The Cuba Ransomware Gang

2 min readJun 22, 2021

Lo que no te mata, sacará tu información. - What doesn’t kill you, will get your information out -

The Cuba Ransomware gang has partnered with the crooks behind the Hancitor malware in attacks aimed at corporate networks.

The Hancitor downloader has been around for quite some time already. It is known since at least 2016 for dropping Pony and Vawtrak. As a loader, it has been used to download other malware families, such as Ficker stealer and NetSupport RAT, to compromised hosts. Its operators also showed interest in post exploitation activities, deploying Cobalt Strike Beacon on the hosts located in Active Directory environments. After a few unremarkable and quiet years, Hancitor resurfaced again and it decided to join the Big Game Hunting. Hancitor became another commodity malware which partnered with ransomware gangs to help them gain initial access to target networks .

Hancitor is being actively used by the threat actors to deploy Cuba ransomware.. Cuba ransomware has been active since at least January 2020. Its operators have a DLS site, where they post exfiltrated data from their victims who refused to pay the ransom.

As of April 28, the site mentioned nine companies primarily from aviation, financial, education and manufacturing industries. Hancitor’s deep interest in Big Game Hunting is further supported by Jason Reaves‘s earlier findings about Hancitor’s association with the Zeppelin ransomware. Usually, Hancitor is distributed via spam campaigns. Such emails are disguised to look like DocuSign notifications. Clicking the malicious link obviously leads to downloading a weaponized document. As always, the document contains instructions on how to remove “protection”:

According to the very famous Group-IB researchers, the group behind ransomware deployments is Balbesi. Despite the fact the group is leveraging quite common techniques in their operations, their attacks are still quite effective and affects organizations from various sectors, including financial, pharmaceutical, educational, industrial, professional services and software development, focusing mainly on Europe and USA.

Source —

Written by Harshani Jayawardhana — 2nd Year 1st Semester -Cyber Security Student-SLIIT