Microsoft Warns of Malvertising Scheme Spreading CACTUS Ransomware

5 Dec 2023


Microsoft has recently warned of a surge in CACTUS ransomware attacks. The attacks use deceptive advertising (malvertising) to deliver DanaBot, which in turn leads to direct, hands-on intervention by the ransomware group Storm-0216, also known as Twisted Spider or UNC2198, and finally to the deployment of CACTUS ransomware. DanaBot, which Microsoft tracks as Storm-1044, is a multi-purpose malware family in the same mould as Emotet, TrickBot, QakBot, and IcedID: it steals data and serves as a gateway for further malicious payloads.

UNC2198 has been previously noted for using IcedID to spread ransomware like Maze and Egregor, as reported by Google’s Mandiant in February 2021. Microsoft notes that this group has also exploited QakBot infections for initial access. The recent shift to DanaBot may be a response to a law enforcement operation in August 2023 that disrupted QakBot’s network.

The latest DanaBot campaign, observed since November, appears to deploy a private variant of the info-stealing malware. Stolen credentials are exfiltrated to an attacker-controlled server and then used for lateral movement, such as RDP sign-in attempts, before control is eventually handed off to Storm-0216.

This announcement follows Arctic Wolf's disclosure of other CACTUS ransomware attacks that exploit vulnerabilities in Qlik Sense, a data analytics platform, to break into corporate networks. Separately, a new macOS ransomware called Turtle has been discovered; it is written in Go and carries only an ad-hoc signature, which means Gatekeeper protections prevent it from running.