CACTUS actors have announced a ransomware operation against DRM Arby’s, a high-value breach by any measure. Arby’s reports total revenue of around $266 million, and the hackers claim to have exfiltrated 175 GB of data.
The group’s primary method of initial access isn’t unique or groundbreaking, but it is highly effective. By compromising internet-facing VPN services, the hackers gain a foothold inside the victim’s network, and because exposed VPN endpoints are easy to find at scale, the group has an immense pool of potential victims to choose from.
At that point, all they have to do is pick a target and plan the breach. This simple yet effective approach explains not only how CACTUS operators manage to breach high-value targets, but also how they stay under the radar while doing it: access through a legitimate VPN endpoint looks much like ordinary remote work.
In terms of extortion practices, CACTUS sticks to the tried-and-tested double-extortion technique: the hackers steal all the valuable data they can reach, then encrypt the systems. The victim is pressured to pay both for the decryption key and to keep the stolen data from being leaked, which significantly increases the value of the ransom.
There’s no hard data on this, but CACTUS hackers do appear to keep their word when it comes to providing the decryption key. That is standard practice in the ransomware sphere: if they didn’t, nobody would ever pay the ransom.
The same cannot be said of the operators deleting the stolen data. The victim has no way to verify whether the hackers kept that promise, so the only safe assumption is that they haven’t, because that is the norm in the ransomware business.
Most ransomware gangs keep the data, especially when it comes from a high-value target. They can use it for their own benefit later on or sell it to other gangs. Either way, it doesn’t look good for the victim.
The best defensive tactic is to learn how CACTUS operates: the more effort you put into understanding the group’s methods, the better protected you are. Naturally, that’s not a fail-proof method either, so you need a plan B in place in case your defenses fail.
And, as cybersecurity experts advise, plan B is as simple and intuitive as it gets: don’t negotiate with the hackers. First, because negotiating with them, whether or not you decide to pay the ransom, already marks you as a soft target.
The hackers will keep your name on file and either attack you again in the future, sell your information to other gangs, or both. Neither of these outcomes is favorable to you or your company.
The second problem is that paying the ransom or negotiating with the hackers doesn’t guarantee that they will delete the data. And, as history has taught us, they usually don’t.