CACTUS

The Cactus ransomware operation targets large companies in pursuit of substantial ransom payments. It gains entry by exploiting VPN vulnerabilities, then steals data and encrypts files. The encryptor has three modes of operation selected through command-line switches: setup, read configuration, and encryption. Once inside, the operators use tools such as SoftPerfect Network Scanner to identify targets and credentials, uninstall antivirus software, exfiltrate data to cloud storage, and then encrypt. Ransoms are rumoured to be in the millions, but no leak site has been set up yet. Mitigation involves security software with 24/7 threat monitoring, ransomware protection, vulnerability scanning, and advanced threat defence.
© All Rights Reserved


ANOTHER RISING CONCERN: (NEW CACTUS RANSOMWARE)


The Cactus ransomware attack is a recent and advanced ransomware operation that specifically
targets large companies in pursuit of substantial ransom payments. It gains entry into these
companies' networks by exploiting vulnerabilities in their Virtual Private Network (VPN)
appliances, and then follows the typical ransomware playbook of stealing data and encrypting files.
In all known instances, the attacker used a VPN service account to access the VPN server and
launch the attack. Cactus sets itself apart from other ransomware by encrypting its own binary:
the encryptor is downloaded inside an archive, extracted by a batch script, and launched with a
specific flag so that it runs even after the original archive has been deleted. This unusual
process is most likely intended to prevent the ransomware encryptor from being detected.
The Cactus encryptor has three main modes of operation, selected by command-line switches:
setup (-s), read configuration (-r), and encryption (-i). The -s and -r arguments let the threat
actors set up persistence and store data in a file at C:\ProgramData\ntuser.dat, which the
encryptor reads when it is launched with the -r parameter. The key required to decrypt the
public RSA key used for file encryption and the ransomware's configuration file is hardcoded
into the encryptor binary as a HEX string.

SOURCE: @bleepingcomputer.com

Decoding the HEX string yields an encrypted blob; unlocking it requires an AES key that only the
attackers know, and file encryption cannot succeed without it. Running the program with the
correct key for the -i (encryption) parameter unlocks that data and lets the malware search for
files and begin a multi-threaded encryption process.
The image below, provided by Kroll, explains the Cactus binary execution process for each
selected parameter.
SOURCE: @www.kroll.com
WHAT HAPPENS AFTER GAINING ACCESS?

- Once access to the network has been obtained, the threat actor uses an SSH backdoor that is
reachable from the command and control (C2) server, together with a scheduled task, for
persistent access.
- It uses the SoftPerfect Network Scanner (netscan) to search the network for interesting
targets. The attacker also uses PowerShell commands to ping remote hosts, enumerate
endpoints, and identify user accounts by looking at successful logons in the Windows
Event Viewer.
- Cactus relies on a variety of remote access methods through legitimate programs (such as
Splashtop, AnyDesk, and SuperOps RMM), as well as Cobalt Strike and the Go-based
tunnelling tool Chisel, to run the many tools the attack needs.
- The operators then execute a batch script that uninstalls common antivirus software.
- The victim's data is then stolen: throughout this phase the threat actors transfer files
directly to cloud storage using the Rclone program.
- Following the data theft, the attackers automate deployment of the encryptor with a
PowerShell script called TotalExec, which is also frequently used in Black Basta
ransomware attacks.
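The persistence and configuration behaviour described earlier (the -s/-r/-i switches and the C:\ProgramData\ntuser.dat file) and the post-access tool chain in the list above give a defender several concrete things to look for. The script below is an added example, not code from the original write-up, from Kroll or from BleepingComputer: it runs a handful of indicator rules over constructed, Sysmon-style process-creation (event ID 1) and file-creation (event ID 11) records and correlates the hits per host. The event format, the host and file names, the tool binaries matched (netscan.exe, chisel.exe, rclone.exe) and the assumption that the key passed to -i appears on the command line as a long hex string are all this example's own assumptions, not documented Cactus indicators.

```python
"""Hunt for a Cactus-style intrusion chain in Sysmon-like event records.

Added example, not the original article's code. Event shape, paths, tool
names and the hex-key assumption for -i are all assumptions for illustration.
"""
import re
from collections import defaultdict

# Assumed: the key handed to the encryptor's -i switch is a long hex string.
HEX_KEY = re.compile(r"^[0-9a-fA-F]{32,}$")
# rclone destinations look like "remote:path"; a drive letter ("D:\") is a single char.
REMOTE_DEST = re.compile(r"(?<![A-Za-z0-9])[A-Za-z0-9_-]{2,}:")
# Recon / tunnelling binaries named in the write-up (file names assumed).
RECON_TOOLS = {"netscan.exe", "chisel.exe"}

# Constructed sample events (not real telemetry). id 1 = process create, id 11 = file create.
KEY = "3f9a7c1e5b2d4a6f8e0c9b7d5a3f1e2c4b6d8a0f2e4c6b8d0a1f3e5c7b9d2a4f"
SAMPLE_EVENTS = [
    {"id": 1, "host": "fs01", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"id": 1, "host": "fs01", "image": r"C:\ProgramData\netscan.exe",
     "cmdline": "netscan.exe /range:10.0.0.1-10.0.255.254"},
    {"id": 11, "host": "fs01", "image": r"C:\ProgramData\update.exe",
     "target": r"C:\ProgramData\ntuser.dat"},
    {"id": 1, "host": "fs01", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks.exe /create /tn "Updates" /tr "C:\\ProgramData\\update.exe -r" /sc onstart'},
    {"id": 1, "host": "fs01", "image": r"C:\Users\svc_vpn\rclone.exe",
     "cmdline": r"rclone.exe copy D:\Finance remote:backup --transfers 32"},
    {"id": 1, "host": "fs01", "image": r"C:\ProgramData\update.exe",
     "cmdline": "update.exe -i " + KEY},
    # Benign noise: python's own -i switch, and a real profile hive under C:\Users.
    {"id": 1, "host": "ws07", "image": r"C:\Python311\python.exe",
     "cmdline": "python.exe -i script.py"},
    {"id": 11, "host": "ws07", "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\alice\ntuser.dat"},
]


def basename(path):
    """Last path component, lower-cased, for Windows paths."""
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return the names of the indicator rules a single event satisfies."""
    hits = []
    # ntuser.dat normally lives in a user profile, never directly under ProgramData.
    if ev["id"] == 11 and ev.get("target", "").lower() == r"c:\programdata\ntuser.dat":
        hits.append("ntuser_in_programdata")
    if ev["id"] == 1:
        img = basename(ev["image"])
        cmd = ev["cmdline"]
        toks = cmd.split()
        if img in RECON_TOOLS:
            hits.append("recon_tool")
        # Scheduled task whose action ends in the "-r" (read configuration) switch.
        if img == "schtasks.exe" and "/create" in cmd.lower() and re.search(r'/tr\s+"[^"]*\s-r"', cmd):
            hits.append("schtasks_read_config")
        # "-i <long hex>" : the encryption mode with its key on the command line (assumed shape).
        for a, b in zip(toks, toks[1:]):
            if a == "-i" and HEX_KEY.match(b):
                hits.append("encryptor_key_on_cmdline")
                break
        # rclone pushing to a configured remote rather than a local drive.
        if img == "rclone.exe" and REMOTE_DEST.search(cmd):
            hits.append("rclone_exfil")
    return hits


def hunt(events):
    """Aggregate the distinct rule hits per host across an event stream."""
    per_host = defaultdict(set)
    for ev in events:
        for rule in check_event(ev):
            per_host[ev["host"]].add(rule)
    return dict(per_host)


def likely_cactus_chain(per_host, min_rules=2):
    """Hosts showing at least min_rules distinct stages; one hit alone is weak evidence."""
    return sorted(h for h, rules in per_host.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for host in likely_cactus_chain(found):
        print(host, sorted(found[host]))
```

Any single rule here is weak on its own: -i is a common switch, and rclone and netscan have legitimate administrative uses. That is why the verdict requires at least two distinct stages on the same host; the tool list and paths should be tuned to what is normal in your own environment.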

SOURCE: @www.kroll.com
CACTUS OPERATIONS TTP

The ransoms that Cactus demands from its victims are currently unknown to the general
public, but they are rumoured to be in the millions.
Even though they steal data from victims, the attackers do not appear to have set up a
leak site as other double-extortion ransomware operations have. These threat actors have
yet to create a dedicated website for leaking exfiltrated data. However, the ransom note
explicitly threatens to publish the stolen documents if the victim does not pay, as shown
in the image below:

MITIGATION STEPS AGAINST RANSOMWARE ATTACKS (USING SOFTWARE SOLUTIONS) WITH KEY FEATURES
SUCH AS:

- Monitoring and protection, 24 hours a day, seven days a week, against ransomware, viruses,
Trojan horses, worms, zero-day exploits, spyware, rootkits, and other online threats.
- Protection of your documents against ransomware through a multi-layer protection module.
- Vulnerability assessment technology that scans your systems for security weaknesses and
suggests the best fix.
- An advanced threat defence module that closely monitors running applications and acts
immediately when it notices suspicious activity.
