Microsoft, the prominent American technology giant, has issued a cautionary alert regarding the proliferation of Cactus ransomware attacks disguised as the Danabot malvertising campaign. The primary goal of this malicious activity is to pilfer sensitive information, including credentials, or serve as a conduit for injecting additional harmful payloads.
The hacking group identified as Storm 0216 (UNC2198/Twisted Spider), previously associated with the dissemination of Qakbot malware, has now been identified as participating in the propagation of the DanaBot Trojan, ultimately leading to the deployment of Cactus Ransomware.
In November of this year, DanaBot was detected infecting online users in Australia and Poland and has since expanded its reach to Italy and neighboring nations, according to research conducted by Cybaze ZLab.
Interestingly, the revelation of DanaBOT aligns with the discovery by security researchers that another cybercriminal group, Artic Wolf, is spreading Cactus ransomware by exploiting a critical vulnerability in the Qlik Business Analytics platform, widely utilized in the corporate realm.
The Microsoft Threat Intelligence teams are actively monitoring cyber threats and their impact on end-users, particularly those using the Windows 11 operating system.
Meanwhile, the Cactus criminals have been operating in the shadows since March 2023, demonstrating a proficiency in exploiting vulnerabilities in VPN appliances. Once infiltrating a connected network, the malware adeptly transforms itself to elude detection by threat monitoring solutions. Unlike some of its counterparts like LockBit, Cactus ransomware typically demands a ransom amount ranging from $1 million to $3 million, rather than reaching into the double-digit millions.