Microsoft has warned of a fresh wave of CACTUS ransomware attacks that begin with malvertising and use the DanaBot malware as the initial access vector.
The Microsoft Threat Intelligence team has uncovered that DanaBot infections pave the way for intrusive activities by ransomware operator Storm-0216, also known as Twisted Spider or UNC2198. These actions culminate in the unleashing of the malicious CACTUS ransomware, escalating concerns within the cybersecurity landscape.
DanaBot, tracked by Microsoft as Storm-1044, is a multi-purpose tool in the mould of Emotet, TrickBot, QakBot, and IcedID, functioning both as an information stealer and as an entry point for follow-on payloads. UNC2198 was previously linked by Google-owned Mandiant, in reporting from February 2021, to the deployment of ransomware families such as Maze and Egregor via IcedID infections.
Microsoft's findings indicate the threat actor previously relied on initial access provided by QakBot infections; the switch to DanaBot likely follows the coordinated law enforcement operation in August 2023 that dismantled QakBot's infrastructure.
Highlighting a notable shift, Microsoft notes the current DanaBot campaign observed since November utilizes a private version of the information-stealing malware instead of the typical malware-as-a-service approach. Credentials harvested by this malware are funneled to a server controlled by the actor, enabling lateral movement via Remote Desktop Protocol (RDP) sign-in attempts, ultimately granting access to Storm-0216.
This revelation follows closely on the heels of Arctic Wolf’s disclosure about another wave of CACTUS ransomware attacks exploiting critical vulnerabilities in the Qlik Sense data analytics platform, amplifying the vulnerability of corporate networks.
In a parallel development, a new strain of macOS ransomware named Turtle has emerged. Written in the Go programming language and signed with an ad hoc signature, the sample does not pass Gatekeeper checks and is blocked from executing on launch, but its appearance marks a new challenge for Apple's security measures.
To blunt CACTUS ransomware attacks that start with DanaBot malvertising, organizations must harden their defenses. Regular updating and patching of systems, particularly against known vulnerabilities abused by malware such as DanaBot, remains essential. Enforcing multi-factor authentication (MFA) and restricting Remote Desktop Protocol (RDP) access help thwart the lateral movement attempts described above. As ransomware tactics evolve, continuous adaptation and proactive defense mechanisms are pivotal in safeguarding against the shifting CACTUS ransomware threat.
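The attack chain above hinges on harvested credentials being reused in RDP sign-in attempts across the network, and the mitigation advice hinges on restricting RDP. As an added, defender-side illustration (this is not code from Microsoft's report, from the article, or from any vendor), the following Python runs two detections over constructed Windows Security log records: a "fan-out" check that flags a source address whose successful RDP logons (Event ID 4624, logon type 10) reach several distinct hosts inside a short window, and a "spray then success" check that flags an account whose successful RDP logon follows a burst of failures (Event ID 4625). The sample events, the field names used for the records, and the thresholds are assumptions chosen for the demonstration.

```python
"""Detect lateral-movement-shaped RDP sign-in activity in Windows Security events.

Added example for illustration only. The records below are constructed and
mimic the fields of Windows Security log entries: Event ID 4624 (logon
succeeded), 4625 (logon failed), LogonType 10 (RemoteInteractive, i.e. RDP).
"""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10  # RemoteInteractive logon, the type RDP sessions produce

# Constructed sample events (not real telemetry). Field names are assumptions
# modelled on the Windows Security log; 10.0.1.5 is benign admin activity,
# 10.0.5.17 hops across three hosts, 10.0.5.22 sprays then succeeds.
SAMPLE_EVENTS = [
    {"EventID": 4625, "LogonType": 10, "TargetUserName": "admin", "IpAddress": "10.0.1.5", "Computer": "WS01", "Time": "2023-11-20T08:59:50"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "admin", "IpAddress": "10.0.1.5", "Computer": "WS01", "Time": "2023-11-20T09:00:00"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "jdoe", "IpAddress": "10.0.5.17", "Computer": "FS01", "Time": "2023-11-20T09:02:10"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "jdoe", "IpAddress": "10.0.5.17", "Computer": "DC01", "Time": "2023-11-20T09:05:00"},  # network logon, not RDP
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "jdoe", "IpAddress": "10.0.5.17", "Computer": "APP02", "Time": "2023-11-20T09:07:45"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "jdoe", "IpAddress": "10.0.5.17", "Computer": "HR-WS07", "Time": "2023-11-20T09:09:12"},
    {"EventID": 4625, "LogonType": 10, "TargetUserName": "svc_backup", "IpAddress": "10.0.5.22", "Computer": "DB01", "Time": "2023-11-20T09:10:00"},
    {"EventID": 4625, "LogonType": 10, "TargetUserName": "svc_backup", "IpAddress": "10.0.5.22", "Computer": "DB01", "Time": "2023-11-20T09:10:08"},
    {"EventID": 4625, "LogonType": 10, "TargetUserName": "svc_backup", "IpAddress": "10.0.5.22", "Computer": "DB01", "Time": "2023-11-20T09:10:15"},
    {"EventID": 4625, "LogonType": 10, "TargetUserName": "svc_backup", "IpAddress": "10.0.5.22", "Computer": "DB01", "Time": "2023-11-20T09:10:23"},
    {"EventID": 4625, "LogonType": 10, "TargetUserName": "svc_backup", "IpAddress": "10.0.5.22", "Computer": "DB01", "Time": "2023-11-20T09:10:31"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "svc_backup", "IpAddress": "10.0.5.22", "Computer": "DB01", "Time": "2023-11-20T09:11:05"},
]


def parse_time(value):
    """ISO-8601 timestamp string to datetime."""
    return datetime.fromisoformat(value)


def rdp_events(events):
    """Keep only RDP (logon type 10) success/failure events, oldest first."""
    return sorted(
        (e for e in events if e["LogonType"] == RDP_LOGON_TYPE and e["EventID"] in (4624, 4625)),
        key=lambda e: e["Time"],
    )


def fan_out_alerts(events, window=timedelta(minutes=10), min_hosts=3):
    """Map source IP -> sorted list of hosts when that IP opened successful RDP
    sessions to at least min_hosts distinct hosts within one sliding window.
    Hopping from one foothold to many hosts is the shape of lateral movement."""
    by_source = defaultdict(list)
    for e in rdp_events(events):
        if e["EventID"] == 4624:
            by_source[e["IpAddress"]].append((parse_time(e["Time"]), e["Computer"]))
    alerts = {}
    for src, logons in by_source.items():
        for i, (start, _) in enumerate(logons):
            hosts = {host for t, host in logons[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                alerts[src] = sorted(hosts)
                break
    return alerts


def spray_then_success_alerts(events, window=timedelta(minutes=10), min_failures=5):
    """List (source IP, account) pairs whose successful RDP logon follows at
    least min_failures failed RDP logons for the same pair inside the window,
    the pattern of guessed or partially stale harvested credentials."""
    failures = defaultdict(list)
    alerts = []
    for e in rdp_events(events):
        key = (e["IpAddress"], e["TargetUserName"])
        t = parse_time(e["Time"])
        if e["EventID"] == 4625:
            failures[key].append(t)
            continue
        recent = [f for f in failures[key] if t - f <= window]
        if len(recent) >= min_failures and key not in alerts:
            alerts.append(key)
    return alerts


if __name__ == "__main__":
    print("fan-out:", fan_out_alerts(SAMPLE_EVENTS))
    print("spray then success:", spray_then_success_alerts(SAMPLE_EVENTS))
```

In practice the records would come from a SIEM or from `Get-WinEvent` exports rather than an inline list, and the window and host thresholds should be tuned to the environment: jump hosts and administrators legitimately fan out, so the source-IP allowlist for those is the first thing to add before alerting on `fan_out_alerts`.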