
How Cuba Ransomware has Joined Hands with Hancitor Malware for Spam based Attacks

by CISOCONNECT Bureau

To gain easier access to vulnerable corporate networks, the Cuba Ransomware group has teamed up with Hancitor malware. Read on to know more…

The history of ransomware operators collaborating with other malware groups, such as Ryuk’s and Conti’s collaboration with TrickBot, has prompted some newer groups to follow suit. The cybersecurity firm Group-IB recently published a report on a partnership between Cuba ransomware and Hancitor.

Data-encrypting Trojans, better known as ransomware, are among the most common online threats. Cybercriminals use ransomware building kits to quickly construct a new file-locking Trojan that is ready for delivery. Cuba Ransomware is one of the most recent threats in this category.

About Cuba Ransomware
Cuba Ransomware was first discovered in 2019, but it has remained relatively quiet in contrast to other ransomware campaigns such as REvil, Avaddon, Conti, and DoppelPaymer. Security experts believe that since spam campaigns are fueling their attacks, we should expect to see a rise in the number of such attacks in the near future.

According to a report published by the cybersecurity firm Profero, the Cuba Ransomware group is based in Russia; the researchers base this assessment on the presence of Russian-language text on the gang’s data leak website.

The malicious campaign has primarily targeted financial, pharmaceutical, educational, manufacturing, professional services, and software development organizations in Europe and the United States.

After a Cuba ransomware attack against payment processor Automatic Funds Transfer Service (AFTS) in February, a number of US cities and agencies revealed data breaches.

Partnership of Ransomware with Malware Group
It’s not the first time that two or more threat actors have teamed up to make their attacks more effective.

According to the security researchers, a threat group known as Balbesi is behind the latest Hancitor campaigns. The hackers spread the Hancitor malware through malicious spam campaigns whose messages posed as DocuSign invoices.

The Hancitor (Chancitor) downloader has been active since 2016, when it was discovered by Zscaler while spreading the Vawtrak information-stealing Trojan, and has since served as the launchpad for a number of campaigns.

Working Mechanism
The attackers install Cobalt Strike beacons on infected computers to collect network credentials and domain information before spreading Cuba ransomware throughout the network.

For network reconnaissance, the threat actors use a few custom tools: Netping gathers data about live hosts in the network and saves it to a text file, and Protoping gathers information about available network shares.

Lateral movement is carried out over RDP, and if the Cobalt Strike beacons were detected or blocked, additional backdoor malware such as Ficker stealer and SystemBC would have allowed the attackers to download and execute further payloads.

After gaining access to a domain admin’s credentials, the attackers use PsExec to deploy the ransomware executable on the network for final device encryption.
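As an added illustration from the defender’s side (not part of the Group-IB findings summarized above), the following Python correlates constructed Windows event records to surface the last two steps of this chain: an RDP logon (Security event 4624, logon type 10) followed shortly by a PsExec service installation (System event 7045, service name PSEXESVC), and a burst of PSEXESVC installs across many hosts, which is what a network-wide ransomware push looks like. Hostnames, accounts, addresses and timestamps are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry: (timestamp, host, event_id, fields)
SAMPLE_EVENTS = [
    ("2021-06-01T02:10:05", "FS01", 4624, {"LogonType": "10", "Account": "CORP\\adm_j", "Src": "10.0.5.7"}),
    ("2021-06-01T02:12:40", "FS01", 7045, {"ServiceName": "PSEXESVC"}),
    ("2021-06-01T02:13:02", "FS02", 7045, {"ServiceName": "PSEXESVC"}),
    ("2021-06-01T02:13:09", "FS03", 7045, {"ServiceName": "PSEXESVC"}),
    ("2021-06-01T09:00:00", "WS17", 4624, {"LogonType": "10", "Account": "CORP\\helpdesk", "Src": "10.0.9.2"}),
    ("2021-06-01T17:30:00", "WS17", 7045, {"ServiceName": "PSEXESVC"}),  # 8.5 h later: outside window
    ("2021-06-01T10:00:00", "WS20", 4624, {"LogonType": "3", "Account": "CORP\\svc_b", "Src": "10.0.1.1"}),
]

def _ts(s):
    return datetime.fromisoformat(s)

def _is_psexec_install(eid, fields):
    return eid == 7045 and fields.get("ServiceName", "").upper() == "PSEXESVC"

def psexec_after_rdp(events, window=timedelta(minutes=30)):
    """Pair each PSEXESVC install with an interactive RDP logon (4624, type 10)
    on the same host within `window`. Returns (host, account, src_ip) tuples."""
    rdp_logons = {}  # host -> [(time, account, source address)]
    for ts, host, eid, f in events:
        if eid == 4624 and f.get("LogonType") == "10":
            rdp_logons.setdefault(host, []).append((_ts(ts), f["Account"], f["Src"]))
    hits = []
    for ts, host, eid, f in events:
        if _is_psexec_install(eid, f):
            t = _ts(ts)
            for lt, acct, src in rdp_logons.get(host, []):
                if timedelta(0) <= t - lt <= window:
                    hits.append((host, acct, src))
    return hits

def psexec_fanout(events, min_hosts=3, window=timedelta(minutes=10)):
    """Flag PSEXESVC installs on at least `min_hosts` distinct hosts within
    `window` of each other. Returns the sorted burst hosts, or [] if none."""
    installs = sorted((_ts(ts), host) for ts, host, eid, f in events
                      if _is_psexec_install(eid, f))
    for i, (t0, _) in enumerate(installs):
        hosts = {h for t, h in installs[i:] if t - t0 <= window}
        if len(hosts) >= min_hosts:
            return sorted(hosts)
    return []

if __name__ == "__main__":
    print(psexec_after_rdp(SAMPLE_EVENTS))
    print(psexec_fanout(SAMPLE_EVENTS))
```

On the sample data the first function reports only FS01, since the WS17 install falls outside the 30-minute window, and the second reports the three file servers hit within seconds of each other.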

Concluding Words
Cuba ransomware has been in and out of the ransomware game for years, but it gained prominence after the AFTS attack. Perhaps it now wants to make amends. Because of the current relationship with Hancitor and the threat’s proclivity for spam campaigns, security professionals must keep a close eye on this nascent threat to prevent any surprises.
