Cactus ransomware encrypts itself to stay under the radar
- May 10, 2023
A new ransomware called Cactus is making the rounds. This ransomware has a special trick to stay out of sight of your antivirus scanner: it also encrypts itself.
The first known attacks with the Cactus ransomware date back to March. The ransomware exploits vulnerabilities in VPN appliances, Fortinet devices in particular, to gain access to a network, after which the malware searches for files and databases to encrypt. The victims of Cactus so far appear to be mostly large commercial corporations.
At the moment, this sounds like your run-of-the-mill ransomware, but Cactus has a few tricks that will have security experts rubbing their eyes in disbelief. The ransomware appears to be virtually invisible to antivirus scanners and other prevention tools. Cactus not only encrypts the victim’s data, but also its own files.
The actor uses a batch script to unpack the encryptor from a 7-Zip archive, after which the archive is deleted. The ransomware binary itself is stored in encrypted form, so an antivirus scanner cannot read its contents, which lets Cactus easily slip past the first line of defense.
Cactus must still be able to unlock itself before it can do damage. The attackers hide a unique AES key in the binary that only they know. With that key the malware unpacks itself, spreads through the victim's network and encrypts files. Cactus also changes the extensions of the files it processes in order to mark them. For attackers in a hurry, Cactus offers a "quick mode"; files encrypted twice receive an extra extension.
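To make the security-relevant point concrete, here is an added example (not code from the article, from IT Daily or from Cactus itself) showing why an encrypted on-disk payload defeats a byte-signature scan, and the key-independent check a defender can still apply: an encrypted blob is near-uniformly random, so its entropy stands out against an ordinary executable. The "binary", the marker string and the key are constructed for the demonstration, and a SHA-256 counter-mode keystream stands in for AES so the script runs with the standard library only.

```python
"""Self-encrypted payload vs. static scanning (added example, constructed data)."""
import hashlib
import math

# Constructed stand-in for the unpacked malware binary: PE-like header, padding
# and a string that a hypothetical signature rule would match on.
MARKER = b"cactus_signature_string"
PLAIN_BINARY = (
    b"MZ" + b"\x00" * 500
    + b"This program cannot be run in DOS mode.\r\n"
    + MARKER
    + b"config=" + b"A" * 1500
    + b"\x00" * 2000
)


def keystream(key: bytes, length: int) -> bytes:
    """Deterministic keystream from SHA-256 in counter mode.
    Stand-in for AES-CTR so the example needs no third-party library."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Symmetric encrypt/decrypt (XOR with the keystream); same call both ways."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def signature_scan(blob: bytes, signature: bytes = MARKER) -> bool:
    """What a simple static signature does: a byte-pattern search."""
    return signature in blob


def shannon_entropy(blob: bytes) -> float:
    """Bits per byte; encrypted or well-packed data approaches 8.0."""
    if not blob:
        return 0.0
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def entropy_flag(blob: bytes, threshold: float = 7.0) -> bool:
    """Key-independent heuristic: flag blobs whose entropy sits well above
    what an ordinary executable shows."""
    return shannon_entropy(blob) > threshold


def demo(key: bytes = b"attacker-only-key") -> dict:
    """Run the scans against the plain and the encrypted form of the sample."""
    encrypted = xor_crypt(key, PLAIN_BINARY)
    return {
        "sig_on_plain": signature_scan(PLAIN_BINARY),        # True
        "sig_on_encrypted": signature_scan(encrypted),       # False
        "entropy_plain": shannon_entropy(PLAIN_BINARY),      # roughly 1 bit/byte
        "entropy_encrypted": shannon_entropy(encrypted),     # close to 8 bits/byte
        "flag_plain": entropy_flag(PLAIN_BINARY),            # False
        "flag_encrypted": entropy_flag(encrypted),           # True
        # Only whoever holds the key (the attacker, or a memory scan after the
        # payload unpacks itself) sees the signature again.
        "sig_after_unpack": signature_scan(xor_crypt(key, encrypted)),  # True
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The takeaway for defenders: a signature rule is blind to the encrypted file, which is exactly what the self-encryption buys the attacker, but an entropy check on freshly dropped executables, or scanning the process after it has unpacked itself in memory, does not need the attacker's key.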
It is not yet known how widespread the Cactus ransomware is, but it proves once again that cyber criminals are inventive and are constantly refining their methods. It therefore remains important to respect the basic rules of cyber security. Securing accounts with MFA and patching vulnerabilities as soon as possible are some habits every business should adopt.
Source: IT Daily
As an experienced journalist and author, Mary has been reporting on the latest news and trends for over 5 years. With a passion for uncovering the stories behind the headlines, Mary has earned a reputation as a trusted voice in the world of journalism. Her writing style is insightful, engaging and thought-provoking, as she takes a deep dive into the most pressing issues of our time.