Microsoft Issues Warning on Malvertising Campaign Propagating CACTUS Ransomware

Microsoft has issued an urgent warning about a new wave of CACTUS ransomware attacks that use malvertising to spread DanaBot, a notorious banking trojan, as the initial access vector. This combination poses a serious risk to users: DanaBot steals sensitive information and then gives the operators the foothold they need to deploy CACTUS ransomware, which encrypts the victim's files and demands a ransom payment for unlocking them.

Impact:

  • CACTUS encrypts vital files on the victim’s computer, rendering them inaccessible. This includes documents, photos, videos, emails, and other essential data. The victim loses access to their critical information and may face significant business or personal disruptions.
  • Attackers demand a ransom payment in exchange for the decryption key needed to unlock the encrypted files. The amount can be substantial and varies with the severity of the attack and the value of the stolen data, causing significant financial strain. Victims are often pressured to pay quickly, as the attackers may threaten to delete the files permanently or release them publicly. Even if the ransom is paid, there is no guarantee that the attackers will provide a working decryption key.

In this campaign, cybercriminals employ malvertising to trick users into clicking malicious links disguised as legitimate advertisements. Once clicked, these links redirect users to websites infected with DanaBot. This trojan steals a variety of sensitive information, including login credentials and financial data, and transmits it to the attackers. Moreover, DanaBot can act as a backdoor, allowing the attackers to gain remote access to the infected system and deploy further malware, including CACTUS ransomware.

CACTUS ransomware encrypts vital files on a victim’s computer, rendering them inaccessible. The attackers then demand a ransom payment in exchange for the decryption key. If victims refuse to pay, their data remains encrypted, potentially causing significant financial and emotional distress.

Indicators of Compromise (IOCs):

DanaBot:

  • MD5: c8292126f7b32d3dedfa1afc396d4aa2
  • SHA-256: 5abcd78602091e9cddfec8f1e4bdd336ae58273466eb0981c2f980c4d91b6cb2
  • SHA-1: 6c5b9640188e27e1a4c213a6077d1b2b04dd1a9d

CACTUS:

  • MD5: 5737cb3a9a6d22e957cf747986eeb1b3
  • SHA-256: c52ad663ff29e146de6b7b20d834304202de7120e93a93de1de1cb1d56190bfd
  • SHA-1: cb570234349507a204c558fc8c4ecf713e2c0ac3
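The hashes above are only useful if they are checked against what is actually on disk. The following scanner is an added example, not part of the advisory or of any Microsoft tooling: it streams each file once, computes all three digests, and reports a hit when any of them matches an IOC from this page (the `scan_tree` and `hash_file` names are this example's own).

```python
import hashlib
import os

# Hashes exactly as listed in the advisory's IOC section, keyed by family.
ADVISORY_IOCS = {
    "DanaBot": {
        "md5": "c8292126f7b32d3dedfa1afc396d4aa2",
        "sha1": "6c5b9640188e27e1a4c213a6077d1b2b04dd1a9d",
        "sha256": "5abcd78602091e9cddfec8f1e4bdd336ae58273466eb0981c2f980c4d91b6cb2",
    },
    "CACTUS": {
        "md5": "5737cb3a9a6d22e957cf747986eeb1b3",
        "sha1": "cb570234349507a204c558fc8c4ecf713e2c0ac3",
        "sha256": "c52ad663ff29e146de6b7b20d834304202de7120e93a93de1de1cb1d56190bfd",
    },
}


def hash_file(path, chunk_size=1 << 20):
    """Compute md5, sha1 and sha256 of one file in a single streamed pass."""
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def scan_tree(root, iocs=ADVISORY_IOCS):
    """Walk `root`; return [(path, family, algo)] for files whose hash is a known IOC."""
    # Any one of the three digests is enough for a hit, so the scanner works
    # with whichever hash type a threat feed happens to supply.
    lookup = {(algo, digest.lower()): family
              for family, digests in iocs.items()
              for algo, digest in digests.items()}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digests = hash_file(path)
            except OSError:
                continue  # locked or unreadable files are skipped, not fatal
            for algo, digest in digests.items():
                if (algo, digest) in lookup:
                    hits.append((path, lookup[(algo, digest)], algo))
                    break  # one report per file is enough
    return hits
```

Hash matching only catches the exact samples listed; repacked or recompiled builds of DanaBot or CACTUS will have different digests, so treat a clean scan as absence of these specific files, not absence of the malware family.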

Attack Vector: Malvertising

Ransomware: CACTUS

Initial Access Trojan: DanaBot

Affected Products: All Windows versions

Vulnerability Type: Social Engineering

CVEs:

  • CVE-2023-41266
  • CVE-2023-41265

As recently reported by Arctic Wolf, new CACTUS ransomware attacks are actively targeting significant vulnerabilities in the Qlik Sense (Qlik) data analysis technology to gain access to business networks.

The Turtle ransomware strain was also discovered recently: a macOS ransomware strain written in the Go programming language and signed with an ad-hoc signature, which means Gatekeeper blocks it from running.

Remediation Steps:

  • Exercise caution when clicking on links. Be wary of unsolicited links, especially those received via email, text messages, or social media platforms. Even if the link appears to originate from a trusted source, verify its legitimacy before clicking.
  • Update your software regularly. This includes your operating system, web browser, antivirus software, and other essential applications. Keeping software current ensures you have the latest security patches and protection against known vulnerabilities.
  • Use strong passwords and enable multi-factor authentication. Employ complex passwords for all online accounts and activate multi-factor authentication whenever possible. An extra layer of security makes it much more difficult for attackers to compromise accounts.
  • Regularly backing up your crucial data to external hard drives or cloud storage ensures you have access to your files even if your system becomes infected.
  • To detect and block malicious software like DanaBot and CACTUS ransomware, use a reliable antivirus program and keep it updated.