Discovery Enum
- Nmap
- SoftPerfect NetScan
Cactus is a ransomware family and ransomware operation active worldwide since at least March 2023, with reporting also describing it as linked to multiple attacks worldwide since late 2023.
Profile source: Mallory opens in a new tabCACTUS
Cactus is a ransomware family and ransomware operation active worldwide since at least March 2023, with reporting also describing it as linked to multiple attacks worldwide since late 2023. It is used in double-extortion campaigns in which operators steal data and encrypt victim systems, and victims are pressured through leak-site publication. Reported behavior includes deleting shadow copies before encryption to inhibit recovery and using the Windows Restart Manager library (RstrtMgr.dll) to kill processes that would otherwise lock files and interfere with encryption.
High-confidence reporting links Cactus to financially motivated ransomware activity and to shared or migrating affiliates from other major ransomware ecosystems. Multiple sources note overlap with Black Basta, including use of BackConnect malware previously seen in Black Basta attacks, similar TTPs such as email flooding followed by Microsoft Teams or Quick Assist social engineering, and assessments that some former Black Basta members or affiliates moved to Cactus. Cisco Talos also reported a 2023 intrusion in which an initial access broker it tracks as ToyMaker exploited vulnerable internet-facing systems, deployed the LAGTOY backdoor, harvested credentials from memory, and later handed access to Cactus.
Observed Cactus intrusion activity includes use of stolen credentials; endpoint, server, and file enumeration; archiving data with 7z; exfiltration with curl and other transfer tools; deletion of command history and Terminal Server Client artifacts; deployment of remote administration tools including eHorus Agent, AnyDesk, RMS Remote Admin, and OpenSSH; creation of scheduled tasks for recurring OpenSSH reverse shells over port 443; creation of unauthorized accounts such as "whiteninja"; modification of Winlogon registry keys; and use of bcdedit and shutdown commands to reboot hosts into Safe Mode, likely to weaken or evade security products. Talos also observed Metasploit shellcode-injected copies of PuTTY and ApacheBench, plus ELF binaries, communicating with 51.81.42.234 over ports 53, 443, 8343, and 9232.
Cactus has been associated with campaigns targeting manufacturing and construction organizations, and Talos reported a major pre-ransomware/ransomware campaign using Black Basta and later Cactus tradecraft in which actors spammed victims’ inboxes, contacted them via Microsoft Teams, convinced them to launch Quick Assist sessions, established persistence, and then conducted privilege escalation and lateral movement. Talos identified a previously undocumented Cactus ransomware variant with new command-line arguments that gave operators greater control over the binary. Cactus has also been tied to attacks against organizations with exposed or outdated Qlik Sense servers. Joint research under Project Melissa found that identified Dutch victims were compromised through internet-exposed Qlik Sense servers not running the latest version; the project estimated about 5,200 Qlik Sense servers were internet reachable worldwide, more than 3,100 were vulnerable, and 122 had likely already been exploited by Cactus.
Known indicators and notable artifacts directly mentioned in the content include the attacker-created local administrator account "support" with password "Sup0rtadmin" during the ToyMaker phase preceding Cactus access; unauthorized account "whiteninja"; the LAGTOY/HOLERUN backdoor persisted as service "WmiPrvSV"; modification of permissions on C:\Windows\Temp\syslog.txt to protect an SSH private key; and network communications to 51.81.42.234 on ports 53, 443, 8343, and 9232. Reporting also notes Dutch victimization, worldwide distribution, and later ecosystem reporting that listed Cactus among groups that became dormant or ceased operations in 2025.
Ransomware.live
Ransomware.live
466a8e120c75770ecbc0c73f0439d304718d56fd19bbaf5e78c03e096dae64ca586a7991bb097e7c4ef676b180f65a6a7fa55bf92073ca2115d70641566ce89bccb993b425257228bd48c0aac20d502728103f745f58a2af71d327012846c02242bce02c8f6d561f02856a367272b83582cb0577a64e59d187ab3174d1095c2236330349aa9c3dc0fee84e0c57283e651773e21117bd6a0e17a3975be84ab6aeReported operators
TrendMicro analyzed the BlackBasta and Cactus groups as being the work of the same attack group in that they used the same BackConnect malware in an attack strategy that used social engineering techniques to gain initial access and then exploited Microsoft Teams and Quick Assist.
Since November 2023, the Cactus ransomware group has been actively targeting vulnerable Qlik Sense servers.
Following BlackBasta’s shutdown, its former affiliates did not simply disappear. Instead, they regrouped and continued their criminal activities under different ransomware families, including Cactus, and more recently, Payouts King.
Exploited software
MITRE ATT&CK
Reporting
Many of its former affiliates simply carried on under different banners, deploying other ransomware families like Cactus and, more recently, aligning with Payouts King.
In May 2024, GG indicated that there is a team of 'MG' and that they are Cactus ransomware.
Following BlackBasta’s shutdown, its former affiliates did not simply disappear. Instead, they regrouped and continued their criminal activities under different ransomware families, including Cactus, and more recently, Payouts King.
"Trend Micro later reported similar ... activity in Black Basta and Cactus intrusions..."
Associated Analytic Story Cactus Ransomware DarkGate Malware DarkSide Ransomware Ransomware Revil Ransomware VanHelsing Ransomware
Associated Analytic Story Cactus Ransomware
Researchers Link CACTUS Ransomware Tactics to Former Black Basta Affiliates
This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware).
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.