The Cuba Ransomware gang has teamed up with the Hancitor malware operators to gain easier access to compromised corporate networks.
The Hancitor downloader has been active since 2016, when Zscaler spotted it distributing the information-stealing Vawtrak Trojan. Since then, many campaigns have been identified in which Hancitor installs password stealers such as Pony and Ficker and, most recently, Cobalt Strike.
Hancitor is usually distributed through malicious spam campaigns posing as DocuSign invoices, as shown in the sample below.
When a recipient clicks the "Sign document" link, they download a malicious Word document that tries to persuade the target to disable protections.
Once the protections are disabled, the malicious macros run to download and install the Hancitor downloader.
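The infection chain above hinges on a macro-enabled Word attachment that the lure tricks the recipient into enabling. One mail-gateway control that does not depend on the user's choice is to inspect every OOXML attachment for a VBA project before delivery. The script below is an added example written for this article, not code from BleepingComputer or from any vendor: it builds a constructed sample document in memory (no real lure is used), then checks the container for the `word/vbaProject.bin` part and the macro-enabled content type, and flags documents whose extension hides the fact that they carry macros. The function and file names are this example's own assumptions.

```python
import io
import zipfile

# OOXML part that holds the compiled VBA project, and the content type
# Word declares for macro-enabled documents (.docm).
MACRO_PART = "word/vbaProject.bin"
MACRO_CONTENT_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CONTENT_TYPE = (
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
)


def build_sample_doc(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML container, optionally carrying a VBA part.

    The VBA bytes are a placeholder, not a real macro; only the container
    layout matters for the check below.
    """
    main_ct = MACRO_CONTENT_TYPE if with_macro else PLAIN_CONTENT_TYPE
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
        + (
            '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            if with_macro
            else ""
        )
        + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr(MACRO_PART, b"\xd0\xcf\x11\xe0 placeholder VBA project")
    return buf.getvalue()


def inspect_attachment(filename: str, data: bytes) -> dict:
    """Classify an attachment: 'allow', 'quarantine', or 'not_ooxml'.

    Both signals are checked independently because an attacker controls the
    container: a document may carry a VBA part while declaring a plain
    content type, or use a .docx extension to look harmless.
    """
    result = {
        "has_macro": False,
        "declared_macro_enabled": False,
        "extension_mismatch": False,
        "verdict": "allow",
    }
    try:
        z = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Legacy .doc (OLE2) or arbitrary bytes; route to a different scanner.
        result["verdict"] = "not_ooxml"
        return result

    names = set(z.namelist())
    result["has_macro"] = MACRO_PART in names

    try:
        content_types = z.read("[Content_Types].xml").decode("utf-8", "replace")
    except KeyError:
        content_types = ""
    result["declared_macro_enabled"] = MACRO_CONTENT_TYPE in content_types

    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    result["extension_mismatch"] = result["has_macro"] and ext not in ("docm", "dotm")

    if result["has_macro"] or result["declared_macro_enabled"]:
        result["verdict"] = "quarantine"
    return result


if __name__ == "__main__":
    for name, doc in (
        ("invoice.docm", build_sample_doc(with_macro=True)),
        ("invoice.docx", build_sample_doc(with_macro=True)),
        ("invoice.docx", build_sample_doc(with_macro=False)),
    ):
        print(name, inspect_attachment(name, doc))
```

The check looks at the container rather than the extension because Word opens a macro-enabled document regardless of what the file is called; a mismatch between the two is itself worth alerting on.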
Just as Ryuk and Conti partnered with TrickBot, and Egregor and ProLock partnered with QBot, Cuba Ransomware has partnered with Hancitor to gain access to compromised networks.
Cooperation can accelerate attacks
Since its release in late 2019, Cuba Ransomware has not been very active compared to other ransomware operations such as REvil, Avaddon, Conti and DoppelPaymer.
Its most notorious attack was on ATFS, a widely used payment processor for local and state governments.
Since its attacks are now fueled by spam campaigns, we can expect to see an increase in victims soon.
It should also be noted that while Cuba Ransomware uses a photo of Fidel Castro and takes its name from the country of Cuba, its operators are in Russia, according to the cybersecurity company Profero. Profero reached this conclusion after finding Russian-language text on the gang's data leak site.
Source: bleepingcomputer.com