Cactus attacks Intercity Investments
Cactus Ransomware Group's Attack on Intercity Investments
Cactus ransomware group claimed an attack on Intercity Investments. The group obtained several pieces of sensitive corporate data, including confidential data, PII documents, death certificates, and others. Intercity Investments is a fully integrated real estate management company that has been managing its retail, office, mixed-use, and multi-family assets primarily in Texas for over 40 years.
Cactus's Modus Operandi
Cactus has been in operation since at least March 2023. Cactus has been observed employing known vulnerabilities within VPN appliances to initiate an initial breach. Once gaining entry to the network, Cactus operators engage in activities such as enumerating local and network user accounts and identifying accessible endpoints. They then proceed to generate new user accounts and utilize custom scripts for the automated rollout and activation of the ransomware encryptor through scheduled tasks.
It is noteworthy that the ransomware encryptor utilized by Cactus exhibits a unique characteristic – it necessitates a decryption key for the execution of the binary, likely implemented to evade detection by anti-virus software. This decryption key is concealed within a file containing random text named ntuser.dat, which is loaded through a scheduled task.
See Halcyon in action
Interested in getting a demo?
Fill out the form to meet with a Halcyon Anti-Ransomware Expert!