NCC Group's Fox-IT Helps Identify Potential Cactus Ransomware Victims Alongside Other Project Melissa Partners

01 May 2024

The effectiveness of the public-private partnership dubbed Project Melissa is increasingly evident. This coalition, which includes Fox-IT (part of NCC Group), has identified overlap in a specific ransomware tactic used by the so-called Cactus threat group.

Multiple partners shared information from incident response engagements for their clients and found that the Cactus ransomware group has been exploiting the popular data visualization and business intelligence tool Qlik Sense to gain initial access.

Following that discovery, NCC Group's Fox-IT developed a fingerprinting technique to identify which servers worldwide are vulnerable to this attack route or, even more critically, which systems are already compromised.

Our experts from this team have published a research blog post, adding to a series on the Cactus ransomware group written jointly by various Dutch cyber security firms. To view all of the articles, see the central post by the Dutch special interest group Cyberveilig Nederland.

About the Cactus ransomware campaign

Since November 2023, the Cactus ransomware group has been actively targeting vulnerable Qlik Sense servers. These attacks are not just about exploiting software vulnerabilities; they also involve a psychological component where Cactus misleads its victims with fabricated stories about the breach.

This is likely part of their strategy to obscure their actual method of entry, which complicates mitigation and response efforts for the affected organizations.

Please visit Fox-IT's technical blog site to read the full write-up: Sifting through the spines: Identifying (potential) Cactus ransomware victims