Ransomware Operation · 💰 Financial

cactus

261 victims · 1 alias

Intelligence Profile

The CACTUS ransomware is said to have emerged around March 2023. The group became known for exploiting vulnerabilities to gain initial access and maintain a presence within the organization's infrastructure.

Little is known about the ransomware group beyond its emergence on the mentioned date and its post-encryption behaviour: following encryption, a text file named 'cAcTuS.readme.txt' is created, and encrypted files are renamed with the '.cts1' extension. Data exfiltration and victim extortion were conducted through the messaging service known as Tox.

Source: https://github.com/crocodyli/ThreatActors-TTPs
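The two host artifacts named above (the 'cAcTuS.readme.txt' note and the '.cts1' extension) are the kind of indicators a responder can sweep a file share or endpoint image for. The following triage script is an added example written for this profile, not code from the page's sources; the detection threshold and the sample paths are constructed assumptions.

```python
import os
from pathlib import PurePath

# Indicators taken from the profile above; names are compared case-insensitively.
RANSOM_NOTE = "cactus.readme.txt"   # page spells it 'cAcTuS.readme.txt'
ENCRYPTED_EXT = ".cts1"


def scan_paths(paths, threshold=5):
    """Classify an iterable of file paths and summarise CACTUS artifacts.

    Returns a dict with the ransom notes found, the files carrying the
    encrypted-file extension, the directories touched, and a 'suspicious'
    flag that is set when a note is present or the count of renamed files
    reaches `threshold` (an assumed value, tune per environment).
    """
    notes, encrypted, dirs = [], [], set()
    for p in paths:
        name = PurePath(p).name.lower()
        if name == RANSOM_NOTE:
            notes.append(p)
            dirs.add(str(PurePath(p).parent))
        elif name.endswith(ENCRYPTED_EXT):
            encrypted.append(p)
            dirs.add(str(PurePath(p).parent))
    return {
        "ransom_notes": notes,
        "encrypted_files": encrypted,
        "affected_dirs": sorted(dirs),
        "suspicious": bool(notes) or len(encrypted) >= threshold,
    }


def scan_tree(root, threshold=5):
    """Walk a directory tree (e.g. a mounted image) and run scan_paths on it."""
    paths = (os.path.join(d, f) for d, _, files in os.walk(root) for f in files)
    return scan_paths(paths, threshold)


# Constructed sample listing, not data from a real incident.
SAMPLE_PATHS = [
    "/srv/share/finance/q1.xlsx.cts1",
    "/srv/share/finance/q2.xlsx.cts1",
    "/srv/share/finance/cAcTuS.readme.txt",
    "/srv/share/hr/handbook.pdf",
    "/srv/share/hr/notes.txt",
]

if __name__ == "__main__":
    print(scan_paths(SAMPLE_PATHS))
```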

Threat Analysis

cactus is a ransomware operation that deploys encryption-based extortion against organizations globally. This group maintains a data leak site (DLS) to pressure victims into paying ransom demands.

Financially motivated threat actors like cactus prioritize monetary gain through methods such as ransomware deployment, banking trojans, cryptocurrency theft, BEC scams, or credential harvesting for resale on underground markets.

Ransomware Victims (261)

CTIWATCH tracks 261 organizations claimed as victims by cactus on its data leak site, with attack dates, sectors and countries.



Quick Facts

Type: Ransomware Operation
Motivation: 💰 financial
Aliases: 1

Also Known As

cactus

DLS Infrastructure

○ OFFLINE: cactusbloguuodvqjmnzlwetjlpj6aggc6iocwhuupb47laukux7ckid.onion
○ OFFLINE: cactus5dqnqkppa5ayckiyk6dttpqwczdqphv5mxh4dkk5ct544q5aad.onion
○ OFFLINE: vhfd5qagh6j7qbisjqvly7eejqbv6z5bv77v6yuhctn77wmd3hjkyvad.onion
○ OFFLINE: acfckf3l6l7v2tsnedfx222a4og63zt6dmvheqbvsd72hkhaqadrrsad.onion
○ OFFLINE: 6wuivqgrv2g7brcwhjw5co3vligiqowpumzkcyebku7i2busrvlxnzid.onion


Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.