CACTUS

Cactus is a ransomware family/group active worldwide since at least March 2023 and linked to double-extortion operations. Reporting in the provided content describes Cactus as an emerging ransomware operation that has targeted organizations globally, including Dutch victims identified through Project Melissa, and has been associated with campaigns against manufacturing and construction organizations as well as a 2023 intrusion at a critical infrastructure enterprise.

Initial access and intrusion activity attributed to or associated with Cactus includes exploitation of vulnerable internet-facing Qlik Sense servers, particularly outdated servers not running the latest version, and social-engineering-driven access chains involving spam flooding, Microsoft Teams impersonation, and abuse of Microsoft Quick Assist. Cisco Talos also documented a case where access was first obtained by the ToyMaker initial access broker, which exploited vulnerable public-facing systems, harvested credentials, and then handed access to Cactus.

Post-compromise behavior described for Cactus includes endpoint, server, and file enumeration; use of PowerShell remoting discovery; data archiving with 7z; exfiltration of victim data including suspected customer data; deployment of remote administration tools such as eHorus Agent, AnyDesk, RMS Remote Admin, and OpenSSH; creation of scheduled tasks for recurring OpenSSH reverse shells over port 443; creation of unauthorized accounts including "whiteninja"; modification of Winlogon registry keys; deletion of command history and Terminal Server Client artifacts; and removal of accounts such as the previously created "support" account to reduce indicators of compromise. Talos also observed Cactus using bcdedit and shutdown commands to reboot hosts into Safe Mode, likely to weaken security tooling, and using Metasploit shellcode-injected copies of PuTTY and ApacheBench plus ELF binaries communicating with 51.81.42.234 over ports 53, 443, 8343, and 9232.

The content states that Cactus commonly deletes shadow copies before encryption to inhibit recovery. Splunk analytics associated with Cactus specifically highlight WMIC and PowerShell-based shadow copy deletion as relevant detection opportunities. Talos further reported a previously undocumented Cactus ransomware variant with new command-line arguments that gave operators greater control over the binary.

Cactus has notable ecosystem ties to Black Basta. Trend Micro assessed Black Basta and Cactus activity as the work of the same attack group in some intrusions because they used the same BackConnect malware and similar social-engineering tradecraft involving Microsoft Teams and Quick Assist. Additional reporting in the provided content states that former Black Basta affiliates continued operations under other ransomware families including Cactus, and leaked Black Basta chats referenced Cactus-linked relationships. The content also notes reporting that a team referred to as "MG" was identified as Cactus ransomware.

Known high-confidence infrastructure and indicators mentioned in the content include exploitation of vulnerable Qlik Sense servers, the unauthorized local account names "support" and "whiteninja" observed in related intrusions, and network communications to 51.81.42.234 over ports 53, 443, 8343, and 9232 during Talos-observed activity. Project Melissa estimated roughly 5,200 internet-reachable Qlik Sense servers worldwide, more than 3,100 vulnerable, and 122 likely already exploited by Cactus at the time of that research.

The content also indicates that Cactus experienced operational decline or dormancy by 2025, with multiple reports listing the group among ransomware brands that had shut down, gone dormant, or fragmented.