Cactus ransomware has made a name for itself not just through disruption, but through its stealthy and highly technical delivery methods.

Active since early 2023, the group employs a unique strategy: encrypting its own ransomware binary to avoid detection by endpoint security tools—an increasingly common tactic among well-funded cybercriminal groups.

Cactus targets enterprise environments, relying on quiet lateral movement and carefully staged encryption to maximise impact before triggering detection. At STORM Guidance, we support businesses dealing with threats like Cactus by providing immediate response, forensic investigation, and long-term security improvements.

How Cactus Attacks Work

Cactus attacks are notable for their sophisticated evasion techniques, often involving:

• Initial access via vulnerable VPN services or exposed remote access points

• Lateral movement using compromised admin credentials and native tools

• Payload encryption, where the ransomware executable is encrypted and then decrypted at runtime—bypassing traditional security tools

• File encryption with a unique .cts extension and ransom note

• Data exfiltration and leak threats as part of a double extortion model

Victim data is published on a branded dark web leak site if the ransom isn’t paid.

Who Cactus Targets

Cactus has been observed targeting:

• Large and mid-sized enterprises, particularly in manufacturing, legal, and tech services

• Organisations with VPN vulnerabilities or legacy remote access infrastructure

• Environments where detection relies heavily on signature-based tools

Its tactics suggest a preference for businesses with distributed infrastructure and slower patching cycles.

How to Defend Against Cactus Ransomware

✅ Prioritise patching for VPNs, firewalls, and internet-facing systems

✅ Enforce multi-factor authentication for all privileged accounts

✅ Deploy behavioural-based endpoint detection tools

✅ Monitor network traffic for anomalies and credential misuse

✅ Conduct regular penetration testing and internal compromise simulations

✅ Back up data securely and isolate backups from production networks

If You’ve Been Hit by Cactus

If Cactus ransomware has compromised your environment:

• Isolate impacted systems and disconnect any affected VPN tunnels

• Preserve logs, encryption samples, and the ransom note for analysis

• Begin a data breach assessment and engage legal/compliance teams

• Contact an incident response provider before engaging the threat actor

STORM Guidance provides:

✔ Technical containment and breach investigation

✔ Recovery support and secure rebuild strategies

✔ Legal and reputational risk management

✔ Expert guidance on ransom handling and negotiation

Cactus: Tactical, Technical, and Quietly Dangerous

Cactus stands out for its ability to fly under the radar—a reminder that the most dangerous threats don’t always announce themselves.

Its use of encrypted binaries and stealthy movement demonstrates how ransomware is evolving beyond brute-force disruption.

The best defence is layered, adaptive, and informed. STORM Guidance is here to help your business stay a step ahead, respond with control, and come back stronger.

Immediate Response Available

If you’re under attack, contact STORM Guidance now.