Skip to content
Ransomware group

CACTUS

Cactus is a ransomware family and ransomware operation active worldwide since at least March 2023, with reporting also describing it as linked to multiple attacks worldwide since late 2023.

Profile source: Mallory opens in a new tab

CACTUS

Family profile

Cactus is a ransomware family and ransomware operation active worldwide since at least March 2023, with reporting also describing it as linked to multiple attacks worldwide since late 2023. It is used in double-extortion campaigns in which operators steal data and encrypt victim systems, and victims are pressured through leak-site publication. Reported behavior includes deleting shadow copies before encryption to inhibit recovery and using the Windows Restart Manager library (RstrtMgr.dll) to kill processes that would otherwise lock files and interfere with encryption.

High-confidence reporting links Cactus to financially motivated ransomware activity and to shared or migrating affiliates from other major ransomware ecosystems. Multiple sources note overlap with Black Basta, including use of BackConnect malware previously seen in Black Basta attacks, similar TTPs such as email flooding followed by Microsoft Teams or Quick Assist social engineering, and assessments that some former Black Basta members or affiliates moved to Cactus. Cisco Talos also reported a 2023 intrusion in which an initial access broker it tracks as ToyMaker exploited vulnerable internet-facing systems, deployed the LAGTOY backdoor, harvested credentials from memory, and later handed access to Cactus.

Observed Cactus intrusion activity includes use of stolen credentials; endpoint, server, and file enumeration; archiving data with 7z; exfiltration with curl and other transfer tools; deletion of command history and Terminal Server Client artifacts; deployment of remote administration tools including eHorus Agent, AnyDesk, RMS Remote Admin, and OpenSSH; creation of scheduled tasks for recurring OpenSSH reverse shells over port 443; creation of unauthorized accounts such as "whiteninja"; modification of Winlogon registry keys; and use of bcdedit and shutdown commands to reboot hosts into Safe Mode, likely to weaken or evade security products. Talos also observed Metasploit shellcode-injected copies of PuTTY and ApacheBench, plus ELF binaries, communicating with 51.81.42.234 over ports 53, 443, 8343, and 9232.

Cactus has been associated with campaigns targeting manufacturing and construction organizations, and Talos reported a major pre-ransomware/ransomware campaign using Black Basta and later Cactus tradecraft in which actors spammed victims’ inboxes, contacted them via Microsoft Teams, convinced them to launch Quick Assist sessions, established persistence, and then conducted privilege escalation and lateral movement. Talos identified a previously undocumented Cactus ransomware variant with new command-line arguments that gave operators greater control over the binary. Cactus has also been tied to attacks against organizations with exposed or outdated Qlik Sense servers. Joint research under Project Melissa found that identified Dutch victims were compromised through internet-exposed Qlik Sense servers not running the latest version; the project estimated about 5,200 Qlik Sense servers were internet reachable worldwide, more than 3,100 were vulnerable, and 122 had likely already been exploited by Cactus.

Known indicators and notable artifacts directly mentioned in the content include the attacker-created local administrator account "support" with password "Sup0rtadmin" during the ToyMaker phase preceding Cactus access; unauthorized account "whiteninja"; the LAGTOY/HOLERUN backdoor persisted as service "WmiPrvSV"; modification of permissions on C:\Windows\Temp\syslog.txt to protect an SSH private key; and network communications to 51.81.42.234 on ports 53, 443, 8343, and 9232. Reporting also notes Dutch victimization, worldwide distribution, and later ecosystem reporting that listed Cactus among groups that became dormant or ceased operations in 2025.

Ransomware.live

Operational record

View group record ↗

Discovery Enum

  • Nmap
  • SoftPerfect NetScan

Exfiltration

  • RClone

Networking

  • Chisel

Offsec

  • Cobalt Strike

RMM Tools

  • AnyDesk
  • Splashtop
  • SuperOps

Ransomware.live

Published indicators

Full source record ↗

Md5

50 total
  • 466a8e120c75770ecbc0c73f0439d304
  • 718d56fd19bbaf5e78c03e096dae64ca
  • 586a7991bb097e7c4ef676b180f65a6a
  • 7fa55bf92073ca2115d70641566ce89b
  • ccb993b425257228bd48c0aac20d5027
  • 28103f745f58a2af71d327012846c022
  • 42bce02c8f6d561f02856a367272b835
  • 82cb0577a64e59d187ab3174d1095c22
  • 36330349aa9c3dc0fee84e0c57283e65
  • 1773e21117bd6a0e17a3975be84ab6ae

Reported operators

Threat actors

3 named in public reporting
ToyMaker

TrendMicro analyzed the BlackBasta and Cactus groups as being the work of the same attack group in that they used the same BackConnect malware in an attack strategy that used social engineering techniques to gain initial access and then exploited Microsoft Teams and Quick Assist.

CACTUS

Since November 2023, the Cactus ransomware group has been actively targeting vulnerable Qlik Sense servers.

Black Basta

Following BlackBasta’s shutdown, its former affiliates did not simply disappear. Instead, they regrouped and continued their criminal activities under different ransomware families, including Cactus, and more recently, Payouts King.

Exploited software

Vulnerabilities linked to CACTUS

7 CVEs

MITRE ATT&CK

CACTUS in ATT&CK

26 distinct techniques

Reporting

Research mentioning CACTUS

Jun 4
Cyber Security News

Payouts King Ransomware Evades EDR With Obfuscation and Direct System Calls

Many of its former affiliates simply carried on under different banners, deploying other ransomware families like Cactus and, more recently, aligning with Payouts King.

May 19
Trellix

Analysis of Black Basta Ransomware Chat Leaks

In May 2024, GG indicated that there is a team of 'MG' and that they are Cactus ransomware.

Apr 17
Cyber Security News

Payouts King Rises as New Ransomware Threat Linked to Former BlackBasta Affiliates

Following BlackBasta’s shutdown, its former affiliates did not simply disappear. Instead, they regrouped and continued their criminal activities under different ransomware families, including Cactus, and more recently, Payouts King.

Mar 10
Cyber Security News

Hackers Attack Employees Over Microsoft Teams to Trick Them Into Granting Remote Access

"Trend Micro later reported similar ... activity in Black Basta and Cactus intrusions..."

Feb 25
Splunk Research

Detection: Delete ShadowCopy With PowerShell | Splunk Security Content

Associated Analytic Story Cactus Ransomware DarkGate Malware DarkSide Ransomware Ransomware Revil Ransomware VanHelsing Ransomware

Feb 25
Splunk Research

Detection: Suspicious SearchProtocolHost no Command Line Arguments | Splunk Security Content

Associated Analytic Story Cactus Ransomware

Feb 13
Cloudatg Insights

AI Development & Software Engineering | CloudATG

Researchers Link CACTUS Ransomware Tactics to Former Black Basta Affiliates

Jan 21
Pointwild

Analysis of HEURRemoteAdmin. GoToResolve.gen | Point Wild

This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware).

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.