THREAT ACTOR

Cactus

THREAT LEVEL
7
EMERGENCE DATE
Mar 2023
CATEGORY
Independent Ransomware Operation
AFFILIATIONS

Operated as a closed group without a RaaS model. Maintained connections to Storm-0216/Twisted Spider/UNC2198. Shared BackConnect malware with BlackBasta. Partnered with the ToyMaker initial access broker (IAB).

DESCRIPTION

Cactus emerged as a ransomware operation in March 2023 and showed technical capability and deliberate development from the start. Operating as a closed platform rather than a public Ransomware-as-a-Service offering, the group accumulated more than 140 confirmed victims while focusing on large commercial entities with revenues above $100 million. It is distinguished by a self-encrypting encryptor binary and by its cAcTuS.readme.txt ransom note, and its tradecraft progressed from initial VPN exploitation to multi-vector campaigns that incorporated BackConnect malware.

CRITICALITY
Assesses the importance of the potential target, including their size/scale, data's value, and operational impact.
LETHALITY
Evaluates the potential for damage from an attack, including the ability to disrupt operations, cause financial loss, and damage public brand image.
AGGRESSIVENESS
Assesses the psychological and tactical intensity of the group’s behavior, including targeted harassment, violent language, blackmail, and political motives.

Classifications & Affiliations

Type: Independent Ransomware Operation

Operating as an independent ransomware operation, Cactus kept full control over the attack lifecycle, victim negotiations and ransom proceeds, with no public RaaS infrastructure. Its encryptor is a self-encrypting binary that needs a specific AES key to run; once running, it encrypts files with multi-threaded AES-256 CBC and protects the AES key material with RSA-4096.

Strategic partnerships included the initial access broker ToyMaker and BackConnect malware infrastructure shared with BlackBasta. The closed operational model let the group target organizations with revenues above $100 million precisely and avoid the exposure that comes with affiliate networks, while still covering Windows, Linux and VMware ESXi environments.

Current Status: Significantly diminished as of Q2 2025. Halcyon's Q4-2024 Power Rankings placed Cactus in the "Diminishing" category, indicating decreased attack volumes, and multiple security intelligence sources list Cactus among the groups that have either exited the ransomware ecosystem or substantially reduced operations.

Threat Level:
7

Origins and Methodology

Cactus distinguished itself technically from inception, emerging as a closed operation with potential connections to Malaysian hacktivist groups. The ransomware takes its name from the distinctive ransom note filename cAcTuS.readme.txt; encrypted files receive sequential extensions (.cts0, .cts1, .cts2).

Its precision and consistency set it apart in the ransomware ecosystem and point to experienced, veteran operators. The distinctive self-encrypting binary requires a specific AES key to execute, which helps it evade antivirus and other signature-based detection.

What is the Evolution of Cactus Ransomware?
0.1
Formation

Cactus first emerged in March 2023 as a technically mature ransomware operation. It initially relied on exploiting VPN vulnerabilities, particularly in Fortinet appliances, and established its distinctive self-encrypting binary mechanism from the outset.

0.2
Evolution

The most significant developments were the expansion to Qlik Sense vulnerability exploitation and the partnership with the initial access broker ToyMaker. By October 2024, the integration of BackConnect malware, shared with BlackBasta, provided persistent remote access.

0.3
Lineage/Connections

Technical analysis tied the operation to multiple threat actor designations (Storm-0216, Twisted Spider, UNC2198) and identified it as a Russian-speaking group. It showed notable resilience by pivoting rapidly from QakBot-based operations to DanaBot malware after law enforcement disrupted QakBot.

Which Unique Techniques Does Cactus Use?

Infection Vectors: Exploits Fortinet VPN vulnerabilities and Qlik Sense weaknesses. Also compromises exposed RDP services and uses valid accounts purchased from Initial Access Brokers.

Target Selection: Focuses on organizations with $100M+ in annual revenue and over 500 employees, especially in manufacturing, healthcare and financial services. Geographically targets North America and Europe.

Operational Complexity: Employs multi-threaded AES-256 CBC + RSA-4096 encryption, Living-off-the-Land techniques, and remote access tools such as AnyDesk, Splashtop and SuperOps RMM. Also deploys a self-encrypting binary that requires an AES key to run.

Key Features & Technical Details

Encryption Methods: AES-256 CBC with the key material protected by RSA-4096. Hard-coded IV OLi3bTN6ekZCY7jd. Partial encryption for files of 7.7 MB or larger.

Double Extortion: Combines encryption with threats of public data exposure.

Self-Protection: The self-encrypting binary requires an AES key stored in C:\ProgramData\ntuser.dat.

Cross-Platform: Primarily targets Windows systems, but also affects Linux and VMware ESXi.

Monetization: Estimated revenue ranges from $5–15 million (conservative estimate) to $15–35 million (moderate estimate). Prefers Bitcoin payments.

Communication: Uses TOX messaging for negotiations. Ransom note titled cAcTuS.readme.txt.

Behavioral Patterns: Uses PowerTool32.exe / PowerTool64.exe to disable security tools, deletes volume shadow copies, and performs multi-threaded encryption.
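The partial-encryption detail above (files of 7.7 MB or larger are only partly encrypted) has a practical consequence for incident response: parts of a large file may still be intact. The following chunked-entropy triage is an added example, not Cactus code or any vendor's tooling, and it makes no claim about which byte ranges Cactus encrypts. It simply measures which regions of a file look like ciphertext (near 8 bits per byte) and which still look like structured plaintext, so an analyst can estimate how much of a large file is recoverable; the same approach applies to any intermittently encrypting ransomware. The sample file is constructed, and the chunk size and entropy threshold are assumptions.

```python
"""Chunked-entropy triage for files hit by partial (intermittent) encryption.

Added example for the "partial encryption for files of 7.7 MB or larger" detail
in this profile. It is not Cactus code and makes no claim about which byte
ranges Cactus encrypts: it only measures which regions of a file look like
ciphertext (near 8 bits/byte) and which still look like structured plaintext.
The sample file is constructed; CHUNK and CIPHER_THRESHOLD are assumptions.
"""
import math
import random
from collections import Counter

CHUNK = 4096            # assumed analysis granularity in bytes
CIPHER_THRESHOLD = 7.5  # bits per byte; uniformly random data approaches 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_regions(blob: bytes, chunk: int = CHUNK, threshold: float = CIPHER_THRESHOLD):
    """Split blob into chunks, label each 'encrypted' or 'plain' by entropy,
    and merge neighbouring chunks that carry the same label.

    Returns a list of (start, end, label) tuples covering the whole blob.
    Caveat: natively compressed formats (zip/xlsx/docx, jpeg, mp4) are high
    entropy before any attack, so compare against a known-good copy or the
    format's magic bytes before trusting an 'encrypted' label.
    """
    regions = []
    for start in range(0, len(blob), chunk):
        end = min(start + chunk, len(blob))
        label = "encrypted" if shannon_entropy(blob[start:end]) >= threshold else "plain"
        if regions and regions[-1][2] == label:
            regions[-1] = (regions[-1][0], end, label)
        else:
            regions.append((start, end, label))
    return regions


def recoverable_fraction(regions, size: int) -> float:
    """Fraction of the file that still looks like plaintext."""
    if size == 0:
        return 0.0
    return sum(end - start for start, end, label in regions if label == "plain") / size


def sample_partially_encrypted(size: int = 64 * 1024, encrypted_prefix: int = 16 * 1024,
                               seed: int = 7) -> bytes:
    """Constructed 64 KiB 'document' whose first 16 KiB were overwritten with
    pseudo-random bytes, standing in for a partially encrypted file."""
    line = b"Quarterly revenue by region, EMEA, line item 0042, status: reviewed\n"
    plaintext = (line * (size // len(line) + 1))[:size]
    rng = random.Random(seed)  # deterministic so the result is reproducible
    ciphertext = bytes(rng.getrandbits(8) for _ in range(encrypted_prefix))
    return ciphertext + plaintext[encrypted_prefix:]


if __name__ == "__main__":
    blob = sample_partially_encrypted()
    regions = classify_regions(blob)
    for start, end, label in regions:
        print(f"{start:>8}-{end:<8} {label}")
    print(f"recoverable: {recoverable_fraction(regions, len(blob)):.0%}")
```

Run it on a real `.cts1` file by replacing the constructed sample with the file's bytes; the region list shows where plaintext survives, and the recoverable fraction tells you whether carving the remainder is worth the effort before any ransom discussion.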

Activities

The group maintained consistent activity from March 2023 and kept evolving its tactics and technical capabilities. Its rapid adaptation to infrastructure disruptions, including the successful pivot from QakBot to DanaBot after law enforcement action, reflects resilience and experienced operators.

Which Industries Are Most Vulnerable to Cactus?

The manufacturing sector faced the highest risk; analysts reported that it accounted for more than two-thirds of industrial ransomware incidents, as just-in-time production leaves little tolerance for downtime. Healthcare organizations were targeted for patient-safety leverage and regulatory compliance pressure. Financial services attracted attention because of regulatory oversight requirements. Critical infrastructure, including energy sector organizations, faced risk to operational technology and industrial control systems.

Modus Operandi

Cactus's operational methods span much of the MITRE ATT&CK framework and combine evasion techniques with deliberate tool deployment. The methodical approach covers vulnerability exploitation, living-off-the-land techniques and encryption mechanisms designed to maximize impact while evading detection.

T1190 - Exploit Public-Facing Application via Fortinet VPN and Qlik Sense. T1133 - External Remote Services. T1078 - Valid Accounts purchased from IABs

T1027 - Self-encrypting binary using AES-256. T1574.001 - DLL Side-Loading via OneDriveStandaloneUpdater.exe. T1562.001 - PowerTool used to disable security tools

T1219 - Remote Access Software (AnyDesk, Splashtop, SuperOps RMM). T1071 - TOR-based communication

T1021 - Remote Services. Living-off-the-Land with Event Viewer, PowerShell, Chisel, Rclone

T1041 - Exfiltration Over C2 Channel in preparation for double extortion

T1053.005 - Scheduled Task named "Updates Check Task". T1547 - Boot or Logon Autostart Execution via registry modifications

T1486 - Data Encrypted for Impact using hybrid AES-256/RSA-4096. T1490 - Inhibit System Recovery via shadow volume deletion

Indicators of Compromise (IOCs)

File Extensions: .cts0, .cts1, .cts2 (sequential)

Ransom Note: cAcTuS.readme.txt

Mutex: b4kr-xr7h-qcps-omu3cAcTuS

Infrastructure: 45.8.157.199, 5.181.3.164, 38.180.25.3, 185.190.251.16, 207.90.238.52, 89.185.80.86

File Paths: C:\ProgramData\ntuser.dat (AES key storage; a legitimate ntuser.dat lives only under a user profile such as C:\Users\<user>\, so this path is itself suspicious), C:\ProgramData\cAcTuS.readme.txt (ransom note location), registry modifications for persistence
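The Behavioral Patterns row, the ATT&CK mapping under Modus Operandi and the IOC table above together describe what a Cactus intrusion looks like in endpoint telemetry. The hunting logic below is an added example, not Cactus code and not any vendor's detection content; it runs the listed indicators and behaviours over constructed sample events. The event field names (event, host, image, cmdline, target, task_name, loaded, dst_ip, mutex) are an assumed Sysmon-like shape rather than a real log schema, the DLL and document names in the sample data are made up, and the .ctsN burst threshold is an assumption. Note the deliberate negative cases: a user-profile ntuser.dat and the updater running from its real OneDrive path must not fire.

```python
"""Hunt constructed endpoint telemetry for the Cactus indicators in this profile.

Added example; it is not Cactus code and not any vendor's detection content.
EVENTS is constructed sample telemetry whose field names are an assumed
Sysmon-like shape, not a real log schema. Indicator values come from the
profile above; CTS_BURST and ONEDRIVE_DIRS are assumptions.
"""
import re
from collections import Counter, namedtuple

C2_IPS = {"45.8.157.199", "5.181.3.164", "38.180.25.3",
          "185.190.251.16", "207.90.238.52", "89.185.80.86"}
MUTEX = "b4kr-xr7h-qcps-omu3cAcTuS"
RANSOM_NOTE = "cactus.readme.txt"        # compared case-insensitively
KEY_FILE = r"c:\programdata\ntuser.dat"  # a real ntuser.dat lives under C:\Users\<user>\
CTS_EXT = re.compile(r"\.cts\d+$")       # .cts0, .cts1, .cts2 ...
POWERTOOL = re.compile(r"^powertool(32|64)\.exe$")
TASK_NAME = "updates check task"
SIDELOAD_HOST = "onedrivestandaloneupdater.exe"
ONEDRIVE_DIRS = (r"\microsoft\onedrive", r"\microsoft onedrive")  # assumed legitimate install paths
CTS_BURST = 5  # assumed: this many .ctsN files on one host before raising T1486

Finding = namedtuple("Finding", "event_id technique detail")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def dirname(path: str) -> str:
    return path.lower().rsplit("\\", 1)[0]


def hunt(events, burst: int = CTS_BURST):
    """Return one Finding per matched indicator, tagged with the ATT&CK ID used in this profile."""
    findings, cts_hits = [], Counter()
    for e in events:
        kind, eid = e["event"], e["id"]
        if kind == "process":
            name = basename(e["image"])
            if POWERTOOL.match(name):
                findings.append(Finding(eid, "T1562.001", "PowerTool run to disable security tools"))
            elif name == "vssadmin.exe" and "delete shadows" in e["cmdline"].lower():
                findings.append(Finding(eid, "T1490", "volume shadow copy deletion"))
        elif kind == "file":
            low = e["target"].lower()
            if low == KEY_FILE:
                findings.append(Finding(eid, "T1027", "AES key file for the self-encrypting binary"))
            elif basename(low) == RANSOM_NOTE:
                findings.append(Finding(eid, "T1486", "cAcTuS.readme.txt ransom note dropped"))
            elif CTS_EXT.search(low):
                cts_hits[e["host"]] += 1   # count renames; alert only on a burst
        elif kind == "task" and e["task_name"].lower() == TASK_NAME:
            findings.append(Finding(eid, "T1053.005", "scheduled task 'Updates Check Task'"))
        elif kind == "image_load":
            # Side-loading: the signed OneDrive updater copied to a user-writable directory
            # so that a planted DLL beside it is loaded instead of the real one.
            if basename(e["image"]) == SIDELOAD_HOST and not any(d in dirname(e["image"]) for d in ONEDRIVE_DIRS):
                findings.append(Finding(eid, "T1574.001",
                                        f"OneDriveStandaloneUpdater.exe outside OneDrive path loading {basename(e['loaded'])}"))
        elif kind == "network" and e["dst_ip"] in C2_IPS:
            findings.append(Finding(eid, "T1071", f"connection to known Cactus infrastructure {e['dst_ip']}"))
        elif kind == "mutex" and e["mutex"] == MUTEX:
            findings.append(Finding(eid, "T1486", "Cactus encryptor mutex observed"))
    for host, n in cts_hits.items():
        if n >= burst:
            findings.append(Finding(None, "T1486", f"{n} files renamed to .ctsN on {host}"))
    return findings


# Constructed sample telemetry: ws01 shows a full Cactus chain, ws02 is benign noise,
# sbx is a sandbox report. DLL and document names are made up for the example.
EVENTS = [
    {"id": 1, "host": "ws01", "event": "process", "image": r"C:\Windows\Temp\PowerTool64.exe", "cmdline": "PowerTool64.exe"},
    {"id": 2, "host": "ws01", "event": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"id": 3, "host": "ws01", "event": "file", "target": r"C:\ProgramData\ntuser.dat"},
    {"id": 4, "host": "ws01", "event": "task", "task_name": "Updates Check Task"},
    {"id": 5, "host": "ws01", "event": "image_load", "image": r"C:\Users\Public\Music\OneDriveStandaloneUpdater.exe",
     "loaded": r"C:\Users\Public\Music\helper.dll"},
    {"id": 6, "host": "ws01", "event": "network", "dst_ip": "45.8.157.199", "dst_port": 443},
    {"id": 7, "host": "ws01", "event": "file", "target": r"C:\ProgramData\cAcTuS.readme.txt"},
    {"id": 8, "host": "ws02", "event": "file", "target": r"C:\Users\alice\ntuser.dat"},
    {"id": 9, "host": "ws02", "event": "network", "dst_ip": "10.0.0.5", "dst_port": 445},
    {"id": 10, "host": "ws02", "event": "image_load",
     "image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe",
     "loaded": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\LoggingPlatform.dll"},
    {"id": 11, "host": "sbx", "event": "mutex", "mutex": MUTEX},
] + [{"id": 100 + i, "host": "ws01", "event": "file", "target": rf"C:\Shares\Finance\report{i}.xlsx.cts1"}
     for i in range(6)]

if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(finding)
```

Two design points matter in practice. The `.ctsN` renames are counted and only reported as a burst per host, because a single matching extension is weak evidence on its own, while the ransom note, the mutex and the ProgramData key file are specific enough to report individually. The side-loading check keys on where the legitimate updater runs from rather than on a DLL name, since the page names the host binary but not the planted DLL.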

Exploits and Vulnerabilities

Fortinet FortiOS SSL-VPN, listed as CVE-2023-38035 (CVSS 9.8): Heap-based buffer overflow in the SSL-VPN daemon (sslvpnd). Note that CVE-2023-38035 is actually the Ivanti Sentry (MICS) authentication bypass and not a FortiOS flaw; the FortiOS sslvpnd heap overflows that match this description are CVE-2022-42475 and CVE-2023-27997 (both rated 9.8 in NVD).

Qlik Sense Enterprise for Windows, CVE-2023-41266 (CVSS 9.1): Path traversal that lets an unauthenticated remote attacker generate an anonymous session and send requests to unauthorized endpoints; chained with CVE-2023-41265 for unauthenticated remote code execution.

Qlik Sense Enterprise for Windows, CVE-2023-41265 (CVSS 9.9): HTTP request tunneling in the repository service, allowing a remote attacker to elevate privileges and execute requests on the backend server.

Qlik Sense Enterprise for Windows, CVE-2023-48365 (CVSS 9.9): Bypass of the fix for CVE-2023-41265; improper validation of HTTP headers again allows request tunneling and unauthenticated remote code execution.