The historical partnerships among ransomware operators with other malware groups, such as Ryuk and Conti’s collaboration with TrickBot, have inspired some new groups to adopt the partner strategy. One such collaboration is that of Cuba ransomware with Hancitor that has been reported by the cybersecurity firm Group-IB.
According to the researchers, the recent ransomware campaigns using Hancitor have been attributed to a threat group named Balbesi.
- The attackers used malicious spam campaigns, in which they used decoy DocuSign invoices to distribute Hancitor malware.
- Malware actors drop Cobalt Strike beacons on infected computers to gather network credentials, domain information and spread Cuba ransomware throughout the network.
- The malicious campaign has affected organizations from various sectors, including financial, pharmaceutical, educational, industrial, professional services, and software development, focusing mainly on Europe and the U.S.
- The threat actors leverage a few custom tools for network reconnaissance. For e.g, it uses Netping to collect information about alive hosts in the network and to save it into a text file, and Protoping to collect information about available network shares.
- The lateral move is supported by RDP, and if the Cobalt Strike beacons were detected or blocked, additional backdoor malware such as Ficker stealer and SystemBC would have allowed the attackers to download and implement additional payloads.
- For the final device encryption on the network, the attackers deploy the ransomware executable via PsExec, after gaining access to a domain admin’s credentials.
- Last month, cybersecurity firm Profero revealed that the group is based out of Russia.
- In February, numerous U.S. cities and agencies had disclosed data breaches after a Cuba ransomware attack against the payment processor Automatic Funds Transfer Service (AFTS).
(Except for the headline, this story has not been edited by TTE staff and is published from a syndicated feed.)
About Author
