Threat Intelligence Tarot
Vol. II · 139
Criminal
risk 4/5
The Self-Encrypting Thorn
Cactus
Cactus Ransomware
Large enterprises · Manufacturing · Critical infrastructure · VPN-edge organizations
Active since ~2023 · Extortion, Financial gain
The Self-Encrypting Thorn arrives wrapped in its own scarred skin — the binary decrypts only at runtime, when the static analyst has already shrugged and moved on. By the time the file is recognizable, the files it touches are not.
Tactics & Techniques
Tactic phases: RCN · RDV · INI · EXC · PRS · PRV · EVA · CRD · DSC · LAT · COL · C2 · EXF · IMP
  • T1190 Exploit Public-Facing Application (Initial Access)
  • T1486 Data Encrypted for Impact (Impact)
  • T1059.001 PowerShell (Execution)
  • T1078 Valid Accounts (Persistence)
  • T1490 Inhibit System Recovery (Impact)
  • T1567.002 Exfiltration to Cloud Storage (Exfiltration)
Notable Operations
  • Qlik Sense vulnerability exploitation as initial access (2023)
  • Fortinet VPN edge exploitation campaigns
  • Self-decrypting payload technique to evade static AV
  • Schneider Electric Sustainability Business division breach (January 2024)
Defenses
  • Behavioral EDR rules for mass cryptographic file modification (MITRE D3FEND)
  • VPN edge device firmware updates within CISA-mandated SLAs (CISA BOD 22-01)
  • PowerShell script block logging and execution policy enforcement (CIS Control 8)
  • Network segmentation isolating edge devices from internal directory services (CIS Control 12)
Reversed: Their Weakness
Behavioral EDR detection (cryptography APIs called by unsigned PowerShell, mass file modification anomalies) catches this operator long before signature-based controls would. Defense in depth that does not depend on static analysis wins this fight.
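The two behavioral signals named above (cryptography APIs invoked from unsigned PowerShell, and one process modifying many files in a short window) can be expressed as plain detection logic. The following is an added example written for this profile; it is not code from the original page nor from any EDR vendor. The log records are constructed inline and only loosely mirror PowerShell script block logging (Event ID 4104) and an EDR file-write feed; the `signed` field, the `.locked` extension, and the threshold of 50 files per 60 seconds are assumptions for illustration, not observed Cactus indicators.

```python
"""Behavioral detection sketch for the card's "Reversed" note.

Added example, not from the original page or any product. Records are
constructed sample data, not real telemetry.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Substrings that indicate .NET cryptography use inside a script block.
CRYPTO_API_PATTERNS = [
    r"System\.Security\.Cryptography",
    r"\bAesCryptoServiceProvider\b",
    r"\bRSACryptoServiceProvider\b",
    r"\bCreateEncryptor\b",
]
MASS_MOD_THRESHOLD = 50            # distinct files per process per window (assumed tuning)
WINDOW = timedelta(seconds=60)     # sliding window length (assumed tuning)


@dataclass
class ScriptBlockEvent:
    ts: datetime
    host: str
    signed: bool      # assumed field: whether the script carried a trusted signature
    script: str       # the logged script block text


@dataclass
class FileEvent:
    ts: datetime
    host: str
    pid: int
    image: str
    path: str         # file written or renamed by the process


def crypto_from_unsigned_powershell(events: list[ScriptBlockEvent]) -> list[tuple]:
    """Flag unsigned script blocks that reference cryptography APIs."""
    alerts = []
    for e in events:
        if e.signed:
            continue
        hits = [p for p in CRYPTO_API_PATTERNS if re.search(p, e.script)]
        if hits:
            alerts.append((e.host, e.ts, hits))
    return alerts


def mass_file_modification(events: list[FileEvent],
                           threshold: int = MASS_MOD_THRESHOLD,
                           window: timedelta = WINDOW) -> list[tuple]:
    """Per (host, pid, image), count distinct files touched inside a sliding
    window; emit one alert per process the first time the count reaches
    `threshold`. Returns (host, pid, image, distinct_count, ts) tuples."""
    by_proc: dict[tuple, list[FileEvent]] = defaultdict(list)
    for e in sorted(events, key=lambda x: x.ts):
        by_proc[(e.host, e.pid, e.image)].append(e)

    alerts = []
    for (host, pid, image), evs in by_proc.items():
        in_window: deque[FileEvent] = deque()
        counts: Counter = Counter()
        for e in evs:
            in_window.append(e)
            counts[e.path] += 1
            # Drop events that fell out of the window, keeping counts exact.
            while e.ts - in_window[0].ts > window:
                old = in_window.popleft()
                counts[old.path] -= 1
                if counts[old.path] == 0:
                    del counts[old.path]
            if len(counts) >= threshold:
                alerts.append((host, pid, image, len(counts), e.ts))
                break   # one alert per process is enough for triage
    return alerts


def build_sample_events() -> tuple[list[ScriptBlockEvent], list[FileEvent]]:
    """Constructed sample telemetry: one benign process, one mass-renaming
    process, and three script blocks of which exactly one should alert."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    blocks = [
        ScriptBlockEvent(base, "ws01", True,
                         "Add-Type -AssemblyName System.Security.Cryptography; Get-FileHash x"),
        ScriptBlockEvent(base, "ws01", False,
                         "$aes = New-Object System.Security.Cryptography.AesCryptoServiceProvider"),
        ScriptBlockEvent(base, "ws02", False, "Get-ChildItem C:\\Users | Measure-Object"),
    ]
    files = [FileEvent(base + timedelta(seconds=i), "ws02", 1200, "explorer.exe",
                       f"C:\\Users\\a\\doc{i}.txt") for i in range(5)]
    files += [FileEvent(base + timedelta(milliseconds=100 * i), "ws01", 4321, "powershell.exe",
                        f"C:\\Share\\file{i}.docx.locked") for i in range(60)]
    return blocks, files


if __name__ == "__main__":
    blocks, files = build_sample_events()
    print(crypto_from_unsigned_powershell(blocks))
    print(mass_file_modification(files))
```

Both detectors are deliberately independent of file content or signatures: the first keys on what an unsigned script asks the runtime to do, the second on write rate per process, which is why neither is defeated by a payload that only decrypts itself in memory. In production the threshold and window should be tuned against a baseline of backup and indexing processes that legitimately touch many files.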
Data sourced from MITRE ATT&CK. For educational purposes.