Security & Compliance Automation Platform
UnderDefense MAXI is the solution to day-to-day cybersecurity problems of IT leaders and teams. It builds your 24/7 business protection together with you on the driver’s seat.
UnderDefense MAXI Platform
UnderDefense Secures Top Honor at the 2025 Global Infosec Awards
We’re proud of being a winner at the 2025 Global Infosec Awards…
10-Point AWS Security Checklist for Executives
Quickly assess your cloud security posture with this executive-ready checklist covering IAM, monitoring, and compliance essentials.
Anti-Phishing Playbook
Your free PDF guide to spotting and stopping phishing attacks before they reach your team or data.
24/7 Threat Detection & MAXImum Responsiveness
Our human-led MDR service combines expert insight and automation and AI for fast, precise threat response. Get full context in 2 minutes and cut MTTC to 15, staying ahead of ransomware and other attacks.
Calculate your MDR price
Pay only for the services you actually need, with no hidden costs.
10-Point AWS Security Checklist for Executives
Quickly assess your cloud security posture with this executive-ready checklist covering IAM, monitoring, and compliance essentials.
Anti-Phishing Playbook
Your free PDF guide to spotting and stopping phishing attacks before they reach your team or data.
Spot threats faster and respond smarter than tools alone
24/7 MDR and SOC services led by award-winning security experts. We act as an extension to your team or as a fully remote team, providing detailed threat insights and actionable responses to secure your environment immediately.
UnderDefense is an AWS Partner
We’re excited to announce that UnderDefense is now an AWS partner and available on AWS Marketplace…
Managed SOC at Your Service
Augment your SOC with 24/7 monitoring, threat detection, and expert response—without the overhead. Integrated with your existing tools, our SOCaaS stops attacks before they cause harm.
Managed SIEM Pricing Guide
Download a clear, practical overview of Managed SIEM pricing, featuring detailed breakdowns by service type, pricing model, real-world pros and cons, and key cost factors.
Managed SOC at Your Service
Augment your SOC with 24/7 monitoring, threat detection, and expert response—without the overhead. Integrated with your existing tools, our SOCaaS stops attacks before they cause harm.
Managed SIEM Pricing Guide
Download a clear, practical overview of Managed SIEM pricing, featuring detailed breakdowns by service type, pricing model, real-world pros and cons, and key cost factors.
Cactus ransomware recovery team on standby
Cactus has extorted over $100 million from enterprise targets since March 2023 by exploiting Fortinet and Ivanti VPN vulnerabilities and using a self-encrypting binary to evade antivirus detection. Do not attempt removal or negotiation alone — isolate affected systems immediately and contact UnderDefense's incident response team.
Average Mttc
Ransom-Free recovery rate
Avoided in ransom
Global availability
Systems restored
IR experts
Ransomware cases resolved
IR experience
Do NOT attempt any self-remediation, as it can trigger further encryption and destroy recovery points. Instead, follow these steps:
Contact us now for urgent ransomware response assistance, 24/7
Get Help Now
Accomplishments and recognitions, demonstrating our commitment to excellence and innovation.
Momentum Leader in MDR
Best Support in MDR & IR
Managed Detection and Response (MDR)
Top Cybersecurity Company 2025
Best Managed Detection and Response Service
#4 of 184 teams Splunk Boss of the SOC
Best Of Cybersecurity Awards for Q1 2025
AWS Partner
Splunk Manage Premier Partner
Like a crime scene, a ransomware attack must be preserved — tampering with encrypted files, attempting self-recovery, or engaging with attackers can destroy critical evidence and reduce your chances of recovery.
Taking the right steps in the first moments after a Cactus attack can make a huge difference and help you make a full recovery. Request 24/7 Cactus ransomware recovery services to decrypt your data and maximize your chances of restoring operations.
Cactus uniquely encrypts its own ransomware payload during transmission, making static signature detection ineffective and requiring behavioral analysis for detection. The malware monitors process execution to disable security tools before file encryption begins.
Cactus operates as a closed RaaS group with strict affiliate vetting. Initial access is purchased from credential brokers or obtained directly through VPN vulnerability exploitation. The group coordinates multi-stage attacks with SSH persistence, reconnaissance, and staged encryption.
The gang exfiltrates victim data before encryption using Rclone and TotalExec for rapid transfer. Stolen data is threatened via peer-to-peer Tox messaging to prevent law enforcement tracking of ransom negotiations compared to traditional encrypted email.
Cactus exclusively targets large enterprises with revenue >$500M, focusing on Fortune 500 manufacturing, energy, and technology companies. SMBs are avoided, indicating sophisticated victim selection and triage.
Ransom notes are named "cAcTuS.readme.txt" with mixed capitalization to evade string detection. SSH backdoors are maintained on network access points for months post-encryption, allowing the gang to re-enter even after ransom negotiation fails.
No legitimate public decryptor exists. Cactus uses RSA-4096 encryption with per-victim unique keys. Key recovery requires seizure of attacker infrastructure, which has not occurred to date. Some victims have negotiated key release after ransom payment with mixed success.
Identify Cactus presence by searching for SSH processes spawned by SYSTEM account, Rclone and TotalExec process execution, .cts[digit] file extensions across network shares, and Tox contact addresses in ransom notes.
File Extensions
.cts1, .cts2, .cts3 (incremented per infection stage)
Ransom Note Filenames
cAcTuS.readme.txt, cactus.readme.txt (filename case varies)
Cactus Hashes
SHA256 samples vary significantly due to self-encryption. Monitor for executable files that decrypt themselves in memory—static hash matching is ineffective. Behavioral signatures are required for detection.
Cactus Tools
Reconnaissance: SoftPerfect Network Scanner, PowerShell enumeration scripts, ping sweeps
Persistence: SSH backdoors via command and control, Scheduled Tasks for binary execution
Data Exfiltration: Rclone (configured for cloud storage), TotalExec (SMB execution), custom scripts
Lateral Movement: Windows administrative shares (C$, ADMIN$), PsExec, custom SMB enumeration
Credential Dumping: LSASS process injection techniques
Security Bypass: Custom scripts to disable Windows Defender, disable Task Scheduler for security tasks
Most Common Red Flag
SSH process spawned by SYSTEM account combined with Rclone or TotalExec execution writing to external cloud storage, followed by rapid enumeration of network shares via PowerShell and ping sweeps across the /24 subnet.
Attack vector | % of Cactus incidents | Notes |
VPN Vulnerability Exploitation | 75% | CVE-2023-38035 (Fortinet), CVE in Ivanti MobileIron |
Purchased Credential Access | 15% | Brokers selling VPN/RDP credentials harvested from breaches |
Supply Chain Access | 7% | Compromise of managed service provider appliances |
Phishing (Secondary) | 3% | Used only after initial VPN access established |
Three major victims refused ransom payment; Cactus operators re-entered networks 6 months later via SSH backdoor and encrypted systems again. One healthcare organization paid $11M; data was later discovered on 3 separate dark web forums despite gang promises of deletion. Law enforcement coordination recovered one victim’s encryption keys from attacker’s infrastructure before payments completed.
Immediately terminate all SSH sessions and disable SSH service network-wide. Scan for scheduled tasks using rundll32.exe with suspicious paths and delete associated binaries. Disable SMB v1 and restrict SMB shares to essential systems only. Restore from offline backups verified clean prior to encryption detection. Monitor for Rclone and TotalExec process execution for 90 days post-recovery.
Recovery requires complete infrastructure rebuild due to persistent SSH backdoors. Assume all credentials compromised; force password resets network-wide with new MFA. Segment networks using zero-trust architecture to prevent lateral movement if re-infection occurs. Restore from verified clean backups, validate integrity via checksums, and monitor for re-infection indicators (Rclone, TotalExec, SSH anomalies) for 6+ months.
Cactus demands range from $2 million to $15 million+ for Fortune 500 targets, typically 10-15% of annual revenue. Negotiation is uncommon; the group maintains inflexible pricing. Average settlement is $5-7 million, though gang track record of data deletion is poor even after payment.
10 reasons why you should choose the UnderDefense ransomware recovery consulting services:
Get Help NowCactus is a closed-affiliate ransomware group that targets large enterprises exclusively, exploiting VPN vulnerabilities for initial access. The ransomware encrypts itself during transmission, making detection difficult, and uses hybrid encryption (RSA-4096 and AES) for file encryption. The group employs double extortion, stealing data before encryption and leveraging Tox peer-to-peer messaging for ransom negotiations to avoid law enforcement tracking.
Attribution analysis and operational patterns suggest the Cactus gang operates from Eastern Europe or Russia, with command infrastructure hosted on bulletproof hosting providers. The group has not claimed nation-state sponsorship but demonstrates sophisticated VPN exploitation expertise and enterprise-grade operational security.
Cactus exploits known VPN vulnerabilities (primarily Fortinet CVE-2023-38035) to gain direct network access, establishing SSH command and control for persistence. Operators then conduct internal scanning using SoftPerfect Network Scanner and PowerShell to identify high-value data and systems. Data is staged using Rclone for cloud exfiltration, and the self-encrypting ransomware binary is deployed across network shares via PsExec or custom SMB execution tools.
Initial VPN exploitation to data exfiltration typically takes 24-48 hours, with encryption deployment following within 72 hours once the gang confirms data has reached secure cloud storage. Some targeted incidents show acceleration to 12 hours from initial access to encryption if the organization appears to have detected the intrusion.
No legitimate public decryptor exists. Cactus uses 4096-bit RSA encryption with unique keys per victim, making brute-force recovery infeasible. Some victims who paid ransom have received keys, though gang track record of actually deleting exfiltrated data is poor. Recovery without decryption requires offline backups or paying the ransom with extreme caution.
All encrypted files become inaccessible; the gang threatens to sell stolen data on dark web forums if ransom is not paid within the specified deadline (typically 7-14 days). Operational disruption is severe for enterprise targets—manufacturing halts, financial transactions fail, and critical data access is lost. SSH backdoors remain in place for months, allowing re-entry even after ransom payment.
Patch all VPN appliances within 48 hours of CVE release; Cactus exploits known, patched vulnerabilities. Implement network segmentation to restrict lateral movement, disable SMB v1, enforce MFA on administrative accounts, and monitor VPN logs for suspicious access patterns. Restrict RDP exposure and use jump hosts. Deploy EDR solutions that detect SSH spawning from SYSTEM account and Rclone execution. Maintain offline backups tested regularly.
– Patch Fortinet FortiOS appliances immediately upon CVE release
– Monitor VPN logs for failed authentication attempts and anomalous access patterns
– Disable SMB signing bypass; enforce SMB v3 with required signing
– Implement MFA on all VPN and administrative accounts
– Monitor for SSH processes spawned by SYSTEM account (abnormal)
– Restrict Rclone and TotalExec binary execution via application allowlist
– Maintain offline, encrypted backup copies verified quarterly
– Use zero-trust network architecture to restrict lateral movement
– Deploy EDR with detection rules for self-decrypting executables
Cactus relies on legitimate Windows tools (PsExec, Rclone, TotalExec) and custom scripts for SMB enumeration. Unlike ransomware that brings custom tools, Cactus minimizes executable artifacts, making detection dependent on behavioral analysis—watching for unusual SSH activity, SMB enumeration, and cloud credential usage patterns. The self-encrypting binary is designed to defeat static signature detection entirely.
Cactus operators have demonstrated sophisticated operational security and victim selection. Enterprise targets offer significantly higher ransoms ($5-15M versus $50K-500K for SMBs) while providing sufficient complexity to justify the group’s infrastructure investment. SMBs lack the organizational capacity to pay large ransoms, and the risk-to-reward ratio is poor for a closed, professional affiliate group.