
Collaboration of Cuba ransomware with Hancitor malware for spam attacks

Cuba Ransomware gang teamed up with Hancitor malware operators to gain easier access to corrupt corporate networks.


The Hancitor downloader has been active since 2016, when Zscaler spotted it distributing the information-stealing trojan Vawtrak. Since then, many campaigns have been identified in which Hancitor installs password stealers such as Pony and Ficker and, most recently, Cobalt Strike.

Hancitor is usually distributed through malicious spam campaigns that pose as DocuSign invoices, as in the sample shown below.

When a recipient clicks the "Sign document" link, a malicious Word document is downloaded that tries to persuade the target to disable the document's protections.

Once those protections are disabled, the malicious macros run and download and install the Hancitor downloader.
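The two points in that chain where a defender can intervene are the "Sign document" link and the macro-enabled attachment. The following is an added triage example, not code from the article or from any vendor: it flags a "sign" link whose host is not on a constructed DocuSign allow-list, and checks whether an OOXML document carries a VBA project part. The allow-list, the sample document builder and all sample values are assumptions constructed for the demonstration.

```python
import io
import zipfile
from urllib.parse import urlparse

# Assumption: hosts the defender accepts for genuine DocuSign signing links.
LEGIT_DOCUSIGN_HOSTS = {"docusign.com", "docusign.net"}

# OOXML parts whose presence means the document embeds VBA macros.
MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")


def sign_link_is_suspicious(url: str) -> bool:
    """True when a 'Sign document' link does not point at an allow-listed host."""
    host = (urlparse(url).hostname or "").lower()
    return not any(host == h or host.endswith("." + h) for h in LEGIT_DOCUSIGN_HOSTS)


def has_vba_macros(doc_bytes: bytes) -> bool:
    """True when an OOXML (.docm/.docx) container carries a VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(doc_bytes)) as z:
            names = set(z.namelist())
    except zipfile.BadZipFile:
        # Not a zip container: legacy OLE .doc or not a document; needs a separate OLE check.
        return False
    return any(part in names for part in MACRO_PARTS)


def build_sample_doc(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container used only to exercise has_vba_macros()."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00constructed-placeholder")
    return buf.getvalue()


def triage(link: str, attachment: bytes) -> list:
    """Return the reasons a DocuSign-themed message should be held for review."""
    reasons = []
    if sign_link_is_suspicious(link):
        reasons.append("sign link host not allow-listed")
    if has_vba_macros(attachment):
        reasons.append("attachment embeds VBA macros")
    return reasons


if __name__ == "__main__":
    # Constructed lure: lookalike link plus macro-enabled document.
    print(triage("http://docusign-invoice.example.invalid/sign", build_sample_doc(True)))
```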


Just as Ryuk and Conti partnered with TrickBot, and Egregor and ProLock partnered with QBot, Cuba Ransomware has partnered with Hancitor to gain access to compromised networks.

Cooperation can accelerate attacks

Since it first appeared in late 2019, Cuba Ransomware has not been very active compared to other ransomware operations such as REvil, Avaddon, Conti and DoppelPaymer.

Its most notorious attack was on ATFS, a payment processor widely used by local and state governments.

Now that its attacks are fed by spam campaigns, an increase in victims is to be expected soon.


It should also be noted that, while Cuba Ransomware uses a photo of Fidel Castro and takes its name from the country Cuba, its operators are based in Russia, reports the cyber security company Profero. Profero reached this conclusion because it found Russian-language content on the gang's data leak site.

Source of information:

Teo Ehc