
Cyber Threat Actor: Cactus

Actor Type: Criminal
Location: France
Known Incidents: 4
Profile

Cactus is a ransomware threat actor operating under a single known alias. The group has demonstrated a pattern of targeting large organizations across multiple sectors, including media, logistics, retail, education, and business services, with primary operations focused on financial gain through data compromise and extortion. Their campaigns have impacted entities in the United States, Sweden, France, the Netherlands, Belgium, and Spain, indicating a transnational operational scope. Cactus employs ransomware to encrypt systems and exfiltrates sensitive data, using the stolen information as coercive leverage. The group publicly claimed responsibility for breaching Urban One, a prominent African American media conglomerate, compromising employee financial records and tax documents.

Cactus utilizes socially engineered initial access vectors and aggressive network scanning techniques to infiltrate targets, deploying heavily disguised malware to evade detection. The threat actor systematically isolates and exfiltrates personal and financial data, including names, contact details, banking information, and national identification numbers. Following the Synertrade breach, Cactus demonstrated GDPR-aware data filtering by exfiltrating only non-sensitive information from certain targets, suggesting adaptability to regional data protection landscapes. The group’s attack on Iddink Learning Materials compromised 300,000 student and parent records across three European countries, highlighting their focus on high-yield educational sector targets. Cactus maintains consistent post-breach behaviors: isolating compromised systems, avoiding ransom negotiations in confirmed incidents, and monitoring dark web channels for potential data leaks. Law enforcement and cybersecurity agencies across multiple jurisdictions have been engaged in responding to their operations.

Incidents
4 incidents
Sources
0 sources