This new ransomware manages to hide itself from antivirus thanks to an unstoppable method

Called Cactus, a new ransomware is currently rampant on the web. What sets this malware apart is its ability to hide from even the most sophisticated antivirus products. Active since last March, it has only just been discovered.


Cactus: remember this name of ransomware, because you are likely to hear about it again in the coming months. Not that this malware is more dangerous than another. No, where it stands out from other ransomware is in its method of creation and deployment.

According to security experts at Kroll, who discovered Cactus, the malware “essentially encrypts itself, making it harder to detect and helping it evade antivirus and network monitoring tools.”


Cactus encrypts itself to better conceal itself

The whole point of Cactus is therefore to encrypt itself. How is that possible? First, the authors of this malware use the free 7-Zip compression tool. A simple compression step produces what looks like a perfectly legitimate file. But the original file is replaced by the malware, and the executable is distributed with a specific flag that allows it to run. The malware is thus able to slip through the antivirus net, since it looks like a simple compressed file. The malware then stores data in C:\ProgramData\ntuser.dat, which the executable reads back when run with the -r command-line switch. It is via another switch, -i in this case, that the data, which was encrypted beforehand, is then decrypted.
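As an added illustration, not code from the article or from Kroll's report, the check below scans constructed process-creation records for the two details the paragraph gives: a process reading the C:\ProgramData\ntuser.dat path (a legitimate ntuser.dat hive lives under a user profile, not under ProgramData) and a command line using the -r or -i switches. The event field names (image, cmdline, files_read) are assumptions, not the schema of any particular EDR.

```python
import re

# Path named in the article. Real ntuser.dat registry hives sit under
# C:\Users\<account>\, so this location alone is worth a look.
SUSPECT_PATH = re.compile(r"^c:\\programdata\\ntuser\.dat$", re.IGNORECASE)
# -r and -i switches named in the article; match them only as whole tokens.
SUSPECT_SWITCHES = re.compile(r"(?:^|\s)-(r|i)(?:\s|$)", re.IGNORECASE)

# Constructed sample records (not real telemetry); field names are assumed.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs", "files_read": []},
    {"image": r"C:\Users\Public\update.exe",
     "cmdline": "update.exe -r",
     "files_read": [r"C:\ProgramData\ntuser.dat"]},
    {"image": r"C:\Users\Public\update.exe",
     "cmdline": "update.exe -i PLACEHOLDER_ARGUMENT",
     "files_read": [r"C:\ProgramData\ntuser.dat"]},
    {"image": r"C:\Users\Public\helper.exe",
     "cmdline": "helper.exe",
     "files_read": [r"C:\ProgramData\ntuser.dat"]},
    {"image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": "7z.exe x archive.7z",
     "files_read": [r"C:\Users\bob\archive.7z"]},
]


def classify(event):
    """Return (severity, reasons) for one process-creation record."""
    path_hit = any(SUSPECT_PATH.match(p) for p in event.get("files_read", []))
    switches = sorted({m.group(1).lower()
                       for m in SUSPECT_SWITCHES.finditer(event.get("cmdline", ""))})
    if not path_hit:
        # -r / -i on their own are far too common to alert on.
        return "benign", []
    reasons = ["reads C:\\ProgramData\\ntuser.dat"]
    if switches:
        reasons.append("command line uses " + ", ".join("-" + s for s in switches))
        return "high", reasons
    return "medium", reasons


def scan(events):
    """Return every non-benign record as (image, severity, reasons)."""
    hits = []
    for event in events:
        severity, reasons = classify(event)
        if severity != "benign":
            hits.append((event["image"], severity, reasons))
    return hits
```

Path and switch together are what make the record interesting; either signal alone should stay a hunting lead rather than an alert.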


Note that the ransomware exploits known vulnerabilities in Fortinet’s VPN applications. Once deployed on a network, Cactus searches for files and initiates a multi-threaded encryption operation. And like most malware, Cactus doesn’t just encrypt its victims’ data: the malware also steals it. The authors then use the Rclone tool, which allows them to transfer the data to the cloud.

As usual, the ransomware's authors threaten to publish the stolen information if their victims do not pay. The size of the ransom demand is unknown at this time, but it could reach several million dollars according to Bleeping Computer.

Source : Bleeping Computer.
