2024-07-25

Cactus Ransomware Uses SSH Tunnels and icacls for Persistent Attacks

Level: Tactical | Source: Trellix | Global


Trellix security researcher Aishwarya Gentyal reports an analysis of an attack chain associated with Cactus, a rising ransomware strain. The strain has targeted multiple commercial entities and high-profile victims since March 2023 and had compromised over 100 entities as of April 2024, according to statistics from Darkfeed. Insights from an incident involving Cactus show that the operators exploit vulnerabilities such as CVE-2023-38035 in Ivanti MobileIron Sentry to gain initial access. During post-exploitation, the attackers created SSH backdoors with an "install.bat" script that generated RSA SSH key pairs and used icacls to grant read access to all authenticated users on both the SSH configuration directory and the private key file. Two scheduled tasks were created: the first runs the SSH daemon (sshd.exe) every minute so that the SSH service is always available, and the second establishes an SSH tunnel.
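The two persistence artifacts described above (over-broad icacls grants on the SSH directory and private key, and scheduled tasks that launch sshd.exe or ssh.exe) can be triaged from collected host output. The following checker is an added example and is not part of the Trellix report; it parses constructed samples of `icacls <dir> /t` and `schtasks /query /v /fo CSV` output (column names "TaskName", "Task To Run" and "Repeat: Every" are assumed from that CSV format) and returns the suspicious entries.

```python
import csv
import io
import re

# Constructed sample of `icacls C:\ProgramData\ssh /t` output: the directory and the host
# private key grant Authenticated Users read access, mirroring the reported intrusion.
ICACLS_OUTPUT = r"""C:\ProgramData\ssh NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                   BUILTIN\Administrators:(OI)(CI)(F)
                   NT AUTHORITY\Authenticated Users:(OI)(CI)(RX)
C:\ProgramData\ssh\ssh_host_rsa_key NT AUTHORITY\SYSTEM:(F)
                                    BUILTIN\Administrators:(F)
                                    NT AUTHORITY\Authenticated Users:(R)
C:\ProgramData\ssh\ssh_host_rsa_key.pub NT AUTHORITY\SYSTEM:(F)
                                        NT AUTHORITY\Authenticated Users:(R)

Successfully processed 3 files; Failed processing 0 files
"""

# Constructed subset of `schtasks /query /v /fo CSV` columns; the check reads only these three.
SCHTASKS_CSV = """\
"TaskName","Task To Run","Repeat: Every"
"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","%windir%\\system32\\defrag.exe -c","N/A"
"\\sshd","C:\\ProgramData\\ssh\\sshd.exe","0 Hour(s), 1 Minute(s)"
"\\tunnel","C:\\ProgramData\\ssh\\ssh.exe -N -i C:\\ProgramData\\ssh\\id_rsa svc@198.51.100.7","N/A"
"""

# Principals that cover every logged-on user; read access for them on SSH key material is a finding.
BROAD = re.compile(r"(NT AUTHORITY\\Authenticated Users|Everyone|BUILTIN\\Users):((?:\([^)]+\))+)$")
READ_RIGHTS = {"F", "M", "RX", "R", "GR", "RD"}  # simple and specific rights that imply read

# Return (path, principal, rights) for every non-.pub path a broad group can read.
def broad_read_grants(icacls_text):
    findings, path, lines = [], "", icacls_text.splitlines()
    for i, line in enumerate(lines):
        if not line.strip() or line.startswith("Successfully"):
            continue
        m = BROAD.search(line)
        if not line[0].isspace():  # first ACE line carries the path; later ACEs are aligned under it
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            path = line[: m.start()].rstrip() if m else line[: len(nxt) - len(nxt.lstrip()) - 1]
        if not m or path.lower().endswith(".pub"):
            continue
        flags = [t for grp in re.findall(r"\(([^)]+)\)", m.group(2)) for t in grp.split(",")]
        if "DENY" not in flags and READ_RIGHTS.intersection(flags):
            findings.append((path, m.group(1), m.group(2)))
    return findings

# Return (task name, command, repeat interval) for tasks whose action runs ssh.exe or sshd.exe.
def ssh_launching_tasks(schtasks_csv):
    rows = csv.DictReader(io.StringIO(schtasks_csv))
    return [(r["TaskName"], r["Task To Run"], r["Repeat: Every"])
            for r in rows if re.search(r"\bsshd?\.exe\b", r["Task To Run"], re.IGNORECASE)]

if __name__ == "__main__":
    print(broad_read_grants(ICACLS_OUTPUT), ssh_launching_tasks(SCHTASKS_CSV))
```

On a live host, feed it the saved output of the two commands; the private-key grant and the per-minute sshd task are the entries worth an immediate look.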

The attackers used multiple non-native Windows tools during the intrusion, including SoftPerfect Network Scanner for reconnaissance, AnyDesk for remote access, Chisel for command and control (C2) communication, and Rclone for data exfiltration. Various batch and PowerShell scripts were deployed to support these tasks. They also disabled antivirus software, created a new admin account for persistent access, and modified the registry to automate logon, suppress legal notices, and run specific startup tasks. With persistence established and data exfiltrated, the ransomware payload was executed. This final payload checks its process arguments and creates mutexes to ensure that only a single copy runs. It uses OpenSSL libraries for encryption, combining the AES and RSA algorithms. During encryption, Cactus targets files on all drives and in all folders, renaming them with the .cts extension. The ransomware excludes specific file types from encryption and leaves a ransom note in every processed folder, demanding payment for data decryption.
