Also known as: Cactus virus
Category: Malware
Type: Ransomware, cryptovirus, filelocker
Variants: Win64:Trojan-gen, Generic.Ransom.Cactus.A.6A6CBCEA, Win64/Filecoder.Cactus.A, Trojan-Ransom.Win32.Cactus.d, Ransom:Win32/Cactus.LKV!MTB
Platform: Windows
Damage potential: Inaccessible files, data theft, ransom demands, network spread
Overview
Cactus is ransomware that takes advantage of vulnerabilities in some VPN software to gain access to company networks. Once the cybercriminals behind Cactus break into a company’s system, they create fake user accounts and launch the ransomware, locking files and demanding payment in exchange for a decryption key. Cactus was first detected in March 2023 and is notorious for evading antivirus detection by encrypting itself.
Possible symptoms
If you see a ransom note named “cAcTuS.readme.txt” and files with “CTS1” added to their original names, it means Cactus ransomware is on your network. You may also be unable to open some files on your computer.
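A small check for the two indicators named above, as an added example that is not part of the original entry: it flags the ransom note and files carrying the marker, grouped by directory so affected shares stand out, and assumes the marker is appended as a suffix to the original file name.

```python
import os
from collections import defaultdict

# Indicators from the entry above: the ransom note name and the marker
# Cactus adds to encrypted file names. Matching is case-insensitive
# because Windows file systems are.
RANSOM_NOTE = "cactus.readme.txt"
ENCRYPTED_MARKER = "cts1"


def classify(path):
    """Return 'note', 'encrypted' or None for a single file path."""
    name = os.path.basename(path).lower()
    if name == RANSOM_NOTE:
        return "note"
    # Assumption: the marker is appended as a suffix to the original name.
    if name.endswith(ENCRYPTED_MARKER) and name != ENCRYPTED_MARKER:
        return "encrypted"
    return None


def find_cactus_indicators(paths):
    """Group hits by directory: {dir: {"notes": [...], "encrypted": [...]}}.

    Only directories with at least one hit are returned.
    """
    hits = defaultdict(lambda: {"notes": [], "encrypted": []})
    for path in paths:
        kind = classify(path)
        if kind is None:
            continue
        key = "notes" if kind == "note" else "encrypted"
        hits[os.path.dirname(path)][key].append(os.path.basename(path))
    return dict(hits)


def scan_tree(root):
    """Walk a real directory tree (e.g. a mounted image) with the same check."""
    def walk():
        for dirpath, _dirnames, filenames in os.walk(root):
            for filename in filenames:
                yield os.path.join(dirpath, filename)
    return find_cactus_indicators(walk())


# Constructed sample listing (not real data); forward slashes keep the
# paths parseable on any host, and Windows accepts them too.
SAMPLE_PATHS = [
    "C:/Shares/Finance/budget.xlsx.cts1",
    "C:/Shares/Finance/cAcTuS.readme.txt",
    "C:/Shares/Finance/notes.txt",
    "C:/Users/alice/Documents/plan.docx",
]

if __name__ == "__main__":
    for directory, found in find_cactus_indicators(SAMPLE_PATHS).items():
        print(directory, found)
```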
Sources of the infection
Cactus often gets into systems by exploiting vulnerabilities in unpatched VPN software. The rest of the known sources of infection are similar to most other ransomware:
- Malicious links and attachments in phishing emails
- Drive-by downloads (downloads without the visitor’s consent and knowledge) from infected websites
- Malware-ridden ads
- Pirated software
- P2P (peer to peer) sharing of infected files
Protection
- Be skeptical of links and attachments: Avoid clicking on suspicious links or attachments.
- Keep your software updated: Cactus is known to use vulnerabilities in VPN software. Software updates often include fixes for vulnerabilities discovered since the last version, so you can protect your devices by regularly updating your operating system and other software you use.
- Switch on NordVPN’s Threat Protection Pro: NordVPN’s advanced security features block malware-ridden websites and scan downloaded files for malware.
- Use reputable antivirus software: A reliable antivirus helps protect your systems from threats like Cactus.
- Do not save passwords on browsers: With Cactus ransomware, hackers could steal passwords saved on browsers. Consider using a reliable password manager instead.
- Enable multi-factor authentication (MFA): Multi-factor authentication prevents cybercriminals from using your accounts, even if they have your credentials.
- Back up data: Regularly back up your data to a secure location, isolated from the network.
Removal
Ransomware like Cactus typically infects a computer and then spreads throughout the network, so you should isolate the infected computer from other devices on your network.
- Log out of all cloud storage accounts.
- Disable network connection to the infected computer.
- Remove all external storage (e.g. USB drives, portable hard drives).
- Use a trustworthy anti-malware solution to remove the ransomware.