Watch out, there's a new malvertising scheme spreading dangerous ransomware

"The current Danabot campaign, first observed in November, appears to be using a private version of the info-stealing malware instead of the malware-as-a-service offering," the company explained. DanaBot offered hands-on keyboard activity to its partners, it was added.

Encrypting itself

Once the Storm-1044 group steals the necessary login credentials, they would move laterally across the network and throughout endpoints via RDP sign-in attempts. After initial access had been established, the group would hand it over to Twisted Spider, who would then infect the endpoints with the CACTUS ransomware.

It seems that CACTUS is quickly becoming the go-to choice for many ransomware operators. Last week, researchers from Arctic Wolf warned that hackers abused three vulnerabilities in the Qlik Sense data analytics solution to deploy this particular variant and steal sensitive company data. 

In May, Kroll’s researchers discovered that the ransomware had a unique method of evading cybersecurity protections: “CACTUS essentially encrypts itself, making it harder to detect and helping it evade antivirus and network monitoring tools,” Laurie Iacono, Associate Managing Director for Cyber Risk at Kroll, told Bleeping Computer.

Cactus is a relatively new entrant in the ransomware game, first being spotted in March this year. It has the usual modus operandi, stealing sensitive data and encrypting systems, to later demand payment in cryptocurrency in exchange for the decryption key and for keeping the data private.

More from TechRadar Pro

• Networks breached after ransomware slips past Qlik Sense security flaws
• Here's a list of the best malware removal software today
• These are the best endpoint protection tools right now