CAV (aka Apocalypse or Kangaroo) Ransomware

Posting in the hopes that this will help someone. A client got encrypted with the Threat actors email being:


[email protected]


or a similar combination. Seems like a relatively small variant similar to a “Apocalypse” or “Kangaroo” type of an approach. While communications were lacking, the threat actors did exfiltrate data. The Threat actors are not the most organized, and actually sent proof of exfil from a different victim they impacted at first then they provided the correct information. 


Ultimately, a small payment was made, and the threat actors provided access to a “mega” site where we were able to delete the client’s information. Of course there is no guarantee that ALL information was provided and deleted, however, the overall communication appeared to have been sufficient and the threat actors appeared (at least at the moment) to follow through on their commitments. 


initial attack vectors appear to be remote access exploit i.e. RDP, VPN. 


Again, this post is not to recommend payment, but wanted to share our experience as reputation and track record is important.


Sample ransom note text image attached. 


ADMIN: if there is an existent thread please feel free to move. 


Good luck.