDR, XDR, and Data Lake formats and mapped to MITRE ATT&CK addressing Initial Access tactics, with Exploit Public-Facing Application (T1190) as a main technique.

To dive deeper into the rule stack aimed at Cactus ransomware attack detection, hit Explore Detections below. All the algorithms are enriched with extensive metadata, including ATT&CK references, CTI links, attack timelines, triage recommendations, and other relevant details for streamlined threat investigation.

Explore Detections

Additionally, security professionals might explore a set of detection rules aimed at DanaBot detection to boost threat hunting activities related to the ongoing Cactus ransomware operation leveraging malvertising to drop DanaBot and achieve initial access to the system of interest.

Cactus Ransomware Analysis: Latest Attacks Using Qlik Sense Flaws & DanaBot As Entry Points

Arctic Wolf Labs Team has recently detected a new Cactus ransomware campaign targeting publicly accessible installations of the Qlik Sense platform. Ransomware operators exploit three critical Qlik Sense vulnerabilities they use as an initial access vector to spread the infection further. Two security bugs in Qlik Sense Enterprise for Windows tracked as CVE-2023-41266 and CVE-2023-41265 can be chained to perform a targeted attack. The successful exploit chain enables malicious actors to compromise the server hosting the Qlik Sense software, including the possibility of unauthorized RCE. To remediate the threat, Qlik Community has issued a security advisory with the vulnerability details and mitigation recommendations.

After the patch release for the above-mentioned security flaws, Qlik stated that the fix for CVE-2023-41265 was not enough leading to the disclosure of another critical vulnerability identified as CVE-2023-48365. The flaw occurs due to inadequate validation of HTTP headers allowing remote attackers to escalate their privileges by tunneling HTTP requests and further executing them on the backend server that hosts the repository application. Qlik Community has published a separate security advisory covering the issue. Qlik Sense customers are strongly recommended to immediately upgrade potentially compromised devices to a patched software version. 

In these Cactus ransomware attacks, hackers weaponize the above-referenced security holes to execute code, triggering the initiation of new processes by the Qlik Sense Scheduler service. Attackers apply PowerShell and the Background Intelligent Transfer Service (BITS) to download a specific toolkit for gaining persistence and remote access. Adversaries also resort to uninstalling Sophos software, altering the admin account credentials and establishing an RDP tunnel through Plink.

Hard on the heels of attacks abusing Qlik Sense flaws, Microsoft has detected DanaBot infections leading to hands-on-keyboard activity by ransomware operators known as Storm-0216 aka UNC2198, followed by the deployment of Cactus ransomware. In this ongoing offensive operation, DanaBot malware is distributed via malvertising lures.

DanaBot, also tracked as Storm-1044, is similar to Emotet, TrickBot, QakBot, and IcedID capable of acting as both an infostealer and a potential entry point for subsequent malicious strains. 

The ongoing DanaBot campaign, which has been in the limelight since November 2023, seems to employ a customized version of the information-stealing malware rather than leveraging the malware-as-a-service model. The stolen credentials are sent to a remote server, leading to lateral movement through RDP sign-in attempts and further providing access to ransomware operators. 

The current surge in Cactus ransomware attacks fuels the need for enhancing cyber defense capabilities while empowering enterprises to boost their cybersecurity posture and prevent network breaches. By gaining access to the Threat Detection Marketplace, progressive organizations can explore the latest detection algorithms for ransomware attacks of any scale and sophistication, as well as explore relevant TTPs for faster attack attribution.