• Home
  • News
  • Cactus Ransomware Group Adds Four New Victims

Cactus Ransomware Group Adds Four New Victims to Its Dark Web Portal

Miklos Zoltan

By Miklos Zoltan . 7 September 2023

Founder - Privacy Affairs

The Cactus ransomware group has just announced an attack on four new targets on their Dark Web portal. The victims belong to multiple industries, and the attacks may not have a specific goal behind them.


  • The four targets of Cactus are Trimaran Capital Partners, West Craft Manufacturing, TORMAX USA, and Specialized Management Services (SMS)
  • It is believed that the Cactus ransomware exploits vulnerabilities in VPN appliances to obtain initial access to its targets
  • The ransomware appeared in March 2023 and it generally targets large commercial entities
  • One of the targets, Trimaran Capital Partners, was a victim of another ransomware (ALPHV) earlier this year

It seems that the four targets happened this month in the same period since the Cactus group announced all four today (7th of September).

Cactus Ransomware Group


The four companies include an investment firm, an industry leader in the production of custom hydraulic cylinders, a company servicing automatic door systems, and a support company for the oil and gas industry.

In short, they’re large commercial companies that have a lot to lose from a ransomware attack.

Details About Cactus Ransomware

The Cactus ransomware group has been very active since it first appeared on the Dark Web in March 2023.

Some of its previous targets include:

  • Seymours, a renowned estate agent with six offices

  • Groupe Promotrans, a company operating in the training and coaching sector

  • MINEMAN Systems, a company focusing on marketing concentrates and metals from mining operations

  • Maxxd Trailers, a company that produces trailers across the US and Canada

  • Marfrig Global Foods, the second largest Brazilian food processing company

Every time, they identified their victims publicly and offered a description of each one on their dark web channel.

The way Cactus operates is quite sophisticated. They focus on VPN appliances to gain initial access and then install backdoors into the mainframe of each company.

The name of their group comes from the filename of the ransom note, “cAcTuS.readme.txt”.

So far, all the victims have been attacked using the same method – VPN appliances and the installation of SSH backdoors.

It’s pretty clear that the ransomware group won’t stop any time soon. Other large commercial entities using VPNs are also at risk of falling prey to the mysterious group.

At present, Cactus is one of the most notorious ransomware groups on the Dark Web, mainly due to the specificity of its attack patterns and modus operandi.

Our Mission

We believe security online security matters and its our mission to make it a safer place.

Leave a Comment