
Cactus ransomware first appeared in early 2023 and quickly made a name for itself as a serious threat in the cybersecurity world. This group is particularly dangerous because it uses a double extortion technique: it encrypts a victim’s data and then threatens to publish it on the dark web if the ransom isn’t paid. While there’s still some uncertainty around where Cactus came from, researchers think it might be tied to a Malaysian hacktivist group with the same name.
The Cactus ransomware group has emerged as a highly sophisticated threat actor, utilizing an advanced multi-stage attack chain that combines social engineering, lateral movement, and custom backconnect C2 implants. Cactus ransomware maintains a leak site on the dark web where they threaten to publish stolen data if the ransom is not paid.

Fig 1: Screenshot of the leak site of Cactus Ransomware
Their evolving tactics, observed through recent detections by Red Piranha’s incident response teams, reveal a shift toward stealthier and more persistent techniques. Even though encryption was prevented in a recent case, the attackers demonstrated a complete kill chain approach, indicating their readiness for network traversal, privilege escalation, and full ransomware deployment.
What is the Kill Chain of Cactus Ransomware?
The Cactus ransomware has a different ransom note for every victim. One Cactus ransom note is shown below:

Fig 2: Screenshot of the Ransom Note of Cactus Ransomware
The Cactus ransomware kill chain progresses through several phases. Initial access is gained via phishing, Microsoft Teams impersonation, or Quick Assist remote sessions, which lure victims into executing malicious .bpx files disguised as OneDrive content.
After execution, attackers establish persistence by modifying the HKCU\SOFTWARE\TitanPlus registry key to store BackConnect C2 IPs and escalate privileges via DLL sideloading, deploying malicious libraries in trusted OneDrive directories to hijack OneDriveStandaloneUpdater.exe.
Defense evasion tactics include masquerading malicious files as OneDrive components and disabling security tools on ESXi hypervisors. With elevated access, they move laterally using WinRM/SMB, deploy encrypted BackConnect C2 channels, and exfiltrate data via WinSCP to domains like pumpkinrab.com.
The attack culminates in data encryption, though a recent incident saw encryption blocked; undeterred, the group delivered a ransom note via email under the "Cactus Group" moniker, showcasing their end-to-end capability to monetize intrusions despite disruptions.
What are the Tactics, Techniques, and Procedures (TTPs) of Cactus Ransomware?

Fig 3: Screenshot of the TTPs of Cactus Ransomware
Cactus ransomware follows a well-defined set of Tactics, Techniques, and Procedures (TTPs), demonstrating a high level of sophistication.
Initial Access
For initial access, the group employs phishing (T1566.003) and social engineering tactics, including email bombing and Microsoft Teams impersonation, to trick users into granting remote access. In some cases, they abuse trusted relationships (T1199) by leveraging legitimate collaboration tools to increase the success rate of their attacks.
Execution
During the execution phase (TA0002), Cactus relies on malicious file execution (T1204.002): victims unknowingly download .bpx archive files containing harmful payloads, which are then extracted and launched with Windows command shell scripts (T1059.003). To maintain persistence (TA0003), the operators add a TitanPlus registry key (T1547.001), ensuring that the malware remains active even after system reboots.
Privilege Escalation
The Cactus ransomware escalates privileges (TA0004) via DLL sideloading (T1574.001): malicious libraries such as wscapi.dll and libssl-3-x64.dll are loaded by the legitimate OneDriveStandaloneUpdater.exe, bypassing security controls. For defense evasion (TA0005), payloads are masqueraded (T1036.005) as legitimate OneDrive files, and ESXi server firewalls are disabled (T1562.004) so that unauthorized binaries can run.
Lateral Movement and Command and Control
During lateral movement (TA0008), the group uses SMB (T1021.002) and WinRM (T1021.006) to traverse the network and execute commands remotely. It then maintains encrypted command-and-control (TA0011) communication through custom BackConnect implants (T1071.001, T1571) and uses WinSCP (T1105) to exfiltrate data to external infrastructure (e.g., pumpkinrab.com), ensuring persistent control and enabling data theft.
Impact and Ransomware Deployment
The final impact phase (TA0040) revolves around data encryption (T1486), where ransomware is deployed to encrypt files and render them inaccessible. While encryption was thwarted in a recent case, the attackers still delivered ransom notes via email, proving their capability and intent to execute full ransomware operations. The sophistication of Cactus ransomware's TTPs highlights their ability to evade defenses and persist within environments for extended periods before launching disruptive attacks.
What are the Indicators of Compromise (IOCs) of Cactus Ransomware?
Several Indicators of Compromise (IOCs) are available for detecting and mitigating Cactus ransomware activity. The group uses malicious downloads such as kb153056-01.bpx and kb153064-02.bpx, which extract payloads masquerading as legitimate OneDrive files (OneDriveStandaloneUpdater.exe, wscapi.dll, libssl-3-x64.dll, vcruntime140.dll, and libcrypto-3-x64.dll).
These files are placed in C:\Users\<user>\AppData\Local\Microsoft\OneDrive\, making them hard to detect. The malware also establishes persistence through registry modifications, specifically adding HKCU\SOFTWARE\TitanPlus to store BackConnect C2 IP addresses. Monitoring this registry path can serve as an early warning. Cactus maintains command-and-control (C2) communication via known malicious IPs, including the following, all of which should be blocked:
- 45.8.157.199
- 5.181.3.164
- 38.180.25.3
- 185.190.251.16
- 207.90.238.52
- 89.185.80.86
The domain pumpkinrab.com (208.115.200.146) is also used for C2 and data exfiltration, requiring monitoring and restriction.

Fig 4: Screenshot of the Domain used for Data Exfiltration
Beyond traditional C2 infrastructure, Cactus operators use dark web channels for communication and ransom negotiations.
They employ Tox chat (7367B422CD7498D5F2AAF33F58F67A332F8520CF0279A5FBB4611E0121AE421AE1D49ACEABB2) and Tor-based sites such as sonarmsng5vzwqezlvtu2iiwwdn3dxkhotftikhowpfjuzg7p3ca5eid.onion/contact/Cactus_Support, as well as file servers such as vhfd5qagh6j7qbisjqvly7eejqbv6z5bv77v6yuhctn77wmd3hjkyvad.onion. These dark web communication channels indicate ongoing ransomware operations, and blocking Tor traffic at the network level can help mitigate unauthorized access and ransom interactions.
How does Red Piranha Detect and Prevent attacks of Cactus Ransomware?
Red Piranha’s Crystal Eye Threat Detection, Investigation, and Response (TDIR) solution is uniquely equipped to detect and prevent Cactus ransomware’s Tactics, Techniques, and Procedures (TTPs) through a combination of advanced monitoring, integrated threat intelligence, and proactive defence strategies. Below is an analysis of how Crystal Eye’s capabilities can detect and prevent Cactus ransomware’s attack stages and techniques:
Red Piranha leverages its advanced threat detection and response capabilities to identify, mitigate, and prevent Cactus ransomware attacks across all phases of the kill chain. Since Cactus ransomware begins with phishing and social engineering techniques, Red Piranha provides instant, 10x increased visibility across the entire network to detect anomalous email patterns, mass phishing attempts, and social engineering tactics, including Microsoft Teams impersonation.
The platform’s integrated Cyber Threat Intelligence (CTI) continuously monitors emerging phishing domains and C2 infrastructure, allowing organizations to block threats before they compromise endpoints. Additionally, Red Piranha’s inline deployment ensures seamless protection without infrastructure changes, reducing engineering overhead while improving detection efficiency.
Once attackers attempt execution by tricking users into downloading and running malicious .bpx files, Red Piranha detects these threats through 24/7 security monitoring and behavioral analytics. The platform’s proactive threat hunting capability analyzes file activity and command-line execution patterns to flag suspicious behavior associated with .bpx payload execution.
If an attacker establishes persistence through registry modifications, such as creating HKCU\SOFTWARE\TitanPlus, Red Piranha’s automated endpoint monitoring detects these unauthorized changes in real time. Privilege escalation through DLL sideloading is mitigated by integrated vulnerability management, which prevents the execution of unsigned DLLs in OneDrive directories.
To counter lateral movement via SMB and WinRM, Red Piranha enforces east-west traffic control and network segmentation, making it difficult for Cactus ransomware to spread across the infrastructure. Encrypted metadata analysis helps detect unauthorized remote execution and privilege abuse. Crystal Eye’s multi-layered defence approach combines Network Detection and Response (NDR), machine learning-driven anomaly detection, and Zero Trust architecture to counter Cactus ransomware’s tactics effectively.
Red Piranha’s integrated PCAP analysis further reduces attacker dwell time by capturing network packets, allowing analysts to trace WinRM-based lateral movement attempts before significant damage occurs. When the ransomware enters the command-and-control (C2) phase, Red Piranha immediately blocks communication with BackConnect implants and known malicious domains like pumpkinrab.com.
The platform’s automated threat intelligence feeds continuously update malicious IP and domain lists, ensuring that identified Cactus C2 IPs, including 45.8.157.199 and 5.181.3.164, are proactively blocked at the firewall level. Deep packet inspection (DPI) and encrypted traffic analysis also help detect WinSCP exfiltration attempts, preventing data theft.
During the impact phase, if Cactus ransomware attempts file encryption (T1486), Red Piranha’s SOAR (Security Orchestration, Automation, and Response) capabilities deploy real-time containment measures, such as automated isolation of infected systems and immediate escalation to its Security Operations Center (SOC).
Additionally, 18+ months of data retention facilitates forensic investigations, allowing teams to trace initial infection vectors and attacker movement within the network. Red Piranha’s on-demand human-machine teaming speeds up incident response, ensuring that organizations can mitigate ransomware deployment before files are encrypted.
By combining threat intelligence, automated response, proactive monitoring, and digital forensics, Red Piranha effectively prevents Cactus ransomware attacks and minimizes the risk of operational disruption.
Does detecting malicious activity pose a significant challenge for your organisation?
Crystal Eye, best-in-class Threat Detection, Investigation and Response (TDIR), allows you to catch what the other products in its class missed by detecting all known malware and C2 callouts.
Improve your organisation's security posture and minimise risk to your organisation with our Network Detection and Response program alongside the Managed Detection and Response (MDR) service.