
CACTUS Ransomware Alert by Microsoft! 🌵💻


Microsoft Warns of Malvertising Scheme Targeting Users

Microsoft has issued a warning about a new wave of CACTUS ransomware attacks that are spreading via a malvertising scheme. The ransomware attacks leverage malvertising lures to deploy DanaBot as an initial access vector. DanaBot is a multi-functional tool that acts as a stealer and a point of entry for next-stage payloads, similar to Emotet, TrickBot, QakBot, and IcedID.

According to the Microsoft Threat Intelligence team, the DanaBot infections led to hands-on-keyboard activity by ransomware operator Storm-0216 (also known as Twisted Spider and UNC2198), culminating in the deployment of CACTUS ransomware. UNC2198 has been previously observed infecting endpoints with IcedID to deploy ransomware families such as Maze and Egregor.

The threat actor has also taken advantage of initial access provided by QakBot infections, but the shift to DanaBot is likely the result of a coordinated law enforcement operation in August 2023 that took down QakBot's infrastructure. The current DanaBot campaign, first observed in November, appears to be using a private version of the info-stealing malware instead of the malware-as-a-service offering.

The credentials harvested by the malware are transmitted to an actor-controlled server; the operators then attempt lateral movement via RDP sign-ins and ultimately hand off access to Storm-0216. The disclosure comes days after Arctic Wolf revealed another set of CACTUS ransomware attacks that are actively exploiting critical vulnerabilities in a data analytics platform called Qlik Sense to gain access to corporate networks.
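The RDP sign-in activity described above is something a defender can hunt for in Windows Security logs. The following Python is an added example, not code from the article, Microsoft or Arctic Wolf: it groups RDP logons (Event ID 4624 for success, 4625 for failure, logon type 10 for RemoteInteractive) by source address and flags a source that produces a burst of failures or successful logons to several distinct hosts inside a short window. The field names, thresholds and the sample records are assumptions made for the example.

```python
"""Flag RDP sign-in bursts that may indicate lateral movement.

Added example; assumes Windows Security events already parsed into
dicts with the fields used below. Event ID 4624 = successful logon,
4625 = failed logon, logon type 10 = RemoteInteractive (RDP).
"""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10
SUCCESS, FAILURE = 4624, 4625

# Constructed sample records (not real telemetry). The first source
# hammers three hosts with failures, then logs on to all three;
# the second is ordinary single-host RDP use with one typo.
SAMPLE_EVENTS = [
    {"time": "2023-11-20T02:14:05", "event_id": 4625, "logon_type": 10, "src_ip": "10.0.5.23", "user": "svc_backup", "host": "FS01"},
    {"time": "2023-11-20T02:14:20", "event_id": 4625, "logon_type": 10, "src_ip": "10.0.5.23", "user": "svc_backup", "host": "FS01"},
    {"time": "2023-11-20T02:14:40", "event_id": 4625, "logon_type": 10, "src_ip": "10.0.5.23", "user": "svc_backup", "host": "FS02"},
    {"time": "2023-11-20T02:15:01", "event_id": 4625, "logon_type": 10, "src_ip": "10.0.5.23", "user": "admin", "host": "FS02"},
    {"time": "2023-11-20T02:15:30", "event_id": 4625, "logon_type": 10, "src_ip": "10.0.5.23", "user": "admin", "host": "DC01"},
    {"time": "2023-11-20T02:16:00", "event_id": 4624, "logon_type": 10, "src_ip": "10.0.5.23", "user": "admin", "host": "FS01"},
    {"time": "2023-11-20T02:18:00", "event_id": 4624, "logon_type": 10, "src_ip": "10.0.5.23", "user": "admin", "host": "FS02"},
    {"time": "2023-11-20T02:19:30", "event_id": 4624, "logon_type": 10, "src_ip": "10.0.5.23", "user": "admin", "host": "DC01"},
    {"time": "2023-11-20T09:01:00", "event_id": 4624, "logon_type": 10, "src_ip": "10.0.9.8", "user": "jdoe", "host": "WS12"},
    {"time": "2023-11-20T09:30:00", "event_id": 4625, "logon_type": 10, "src_ip": "10.0.9.8", "user": "jdoe", "host": "WS12"},
    {"time": "2023-11-20T09:30:10", "event_id": 4624, "logon_type": 10, "src_ip": "10.0.9.8", "user": "jdoe", "host": "WS12"},
    # Network (type 3) logon: not RDP, so it must be ignored.
    {"time": "2023-11-20T09:31:00", "event_id": 4624, "logon_type": 3, "src_ip": "10.0.9.8", "user": "jdoe", "host": "FS01"},
]


def parse_time(value):
    return datetime.fromisoformat(value)


def rdp_events(events):
    """Keep only RDP logon successes and failures."""
    return [e for e in events
            if e["logon_type"] == RDP_LOGON_TYPE and e["event_id"] in (SUCCESS, FAILURE)]


def find_rdp_bursts(events, window_minutes=10, min_failures=5, min_hosts=3):
    """Return one alert per source IP whose RDP activity, inside any
    sliding window of window_minutes, reaches min_failures failed
    logons or successful logons to min_hosts distinct hosts."""
    by_src = defaultdict(list)
    for e in rdp_events(events):
        by_src[e["src_ip"]].append(e)

    window = timedelta(minutes=window_minutes)
    alerts = []
    for src, evs in sorted(by_src.items()):
        evs.sort(key=lambda e: parse_time(e["time"]))
        peak_failures = peak_hosts = 0
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the window fits.
            while parse_time(evs[end]["time"]) - parse_time(evs[start]["time"]) > window:
                start += 1
            win = evs[start:end + 1]
            peak_failures = max(peak_failures, sum(1 for e in win if e["event_id"] == FAILURE))
            peak_hosts = max(peak_hosts, len({e["host"] for e in win if e["event_id"] == SUCCESS}))
        reasons = []
        if peak_failures >= min_failures:
            reasons.append("failed_rdp_burst")
        if peak_hosts >= min_hosts:
            reasons.append("multi_host_rdp_success")
        if reasons:
            alerts.append({"src_ip": src, "reasons": reasons,
                           "peak_failures": peak_failures, "peak_hosts": peak_hosts})
    return alerts


if __name__ == "__main__":
    for alert in find_rdp_bursts(SAMPLE_EVENTS):
        print(alert)
```

Thresholds of this kind are tuned per environment; the point is that both signals (many failures, then success on several hosts from one source) appear together in the scenario the article describes, and either alone is worth a closer look.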

Microsoft's warning follows closely on the heels of the discovery of a new macOS ransomware strain called Turtle that's written in the Go programming language and is signed with an ad hoc signature, thereby preventing it from being executed upon launch due to Gatekeeper protections.

Organizations and individuals are advised to remain vigilant against this evolving threat; the campaign underscores the importance of robust cybersecurity measures to mitigate the risk of infection.


Frequently Asked Questions

How to protect oneself from malvertising attacks?

Malvertising is a type of cyber attack that uses online ads to spread malware. To protect oneself from malvertising attacks, users can take the following steps:
Install an ad-blocker extension on their browser to block ads from unknown sources.
Keep their operating system and software up-to-date with the latest security patches.
Avoid clicking on ads that look suspicious or too good to be true.
Use reputable antivirus software that can detect and block malvertising campaigns.

What are the common signs that a device has been affected by a malvertising campaign?

The signs that a device has been affected by a malvertising campaign can vary depending on the type of malware that has been downloaded. However, some common signs include:
Slow system performance and increased CPU usage.
Pop-up ads that appear even when the browser is closed.
Unusual error messages or warnings.
Changes in the browser settings or homepage.

What steps should be taken if one suspects their system is compromised by ransomware?

If one suspects their system is compromised by ransomware, they should take the following steps:
Disconnect the device from the internet to prevent further damage.
Do not pay the ransom as it may not guarantee the return of the encrypted data.
Use reputable antivirus software to remove the ransomware from the system.
Restore the encrypted data from a backup if available.

How does DanaBot spread and what is its impact on affected systems?

DanaBot is a banking Trojan that is often used as an initial access vector for ransomware attacks. It is spread through malvertising campaigns and phishing emails. Once it infects a system, it can steal sensitive information such as login credentials and financial data. It can also download and execute additional malware on the affected system.

What measures are companies taking to prevent malvertising on their platforms?

Companies are taking several measures to prevent malvertising on their platforms, including:
Implementing strict ad policies and guidelines to prevent malicious ads from being displayed.
Using automated tools to scan ads for malware and other malicious content.
Collaborating with third-party security vendors to detect and block malvertising campaigns.
Providing users with ad-blocker extensions and other tools to protect themselves from malvertising attacks.

What is the difference between malvertising and traditional malware distribution methods?

Malvertising is a type of malware distribution method that uses online ads to spread malware. Traditional malware distribution methods include phishing emails, social engineering, and software vulnerabilities. Malvertising can be more difficult to detect and prevent as it can appear on legitimate websites and ad networks.
