White Paper

A Deep Dive into Cactus Ransomware

This threat-analysis white paper provides a technical deep dive into Cactus ransomware, first discovered in March 2023, detailing how it establishes persistence, manages keys, enumerates files and encrypts data. On execution the malware creates a mutex to prevent a second instance from running, hides itself, copies itself into ProgramData and registers a scheduled task for persistence. It decrypts an embedded RSA public key with an AES key parsed from a local ntuser.dat file, then encrypts victim files with AES-256 in CBC mode, encrypts the AES key with the RSA public key, appends metadata to each encrypted file and changes the extension to cts0 or cts1. Options control the encryption scope, logging, thread count and partial encryption of large files. The paper closes with key IOCs: the sample hash, ransom-note filename, mutex name, created files and the scheduled task.
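The summary above gives the persistence pattern (a copy in ProgramData launched by a scheduled task) and the two encrypted-file extensions, but not the task name, binary name or mutex the full paper lists. The following hunting script is an added example, not part of the white paper, and is written to those observables only; the paths in `$scope` are assumptions to be adjusted for the host being examined.

```powershell
# Added hunting example (not from the white paper). It does not assume the
# specific task name, binary name or mutex; it looks for the behaviour pattern
# the summary describes. Requires Get-ScheduledTask (Windows 8 / Server 2012+).

# 1. Scheduled tasks whose action launches something from under ProgramData.
$suspectTasks = Get-ScheduledTask | Where-Object {
    $_.Actions | Where-Object { $_.Execute -like "*\ProgramData\*" }
}
$suspectTasks |
    Select-Object TaskName, TaskPath, State,
        @{ Name = 'Execute'; Expression = { ($_.Actions | Select-Object -ExpandProperty Execute) -join '; ' } } |
    Format-Table -AutoSize

# 2. Executables dropped in ProgramData (top level and one directory deep).
#    -Force includes hidden files, since the malware hides its copy.
Get-ChildItem -Path "$env:ProgramData" -Recurse -Depth 1 -Include *.exe, *.dll -Force -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime,
        @{ Name = 'SHA256'; Expression = { (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash } } |
    Format-Table -AutoSize

# 3. Files already carrying the cts0 / cts1 extensions, counted per extension.
#    $scope is an assumed list of locations; widen it to mapped shares as needed.
$scope = @("$env:USERPROFILE", 'C:\Shares')
Get-ChildItem -Path $scope -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.cts0', '.cts1' } |
    Group-Object Extension |
    Select-Object Name, Count
```

Compare the hashes from step 2 and the task details from step 1 against the IOCs in the full paper; a hit in step 3 indicates encryption has already run on that volume and the host should be isolated rather than cleaned in place.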
