Historical partnerships between ransomware operators and other malware groups, such as Ryuk and Conti's collaboration with TrickBot, have inspired some newer groups to adopt the same partner strategy. One such collaboration is that of Cuba ransomware with Hancitor, as reported by the cybersecurity firm Group-IB.
Ransomware joins malware group
According to the researchers, the recent ransomware campaigns using Hancitor have been attributed to a threat group named Balbesi.
The attackers used malicious spam campaigns, in which they used decoy DocuSign invoices to distribute Hancitor malware.
The actors drop Cobalt Strike beacons on infected computers to gather network credentials and domain information, and then spread Cuba ransomware throughout the network.
The malicious campaign has affected organizations from various sectors, including financial, pharmaceutical, educational, industrial, professional services, and software development, focusing mainly on Europe and the U.S.
How does it operate?
The threat actors leverage a few custom tools for network reconnaissance. For example, Netping collects information about live hosts in the network and saves it to a text file, and Protoping collects information about available network shares.
Lateral movement relies on RDP, and if the Cobalt Strike beacons were detected or blocked, additional backdoors such as Ficker stealer and SystemBC would allow the attackers to download and deploy further payloads.
For the final encryption of devices across the network, the attackers deploy the ransomware executable via PsExec after obtaining a domain admin's credentials.
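The PsExec deployment step above leaves a visible trace on every target: PsExec installs a service (Event ID 7045 in the Windows System log) on each host it pushes to. The following added detection example, not from the article or from Group-IB, correlates such events and alerts when one account installs a PsExec-style service on several distinct hosts within a short window, which is the mass-deployment pattern described. The event records, host names, account names and timestamps are constructed placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: Windows System log Event ID 7045 (new service installed)
# records as a SIEM might normalise them. Hosts, accounts and times are invented.
SAMPLE_EVENTS = [
    {"ts": "2021-06-01T02:10:05", "host": "WS-01", "event_id": 7045,
     "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe", "account": r"CORP\da-admin"},
    {"ts": "2021-06-01T02:10:09", "host": "WS-02", "event_id": 7045,
     "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe", "account": r"CORP\da-admin"},
    {"ts": "2021-06-01T02:10:14", "host": "FS-01", "event_id": 7045,
     "service": "svc-upd", "image": r"%SystemRoot%\PSEXESVC.exe", "account": r"CORP\da-admin"},
    {"ts": "2021-06-01T09:00:00", "host": "WS-07", "event_id": 7045,
     "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe", "account": r"CORP\helpdesk"},
    {"ts": "2021-06-01T11:30:00", "host": "WS-08", "event_id": 7045,
     "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe", "account": r"CORP\helpdesk"},
    {"ts": "2021-06-01T14:00:00", "host": "WS-09", "event_id": 7045,
     "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe", "account": r"CORP\helpdesk"},
    {"ts": "2021-06-01T02:11:00", "host": "WS-03", "event_id": 7045,
     "service": "Spooler", "image": r"%SystemRoot%\System32\spoolsv.exe", "account": "LocalSystem"},
]

def is_psexec_install(ev):
    """PsExec installs its service as PSEXESVC; the service name can be changed
    at run time, so also match on the image path."""
    if ev.get("event_id") != 7045:
        return False
    return (ev.get("service", "").upper() == "PSEXESVC"
            or ev.get("image", "").upper().endswith("PSEXESVC.EXE"))

def find_mass_psexec(events, window=timedelta(minutes=10), min_hosts=3):
    """Return {account: sorted hosts} for accounts that installed a PsExec-style
    service on at least `min_hosts` distinct hosts inside one `window`."""
    by_account = defaultdict(list)
    for ev in events:
        if is_psexec_install(ev):
            by_account[ev["account"]].append((datetime.fromisoformat(ev["ts"]), ev["host"]))
    alerts = {}
    for account, hits in by_account.items():
        hits.sort()  # sliding window over time-ordered installs per account
        for i, (start, _) in enumerate(hits):
            hosts = {h for t, h in hits[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                alerts[account] = sorted(hosts)
                break
    return alerts

if __name__ == "__main__":
    for account, hosts in find_mass_psexec(SAMPLE_EVENTS).items():
        print(f"ALERT: {account} pushed a PsExec service to {hosts}")
```

With the sample data, the admin account's three installs within nine seconds trigger an alert, while the helpdesk account's three installs spread over five hours do not.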
Recent news about Cuba ransomware
Last month, cybersecurity firm Profero revealed that the group is based out of Russia.
In February, numerous U.S. cities and agencies disclosed data breaches after a Cuba ransomware attack against the payment processor Automatic Funds Transfer Service (AFTS).
For years, Cuba ransomware has been in and out of the ransomware game; it came into the limelight after the AFTS attack, and it may now be looking to make up for lost time. Its current partnership with Hancitor and its inclination toward spam campaigns indicate that this budding threat warrants close attention from security professionals to avoid any surprises.