SLIIT CS2

Jun 22, 2021

2 min read

The Cuba Ransomware Gang

Lo que no te mata, sacará tu información. - What doesn’t kill you, will get your information out -

The Cuba Ransomware gang has partnered with the crooks behind the Hancitor malware in attacks aimed at corporate networks.

The Hancitor downloader has been around for quite some time already. It is known since at least 2016 for dropping Pony and Vawtrak. As a loader, it has been used to download other malware families, such as Ficker stealer and NetSupport RAT, to compromised hosts. Its operators also showed interest in post exploitation activities, deploying Cobalt Strike Beacon on the hosts located in Active Directory environments. After a few unremarkable and quiet years, Hancitor resurfaced again and it decided to join the Big Game Hunting. Hancitor became another commodity malware which partnered with ransomware gangs to help them gain initial access to target networks .

Hancitor is being actively used by the threat actors to deploy Cuba ransomware.. Cuba ransomware has been active since at least January 2020. Its operators have a DLS site, where they post exfiltrated data from their victims who refused to pay the ransom.

As of April 28, the site mentioned nine companies primarily from aviation, financial, education and manufacturing industries. Hancitor’s deep interest in Big Game Hunting is further supported by Jason Reaves‘s earlier findings about Hancitor’s association with the Zeppelin ransomware. Usually, Hancitor is distributed via spam campaigns. Such emails are disguised to look like DocuSign notifications. Clicking the malicious link obviously leads to downloading a weaponized document. As always, the document contains instructions on how to remove “protection”:

According to the very famous Group-IB researchers, the group behind ransomware deployments is Balbesi. Despite the fact the group is leveraging quite common techniques in their operations, their attacks are still quite effective and affects organizations from various sectors, including financial, pharmaceutical, educational, industrial, professional services and software development, focusing mainly on Europe and USA.

Source — https://securityaffairs.co/wordpress/117638/cyber-crime/cuba-ransomware-hancitor.html

Cybersecurity
Ransomware
Information Security

--

--

More from SLIIT CS2

First they begin with Us..

AboutHelpTermsPrivacy

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
SLIIT CS2

SLIIT CS2

341 Followers

First they begin with Us..

Help

Status

Writers

Blog

Careers

Privacy

Terms

About

Text to speech