The DSA wants to bring to your attention that the Cactus ransomware group recently launched a coordinated attack against several organizations across various industries.
Details
The Cactus ransomware group has been active since March 2023 and uses a double-extortion model: it steals sensitive data and threatens to release it if the ransom is not paid. On January 20th, 2024, the Cactus ransomware group launched a coordinated attack against several organizations across various industries. This ransomware has been observed exploiting known vulnerabilities in products such as Fortinet and Qlik Sense to gain initial access to the system.
The most distinctive behaviour of this ransomware is its set of evasion techniques, including encrypting its own binary to avoid anti-malware detection and using multiple batch scripts for various actions, including retrieving the ransomware binary. Encrypted files carry the .cts extension and the ransom note is named cAcTuS.readme.txt.
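As an added defender-side example (not part of the DSA advisory), a small Python scan for the two file-system artifacts named above, the .cts extension and the cAcTuS.readme.txt note, run over a constructed sample directory; the alert threshold of three encrypted files is an assumption of this example, not a figure from the advisory.

```python
import os
import tempfile
from dataclasses import dataclass, field

ENCRYPTED_EXT = ".cts"              # extension reported in the advisory
RANSOM_NOTE = "cactus.readme.txt"   # advisory's note name, lower-cased for matching
MIN_ENCRYPTED_FOR_ALERT = 3         # assumed threshold, not from the advisory

@dataclass
class ScanResult:
    encrypted_files: list = field(default_factory=list)
    ransom_notes: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Any ransom note, or a cluster of encrypted files, is worth an alert.
        return bool(self.ransom_notes) or len(self.encrypted_files) >= MIN_ENCRYPTED_FOR_ALERT

def scan_tree(root: str) -> ScanResult:
    """Walk `root` and collect paths matching the advisory's file artifacts."""
    result = ScanResult()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lowered = name.lower()  # the note name is mixed case; match case-insensitively
            if lowered == RANSOM_NOTE:
                result.ransom_notes.append(os.path.join(dirpath, name))
            elif lowered.endswith(ENCRYPTED_EXT):
                result.encrypted_files.append(os.path.join(dirpath, name))
    return result

def build_sample_tree(infected: bool = True) -> str:
    """Constructed sample directory: benign files plus, if infected, the artifacts."""
    root = tempfile.mkdtemp(prefix="cactus-demo-")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    with open(os.path.join(docs, "notes.txt"), "w") as f:
        f.write("benign file\n")
    if infected:
        for i in range(3):
            with open(os.path.join(docs, f"report{i}.docx.cts"), "wb") as f:
                f.write(b"\x00" * 16)  # placeholder ciphertext, constructed
        with open(os.path.join(root, "cAcTuS.readme.txt"), "w") as f:
            f.write("constructed note body\n")
    return root

if __name__ == "__main__":
    r = scan_tree(build_sample_tree())
    print(f"encrypted={len(r.encrypted_files)} notes={len(r.ransom_notes)} suspicious={r.suspicious}")
```

On a real host, point `scan_tree` at user data and file-server shares and feed the result into the SOC alerting pipeline rather than printing it.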
Indicators of Compromise:
Recommendations:
Digital Security Authority recommends:
• Block the attached IOCs on the network and use the latest Threat Intelligence data to stay aware of current TTPs and IOCs used by threat actors.
• Ensure that systems are up to date with the latest security patches.
• Use strong passwords and multi-factor authentication.
• Regularly back up data to a secure location.
The information presented in this report is based on available data up to the 25th of January 2024.