Cybercriminals known as Twisted Spider (AKA Storm-0216) were observed using the services of Storm-1044, which infected target endpoints with an initial access trojan called DanaBot. Twisted Spider would then use this access to deploy the CACTUS ransomware.
In a Twitter thread, Microsoft security researchers explained that Storm-0216 was known for leveraging QakBot's infrastructure for its infections, but since law enforcement dismantled that operation last summer, the group has been forced to switch to another platform.
“The current Danabot campaign, first spotted in November, appears to use a private version of the information-stealing malware rather than the malware-as-a-service offering,” the company explains. The DanaBot operators also provided hands-on-keyboard activity to their partners, it added.
Encrypting itself
Once Storm-1044 had stolen the necessary credentials, it moved laterally across the network to other endpoints via RDP login attempts. With that access established, the group handed it over to Twisted Spider, which then deployed the CACTUS ransomware on the endpoints.
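The hand-off described above rests on one observable pattern: a single account, from a single source, opening RDP sessions to many hosts in a short window. The following detection logic is an added example written for this article; it is not code from Microsoft, Kroll, or the article's author. The log lines, their key=value layout, the 30-minute window and the four-host threshold are all constructed assumptions; the only standard facts it relies on are Windows Security event IDs 4624 (successful logon) and 4625 (failed logon) and logon type 10 (RemoteInteractive, i.e. RDP).

```python
"""Flag RDP lateral-movement fan-out in Windows Security events.

Added example for this article, not code from Microsoft or Kroll.  The
event format (key=value pairs), window and threshold are assumptions.
Event 4624 = successful logon, 4625 = failed logon, LogonType 10 = RDP.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = """\
2023-11-20T02:01:10Z EventID=4624 LogonType=10 TargetUser=svc_backup SourceIP=10.0.5.23 Host=FS01
2023-11-20T02:02:40Z EventID=4624 LogonType=10 TargetUser=svc_backup SourceIP=10.0.5.23 Host=FS02
2023-11-20T02:03:05Z EventID=4625 LogonType=10 TargetUser=svc_backup SourceIP=10.0.5.23 Host=SQL01
2023-11-20T02:03:30Z EventID=4624 LogonType=10 TargetUser=svc_backup SourceIP=10.0.5.23 Host=SQL01
2023-11-20T02:05:12Z EventID=4624 LogonType=10 TargetUser=svc_backup SourceIP=10.0.5.23 Host=DC01
2023-11-20T02:06:00Z EventID=4624 LogonType=10 TargetUser=svc_backup SourceIP=10.0.5.23 Host=HV01
2023-11-20T09:15:00Z EventID=4624 LogonType=10 TargetUser=alice SourceIP=10.0.9.4 Host=WS-ALICE
2023-11-20T09:16:00Z EventID=4624 LogonType=3 TargetUser=alice SourceIP=10.0.9.4 Host=FS01
2023-11-20T14:00:00Z EventID=4624 LogonType=10 TargetUser=bob SourceIP=10.0.9.7 Host=JUMP01
"""

RDP_LOGON_TYPE = "10"
WINDOW = timedelta(minutes=30)    # sliding window (assumed threshold)
MIN_DISTINCT_HOSTS = 4            # fan-out threshold (assumed)


def parse_event(line):
    """Parse one key=value log line into a dict; None for blank lines."""
    line = line.strip()
    if not line:
        return None
    ts, *pairs = line.split()
    ev = dict(p.split("=", 1) for p in pairs)
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev


def rdp_fanout(log_text, window=WINDOW, min_hosts=MIN_DISTINCT_HOSTS):
    """Return {(user, source_ip): sorted hosts} for every source that opened
    successful RDP sessions to >= min_hosts distinct hosts within `window`."""
    sessions = defaultdict(list)  # (user, src) -> [(ts, host), ...]
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev or ev["EventID"] != "4624" or ev["LogonType"] != RDP_LOGON_TYPE:
            continue
        sessions[(ev["TargetUser"], ev["SourceIP"])].append((ev["ts"], ev["Host"]))

    hits = {}
    for key, events in sessions.items():
        events.sort()
        # Slide the window over the time-ordered events; alert on the first
        # window that contains enough distinct destination hosts.
        for i, (start, _) in enumerate(events):
            hosts = {h for t, h in events[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                hits[key] = sorted(hosts)
                break
    return hits


def rdp_failures(log_text):
    """Count failed RDP logons (4625, logon type 10) per (user, source_ip);
    failures preceding a success on the same host hint at guessed or
    stolen credentials being tried."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev and ev["EventID"] == "4625" and ev["LogonType"] == RDP_LOGON_TYPE:
            counts[(ev["TargetUser"], ev["SourceIP"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for (user, src), hosts in rdp_fanout(SAMPLE_EVENTS).items():
        print(f"ALERT RDP fan-out: {user} from {src} -> {', '.join(hosts)}")
    for (user, src), n in rdp_failures(SAMPLE_EVENTS).items():
        print(f"INFO  {n} failed RDP logon(s): {user} from {src}")
```

On the constructed sample, only svc_backup from 10.0.5.23 trips the rule (five hosts in under five minutes); alice's single RDP session and her type-3 network logon to FS01 are ignored, which is the point of keying on logon type 10 rather than on every 4624. In a real estate the threshold needs tuning against jump hosts and admin workstations, which legitimately fan out.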
CACTUS seems to be quickly becoming the preferred choice of many ransomware operators. Last week, Arctic Wolf researchers warned that attackers were exploiting three vulnerabilities in the Qlik Sense data analytics platform to deploy this particular variant and steal sensitive corporate data.
In May, Kroll researchers discovered that the ransomware had a unique method of bypassing security protections: “CACTUS essentially encrypts itself, making it harder to detect and helping circumvent antivirus and network monitoring tools,” Laurie Iacono, Associate Managing Director for Cyber Risk at Kroll, told BleepingComputer.
CACTUS is a relative newcomer to the ransomware scene, first noticed in March of this year. It follows the usual modus operandi: stealing sensitive data and encrypting systems, then demanding payment in cryptocurrency in exchange for the decryption key and a promise to keep the data private.