Cactus

Malware updated 5 months ago (2024-11-29T13:41:59.921Z)
Cactus is a type of malware, specifically ransomware, known for its malicious activities including data theft and system disruption. This malware has been linked to several high-profile attacks, spreading primarily through malvertising campaigns that leverage the DanaBot Trojan. Notably, the Cactus ransomware gang claimed responsibility for a massive data breach at Schneider Electric, an energy management and industrial automation firm, alleging the theft of 1.5TB of data. The group also targeted the Swedish retail and grocery provider Coop, causing significant disruptions. In 2023, OmniVision, a leading developer of advanced digital imaging solutions, disclosed a data breach following a Cactus ransomware attack. The incident was one among many that contributed to Cactus' reputation as a major cybersecurity threat. In another significant event, the Housing Authority of the City of Los Angeles (HACLA) fell victim to a Cactus ransomware attack, with the cybercriminals claiming to have stolen 861GB of data, including personal, financial, and backup information. Despite its destructive capabilities, Cactus was not the most prevalent ransomware in circulation. It came in second place, accounting for 7.74% of ransomware incidents, trailing behind LockBit but ahead of RansomHub, Play, Akira, Hunters, and BlackBasta. These figures underscore the persistent and diverse nature of the ransomware threat landscape, with Cactus representing a significant part of this ongoing challenge.
Description last updated: 2024-11-04T21:02:51.671Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so the following are possible overlapping names or profiles that may also be worth looking at.

Alias: Nokoyawa
Description: Nokoyawa is a possible alias for Cactus. Nokoyawa is a prominent malware, specifically ransomware, that has been linked to numerous cybercrime activities since it first emerged in 2022. It has been associated with various other malware families including Quantum, Royal, BlackBasta, and a variety of others such as Emotet, IcedID, CobaltStri
Votes: 2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Exploit
Vpn
Ransom
Schneider
Malware
Vulnerability
Extortion
exploitation
Antivirus
Lateral Move...
Rmm
RaaS
Exploits
Malvertising
Trojan
Data Leak
Proxy
Encryption
Associated Malware
Malware families that the corpus associates with Cactus, with the recorded association type and vote count for each.

Alias: LockBit
Description: The Lockbit Malware is associated with Cactus. LockBit is a prominent ransomware-as-a-service (RaaS) malware that has been involved in numerous cyberattacks, demonstrating its staying power and adaptability. The malware, which can infiltrate systems through suspicious downloads, emails, or websites, is designed to exploit and damage computers or
Association type: Unspecified
Votes: 4

Alias: Black Basta
Description: The Black Basta Malware is associated with Cactus. Black Basta is a notorious malware group known for its sophisticated ransomware attacks, which have targeted numerous high-profile entities. The group has demonstrated a remarkable ability to adapt their tactics, techniques, and procedures (TTPs), allowing them to effectively evade security defenses
Association type: is related to
Votes: 4

Alias: Akira
Description: The Akira Malware is associated with Cactus. Akira is a potent ransomware that has been active since 2023, known for its aggressive encryption tactics and swift deployment. This malware, which brings a unique '80s aesthetic to the dark web, has quickly risen in prominence within the cybercrime landscape. It has targeted hundreds of victims glo
Association type: Unspecified
Votes: 3

Alias: BlackBasta
Description: The Blackbasta Malware is associated with Cactus. BlackBasta is a notorious malware group that has emerged as a significant player in the ransomware space. The group has demonstrated an ability to adapt and evolve their tactics, making them a leading entity in the Russian-language ransomware domain. Initially, BlackBasta was observed using a botnet
Association type: Unspecified
Votes: 3

Alias: Clop
Description: The Clop Malware is associated with Cactus. Clop, a malicious software (malware), is linked to a Russian-speaking cybercriminal group also known as Cl0p. It is designed to exploit and damage computer systems by stealing personal information, disrupting operations, or holding data hostage for ransom. In May 2023, the Clop group began exploitin
Association type: Unspecified
Votes: 2

Alias: IcedID
Description: The IcedID Malware is associated with Cactus. IcedID is a malicious software (malware) that has been implicated in numerous cybercrime campaigns. It has been associated with other notable malware such as Qakbot, BazarLoader, CobaltStrike, Conti, Gozi, Trickbot, Quantum, Emotet, Pikabot, and SystemBC. Its distribution often involves the use of d
Association type: Unspecified
Votes: 2
Associated Threat Actors
Threat actors that the corpus associates with Cactus, with the recorded association type and vote count for each.

Alias: Alphv
Description: The Alphv Threat Actor is associated with Cactus. Alphv, also known as BlackCat, is a threat actor group that has been linked to numerous cyberattacks, particularly targeting the healthcare sector. The group made headlines when it stole 5TB of data from Morrison Community Hospital, causing significant disruption and raising concerns about patient p
Association type: is related to
Votes: 3

Alias: Rhysida
Description: The Rhysida Threat Actor is associated with Cactus. Rhysida is a globally active threat actor known for its ransomware operations, which have impacted a wide range of sectors, particularly the government and public sector. Their use of CleanUpLoader makes their operations highly effective and difficult to detect, as it not only facilitates persistenc
Association type: Unspecified
Votes: 2
Source Document References
Information about the Cactus malware was read from the documents in the corpus below. This display is limited to 20 results. Only the source name and creation age survived for each entry; the preview, link and title columns are not available here.

Source (created at):
InfoSecurity-magazine (a month ago)
Securityaffairs (a month ago)
InfoSecurity-magazine (2 months ago)
Securityaffairs (2 months ago)
InfoSecurity-magazine (2 months ago)
DARKReading (6 months ago)
Checkpoint (6 months ago)
Securelist (8 months ago)
InfoSecurity-magazine (8 months ago)
Securityaffairs (8 months ago)
Securityaffairs (9 months ago)
Securityaffairs (9 months ago)
Securityaffairs (9 months ago)
Securityaffairs (9 months ago)
Securityaffairs (9 months ago)
Securityaffairs (10 months ago)
Securityaffairs (10 months ago)
Securityaffairs (10 months ago)
Checkpoint (a year ago)
Securityaffairs (a year ago)