Scroll Top

Understanding Ransomware and the Emerging Threat of CACTUS



Ransomware has become one of the most significant cybersecurity threats in recent years. Among the many ransomware groups, CACTUS is a notable new entrant that has quickly established itself as a formidable adversary. Despite lacking the longevity of groups like LockBit or the resources of Volt Typhoon, CACTUS has demonstrated remarkable efficiency and impact since its emergence.

Who is CACTUS?

CACTUS ransomware was first observed in March 2023 and has since been actively targeting large commercial entities. According to a study by the SANS Institute, CACTUS was one of the fastest-growing ransomware groups of that year. The group was responsible for 17% of all ransomware attacks conducted by new groups in 2023, ranking among the top five threats in this category.

The name “CACTUS” comes from the filename of their ransom note, “cAcTuS.readme.txt,” and the encrypted files are given the extension .CTSx, where x is a varying single-digit number. This ransomware follows a double-extortion model, where attackers not only encrypt the victim’s data but also threaten to release sensitive information unless a ransom is paid.

The Ransom Note

The ransom note from CACTUS typically reads:

Your corporate network was compromised and encrypted by Cactus.

Do not interrupt the encryption process, don't stop or reboot your machines until the encryption is complete. Otherwise the data may be corrupted.

In addition to the encrypted infrastructure, we have downloaded a lot of confidential information from your systems. The publication of these documents may cause the termination of your commercial activities, contracts with your clients and partners, and multiple lawsuits.

If you ignore this warning and do not contact us, your sensitive data will be posted on our blog.

Notable Attacks

CACTUS has been involved in several high-profile attacks, notably targeting Schneider Electric in January 2024. Schneider Electric, a French multinational company with a significant market share in the Energy & Power sector, had its Sustainability Business division compromised. This division’s clients include major corporations such as Clorox, DHL, DuPont, Hilton, PepsiCo, and Walmart. CACTUS claimed to have exfiltrated 1.5TB of data before encrypting Schneider’s systems.

Other notable victims include Marfrig Global Foods and MINEMAN Systems, both of which have significant roles in global supply chains. CACTUS has listed over 100 victims on its leak site, though the actual number of affected companies could be higher as some may have paid ransoms and avoided public disclosure.

Characteristics and Techniques

CACTUS ransomware employs several sophisticated techniques to evade detection and ensure successful attacks. These include:

  • Self-Encryption
    CACTUS encrypts itself to avoid detection by security software.
  • Exploiting Vulnerabilities
    It has been observed exploiting known vulnerabilities in VPN appliances and data analytics platforms to gain initial access.
  • Unique Encryption Methods
    The ransomware divides encrypted files into micro-buffers, potentially to manage encrypted data streams more efficiently.

Prevention and Mitigation

Given the rise in ransomware attacks, including those by CACTUS, organizations must adopt robust cybersecurity measures. Here are some recommended practices:

  1. Multi-Factor Authentication (MFA)
    Enforce MFA for all critical services, including email, VPNs, and systems access.
  2. Regular Patching
    Ensure all systems, especially VPN appliances, are regularly updated to patch known vulnerabilities.
  3. Access Controls
    Implement strict access controls, including the principle of least privilege and time-based access for administrative accounts.
  4. Vulnerability Management
    Continuously scan for and address vulnerabilities and misconfigurations.
  5. Employee Training
    Conduct regular security awareness training and phishing simulations for employees.
  6. Network Segmentation
    Design the network to minimize the impact of a potential breach through effective segmentation.
  7. Use of Security Tools
    Employ tools like antivirus, EDR, firewalls, and IDS/IPS, ensuring they are properly configured and regularly updated.


CACTUS ransomware is a growing threat in the cybersecurity landscape. Despite being relatively new, it has demonstrated significant capability and impact. Organizations must stay vigilant and proactive in their cybersecurity efforts to mitigate the risks posed by such sophisticated ransomware groups. For a more comprehensive analysis and detailed preventive measures, refer to the attached report.

Related Posts

Leave a comment

You must be logged in to post a comment.
Privacy Preferences
When you visit our website, it may store information through your browser from specific services, usually in form of cookies. Here you can change your privacy preferences. Please note that blocking some types of cookies may impact your experience on our website and the services we offer.