Microsoft warns of Cactus ransomware actors using malvertising to infect victims
Hackers are using malware distributed through online advertisements to infect victims with Cactus ransomware, according to new research.
In a warning published on Friday, researchers at Microsoft said that the ransomware actor behind the campaign — which Microsoft calls Storm-0216 but others refer to as Twisted Spider and UNC2198 — had “received handoffs from Qakbot operators” before that group’s infrastructure was taken down in August by law enforcement. As a result, Storm-0216 has pivoted to using Danabot malware for initial access to victims.
“The current Danabot campaign, first observed in November, appears to be using a private version of the info-stealing malware instead of the malware-as-a-service offering,” Microsoft said.
Microsoft has detected Danabot (Storm-1044) infections leading to hands-on-keyboard activity by ransomware operator Storm-0216 (Twisted Spider, UNC2198), culminating in the deployment of Cactus ransomware. In this campaign, Danabot is distributed via malvertising.
— Microsoft Threat Intelligence (@MsftSecIntel) December 1, 2023
“Danabot collects user credentials and other info that it sends to command and control, followed by lateral movement via Remote Desktop Protocol (RDP) sign-in attempts, eventually leading to a handoff to Storm-0216.”
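The chain Microsoft describes above, credential theft followed by RDP sign-in attempts across the network, is one a defender can hunt for in the Windows Security log. The Python below is an added example written for this page, not Microsoft's detection logic and not anything from the Cactus or Danabot reporting: it parses a constructed set of 4624/4625 (logon success/failure) records, keeps only LogonType 10 (RemoteInteractive, i.e. RDP), and flags any source address that reaches several distinct computers, or racks up failed RDP logons, inside a short sliding window. The field names follow the Security log's own (EventID, LogonType, Computer, TargetUserName, IpAddress), but the sample records, the thresholds and the function names are assumptions made for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10                 # LogonType 10 = RemoteInteractive (RDP)
LOGON_SUCCESS, LOGON_FAILURE = 4624, 4625

# Constructed sample telemetry (not real events): benign admin RDP from
# 10.0.0.5, and a workstation at 10.0.0.23 fanning out over RDP to four
# servers after a credential-stealer run, with a few failed guesses along
# the way. The final LogonType 3 (network) record is there to be ignored.
SAMPLE_LOG = """\
{"TimeCreated": "2023-11-20T09:00:10", "EventID": 4624, "LogonType": 10, "Computer": "FS01", "TargetUserName": "svc_backup", "IpAddress": "10.0.0.5"}
{"TimeCreated": "2023-11-20T09:05:00", "EventID": 4624, "LogonType": 10, "Computer": "FS01", "TargetUserName": "svc_backup", "IpAddress": "10.0.0.5"}
{"TimeCreated": "2023-11-20T13:01:02", "EventID": 4625, "LogonType": 10, "Computer": "FS01", "TargetUserName": "jdoe", "IpAddress": "10.0.0.23"}
{"TimeCreated": "2023-11-20T13:01:09", "EventID": 4625, "LogonType": 10, "Computer": "FS01", "TargetUserName": "jdoe", "IpAddress": "10.0.0.23"}
{"TimeCreated": "2023-11-20T13:01:30", "EventID": 4624, "LogonType": 10, "Computer": "FS01", "TargetUserName": "jdoe", "IpAddress": "10.0.0.23"}
{"TimeCreated": "2023-11-20T13:04:11", "EventID": 4625, "LogonType": 10, "Computer": "SQL01", "TargetUserName": "administrator", "IpAddress": "10.0.0.23"}
{"TimeCreated": "2023-11-20T13:04:40", "EventID": 4624, "LogonType": 10, "Computer": "SQL01", "TargetUserName": "jdoe", "IpAddress": "10.0.0.23"}
{"TimeCreated": "2023-11-20T13:07:02", "EventID": 4624, "LogonType": 10, "Computer": "DC01", "TargetUserName": "jdoe", "IpAddress": "10.0.0.23"}
{"TimeCreated": "2023-11-20T13:09:15", "EventID": 4624, "LogonType": 10, "Computer": "APP02", "TargetUserName": "jdoe", "IpAddress": "10.0.0.23"}
{"TimeCreated": "2023-11-20T13:10:00", "EventID": 4624, "LogonType": 3, "Computer": "FS01", "TargetUserName": "jdoe", "IpAddress": "10.0.0.23"}
"""


def parse_events(text):
    """Turn JSON lines into dicts, keeping only RDP-type logon events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["EventID"] not in (LOGON_SUCCESS, LOGON_FAILURE):
            continue
        if ev["LogonType"] != RDP_LOGON_TYPE:
            continue  # network/interactive logons are out of scope here
        ev["TimeCreated"] = datetime.fromisoformat(ev["TimeCreated"])
        events.append(ev)
    return events


def find_rdp_fanout(events, window=timedelta(minutes=30), min_hosts=3, min_failures=5):
    """Flag source IPs that RDP into >= min_hosts distinct computers, or
    accumulate >= min_failures RDP failures, inside any sliding time window.
    The thresholds are illustrative assumptions, not tuned values."""
    by_source = defaultdict(list)
    for ev in events:
        by_source[ev["IpAddress"]].append(ev)

    findings = {}
    for source, evs in by_source.items():
        evs.sort(key=lambda e: e["TimeCreated"])
        best = None
        for i, start in enumerate(evs):
            # Every event from index i whose timestamp lies within the window.
            span = [e for e in evs[i:] if e["TimeCreated"] - start["TimeCreated"] <= window]
            hosts = {e["Computer"] for e in span}
            failures = sum(1 for e in span if e["EventID"] == LOGON_FAILURE)
            if len(hosts) < min_hosts and failures < min_failures:
                continue
            # Keep the window with the widest fan-out for this source.
            if best is None or len(hosts) > len(best["hosts"]):
                best = {
                    "first_seen": start["TimeCreated"].isoformat(),
                    "hosts": sorted(hosts),
                    "failures": failures,
                    "accounts": sorted({e["TargetUserName"] for e in span}),
                }
        if best:
            findings[source] = best
    return findings


if __name__ == "__main__":
    for src, finding in find_rdp_fanout(parse_events(SAMPLE_LOG)).items():
        print(src, finding)
```

Run as a script it reports only 10.0.0.23, with the four target hosts, both account names tried and the three failures; the backup account on 10.0.0.5 stays quiet. In a real environment the input would be events exported from the Security log (for example via Get-WinEvent on the collector), and the window and thresholds need tuning against baseline activity, since jump hosts and backup service accounts legitimately RDP to many machines.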
U.S. Attorney Martin Estrada said in August that Qakbot “was the botnet of choice for some of the most infamous ransomware gangs” and was a “key enabler within the cyber crime ecosystem, facilitating ransomware attacks and other serious threats.”
Ransomware expert Allan Liska said Cactus is a relatively new ransomware that is less than a year old but appears to be run by skilled, experienced hackers.
“The ransomware has built-in anti-virus detection techniques and the group appears to be skilled in avoiding detection during the reconnaissance stage,” he said. “They have posted almost 70 victims to their extortion site, so they appear to have had some early success.”
Cybersecurity researchers previously told BleepingComputer that Cactus emerged in March and focused on exploiting vulnerabilities in VPN appliances to gain initial access to the networks of large companies.
Last week, Arctic Wolf said it had observed a new Cactus ransomware campaign exploiting publicly exposed installations of Qlik Sense, a cloud analytics and business intelligence platform.
“Arctic Wolf Labs is currently responding to several instances of Qlik Sense exploitation for initial access,” they said. “In several instances, immediately following exploitation, Arctic Wolf detected malicious activities early in the kill chain and worked with customers to disrupt the progression of the attacks. We gained further insight into these activities during the investigation of a recent IR case which resulted in the deployment of Cactus ransomware.”
Incident response firm Dragos also said it is increasingly seeing Cactus ransomware used in attacks on industrial organizations, affecting the manufacturing, ICS equipment and engineering sectors.
The gang was responsible for 16 attacks – representing about 7% of all attacks tracked by Dragos in the third quarter.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.