Watch out, there's a new malvertising scheme spreading dangerous ransomware

ransomware avast
(Image credit: Avast)

Cybercriminals known as Twisted Spider (AKA Storm-0216) were observed using the services of Storm-1044, which infected target endpoints with an initial access trojan called DanaBot. Twisted Spider would then use this access to deploy the CACTUS ransomware.

In a Twitter thread, Microsoft security researchers said Storm-0216 was known for leveraging QakBot’s infrastructure for infections, but since law enforcement dismantled this operation last summer, the group was forced to pivot to a different platform. 

"The current Danabot campaign, first observed in November, appears to be using a private version of the info-stealing malware instead of the malware-as-a-service offering," the company explained. DanaBot offered hands-on keyboard activity to its partners, it was added.

Reader Offer: $50 Amazon gift card with demo

Reader Offer: $50 Amazon gift card with demo
Perimeter 81's Malware Protection intercepts threats at the delivery stage to prevent known malware, polymorphic attacks, zero-day exploits, and more. Let your people use the web freely without risking data and network security.

Preferred partner (What does this mean?

Encrypting itself

Once the Storm-1044 group steals the necessary login credentials, they would move laterally across the network and throughout endpoints via RDP sign-in attempts. After initial access had been established, the group would hand it over to Twisted Spider, who would then infect the endpoints with the CACTUS ransomware.

It seems that CACTUS is quickly becoming the go-to choice for many ransomware operators. Last week, researchers from Arctic Wolf warned that hackers abused three vulnerabilities in the Qlik Sense data analytics solution to deploy this particular variant and steal sensitive company data. 

In May, Kroll’s researchers discovered that the ransomware had a unique method of evading cybersecurity protections: “CACTUS essentially encrypts itself, making it harder to detect and helping it evade antivirus and network monitoring tools,” Laurie Iacono, Associate Managing Director for Cyber Risk at Kroll, told Bleeping Computer.

Cactus is a relatively new entrant in the ransomware game, first being spotted in March this year. It has the usual modus operandi, stealing sensitive data and encrypting systems, to later demand payment in cryptocurrency in exchange for the decryption key and for keeping the data private.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.