Cuba Ransomware Joining Hands with Hancitor Malware

Ransomware joins malware group

• The attackers used malicious spam campaigns, in which they used decoy DocuSign invoices to distribute Hancitor malware.
• Malware actors drop Cobalt Strike beacons on infected computers to gather network credentials, domain information and spread Cuba ransomware throughout the network.
• The malicious campaign has affected organizations from various sectors, including financial, pharmaceutical, educational, industrial, professional services, and software development, focusing mainly on Europe and the U.S.

How does it operate?

• The threat actors leverage a few custom tools for network reconnaissance. For e.g, it uses Netping to collect information about alive hosts in the network and to save it into a text file, and Protoping to collect information about available network shares.
• The lateral move is supported by RDP, and if the Cobalt Strike beacons were detected or blocked, additional backdoor malware such as Ficker stealer and SystemBC would have allowed the attackers to download and implement additional payloads. 
• For the final device encryption on the network, the attackers deploy the ransomware executable via PsExec, after gaining access to a domain admin's credentials.

Recent news about Cuba ransomware

• Last month, cybersecurity firm Profero revealed that the group is based out of Russia.
• In February, numerous U.S. cities and agencies had disclosed data breaches after a Cuba ransomware attack against the payment processor Automatic Funds Transfer Service (AFTS).

Wrapping up