Cuba Ransomware and Its Partnership With Hancitor
Cuba Ransomware Gang Is Teaming Up with the Spam Operators of the Hancitor Malware in an Attempt to Gain Easier Access to Compromised Corporate Networks.
It seems that the Cuba Ransomware gang is teaming up with the spam operators of the Hancitor malware in an attempt to gain easier access to compromised corporate networks.
What Do We Know about Hancitor?
The Hancitor (Chancitor) downloader has been operating since 2016, when it was noticed by Zscaler while distributing the Vawtrak information-stealing Trojan, and it has since been the starting point of numerous campaigns over the years.
Its M.O. is to install password stealers such as Pony and Ficker, or the newly added Cobalt Strike, and it is usually distributed through malicious spam campaigns pretending to be DocuSign invoices.
Once the recipient clicks on the ‘Sign document’ link, they automatically download a malicious Word document that tries to convince them to disable all protections. Once the protections are disabled, the malicious macros download and install the Hancitor downloader.
It’s not the first time two or more threat actors have teamed up in an attempt to increase the impact of their attacks.
This time we’re witnessing the Cuba Ransomware partnering with Hancitor in order to gain access to compromised networks.
Researchers at the cybersecurity company Group-IB have recently detected campaigns dropping Cobalt Strike on infected computers.
Cobalt Strike, one of the more commonly used pen-test toolkits, can “create shells, execute PowerShell scripts, perform privilege escalation, or spawn a new session to create a listener on the victim system.”
Ransomware gangs usually use cracked versions of Cobalt Strike as part of their attacks in order to gain a foothold and then spread laterally throughout a network.
Once the Cobalt Strike beacons are deployed, the threat actors use this remote access to gather network credentials and domain information and to spread throughout the network.
The Beacon’s capabilities were also used to scan the compromised network. In addition, the group leveraged some custom tools for network reconnaissance. The first tool, called Netping, is a simple scanner that collects information about live hosts on the network and saves it to a text file; the other, Protoping, collects information about available network shares.
Built-in tools were also abused. For example, the adversary used the net view command to collect information about the hosts in the network and the nltest utility to collect information about the compromised domain.
It is worth noting that, in order to move laterally from machine to machine, the threat actors use Remote Desktop. Unencrypted data is harvested while moving through an unencrypted network and then sent to remote servers controlled by the attackers. The data can later be used as part of a double-extortion strategy.
Finally, the attack concludes with the attackers deploying the ransomware executable via PsExec to encrypt devices on the network.
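As an added illustration from the defender’s side (example code written for this article, not a tool from Group-IB, Heimdal or any vendor mentioned here), the following Python scores process-creation events per host for the chain described above: an Office-spawned process, net view, nltest domain queries, then a PsExec launch. The sample events, stage weights and alert threshold are constructed assumptions, not tuned values from any product.

```python
import re
from collections import defaultdict

# Constructed process-creation records (hypothetical sample data):
# (timestamp, host, parent image, command line).
SAMPLE_EVENTS = [
    ("10:01", "WS01", "explorer.exe", r"winword.exe /n C:\Users\bob\invoice.docm"),
    ("10:02", "WS01", "winword.exe", r"rundll32.exe C:\Users\bob\AppData\Local\Temp\x.dll,start"),
    ("10:05", "WS01", "rundll32.exe", "net view /all"),
    ("10:06", "WS01", "rundll32.exe", "nltest /dclist:corp"),
    ("10:07", "WS01", "rundll32.exe", "nltest /domain_trusts"),
    ("10:30", "WS01", "cmd.exe", r"psexec.exe \\FS01 -c -f payload.exe"),
    ("11:00", "WS02", "cmd.exe", r"net view \\FS01"),  # lone admin check, benign
]

# Stage -> (field to match, pattern, weight). Weights are assumptions chosen
# so that a single recon command stays below the alert threshold.
STAGES = {
    "office_spawn": ("parent", re.compile(r"^(winword|excel|powerpnt)\.exe$", re.I), 2),
    "host_recon":   ("cmd", re.compile(r"^net1?(\.exe)?\s+view\b", re.I), 1),
    "domain_recon": ("cmd", re.compile(r"^nltest(\.exe)?\s+/(dclist|domain_trusts)", re.I), 2),
    "lateral_exec": ("cmd", re.compile(r"^psexec(64)?(\.exe)?\s", re.I), 3),
}
ALERT_THRESHOLD = 5

def classify(parent, cmd):
    """Return the set of stage names a single event matches."""
    hits = set()
    for name, (field, pattern, _) in STAGES.items():
        if pattern.search(parent if field == "parent" else cmd):
            hits.add(name)
    return hits

def score_hosts(events):
    """Sum stage weights per host (each stage counted once) and record the
    order in which stages first appeared, so an analyst sees the chain."""
    scores, chains = defaultdict(int), defaultdict(list)
    for _, host, parent, cmd in events:
        for stage in classify(parent, cmd):
            if stage not in chains[host]:
                chains[host].append(stage)
                scores[host] += STAGES[stage][2]
    return {h: (scores[h], chains[h]) for h in scores}

def alerts(events, threshold=ALERT_THRESHOLD):
    """Hosts at or above the threshold whose chain ends with a PsExec launch."""
    return sorted(h for h, (s, chain) in score_hosts(events).items()
                  if s >= threshold and chain[-1] == "lateral_exec")

if __name__ == "__main__":
    for host, (score, chain) in score_hosts(SAMPLE_EVENTS).items():
        print(host, score, " -> ".join(chain))
    print("alerts:", alerts(SAMPLE_EVENTS))
```

Feed it Sysmon event 1 or Windows 4688 records instead of the constructed list and the same scoring applies; the lone net view on WS02 stays below the threshold by design.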
Why Is the Partnership Between Cuba Ransomware and Hancitor Important?
Cuba Ransomware was launched in 2019, and since then it has not been particularly active in comparison to other operations, like REvil, Avaddon, Conti, and DoppelPaymer.
Specialists believe that now that their attacks are fueled by spam campaigns, we could expect to see an increase in the number of victims soon.
As for the origin of the Cuba Ransomware, a report by the cybersecurity firm Profero suggests that the gang is based in Russia, the researchers basing this on the fact that Russian-language text was found on the gang’s data leak site.