Cactus attacks Peacock Bros

Incident Date: Sep 14, 2023

Attack Overview

Victim: Peacock Bros
Industry: Business Services
Location: Australia
Attacker: Cactus
First Reported: September 14, 2023

The Cactus Ransomware Gang's Attack on Peacock Bros

The Cactus ransomware gang has attacked Peacock Bros, an Australian company that provides technology solutions and services, particularly in labeling, barcoding, data collection, and mobile computing. The company has been in operation for many decades and has established itself as a trusted provider of technology solutions for businesses across various industries.

Cactus posted Peacock Bros to its data leak site on September 14th, threatening to publish stolen non-disclosure agreements if the organization fails to pay an unspecified ransom. Cactus has been in operation since at least March 2023.

Method of Attack

Cactus has been observed exploiting known vulnerabilities in VPN appliances to gain initial access. Once inside the network, Cactus operators enumerate local and network user accounts and identify accessible endpoints. They then create new user accounts and use custom scripts to automate the rollout and activation of the ransomware encryptor through scheduled tasks.

Unique Characteristics of the Ransomware

The ransomware encryptor used by Cactus has a unique characteristic: the binary requires a decryption key in order to execute, a measure likely implemented to evade detection by anti-virus software. This decryption key is concealed within a file containing random text named ntuser.dat, which is loaded through a scheduled task.
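
As an added example (not part of the original report and not Halcyon's tooling): a genuine NTUSER.DAT is a registry hive whose first four bytes are `regf`, so a file of that name holding plain text stands out. The Python below flags such files and any scheduled-task command line that mentions the name; the directory names, task names and commands are constructed sample data, not observed Cactus artifacts.

```python
import os
import tempfile

HIVE_MAGIC = b"regf"  # first four bytes of a genuine Windows registry hive


def is_registry_hive(path):
    """True when the file starts with the registry hive signature."""
    with open(path, "rb") as fh:
        return fh.read(4) == HIVE_MAGIC


def find_fake_ntuser(root):
    """Return files named ntuser.dat (any case) under root that are not hives."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != "ntuser.dat":
                continue
            path = os.path.join(dirpath, name)
            try:
                if not is_registry_hive(path):
                    hits.append(path)
            except OSError:
                continue  # locked hive of a logged-on user: unreadable, not flagged
    return sorted(hits)


def tasks_referencing_ntuser(tasks):
    """tasks: (name, command line) pairs; return names whose command mentions the file."""
    return [name for name, cmd in tasks if "ntuser.dat" in cmd.lower()]


def build_sample_tree():
    """Constructed sample: one hive-like file and one text-only impostor."""
    root = tempfile.mkdtemp()
    for sub, data in (("dir_a", HIVE_MAGIC + b"\x00" * 60),
                      ("dir_b", b"constructed random text, not a hive")):
        os.makedirs(os.path.join(root, sub))
        with open(os.path.join(root, sub, "NTUSER.DAT"), "wb") as fh:
            fh.write(data)
    return root


# Constructed task inventory (hypothetical names and commands).
SAMPLE_TASKS = [
    ("ConstructedBackup", r"C:\constructed\backup.exe"),
    ("ConstructedLoader", r"C:\constructed\run.exe C:\constructed\ntuser.dat"),
]

if __name__ == "__main__":
    print(find_fake_ntuser(build_sample_tree()))
    print(tasks_referencing_ntuser(SAMPLE_TASKS))
```

On a live host the task list would come from an export of the scheduled-task inventory; a match from either check is a lead for triage, not proof of Cactus activity.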
