Security News > 2021 > May > Cuba Ransomware partners with Hancitor for spam-fueled attacks

The Cuba Ransomware gang has teamed up with the spam operators of the Hancitor malware to gain easier access to compromised corporate networks.

Similar to how Ryuk and Conti partnered with TrickBot and Egregor and ProLock worked with QBot, the Cuba Ransomware has partnered with Hancitor to gain access to compromised networks.

Ransomware gangs commonly use cracked versions of Cobalt Strike as part of their attacks to gain a foothold and spread laterally throughout a network.

After the Cobalt Strike beacons are deployed, Group-IB researchers say the threat actors use this remote access to gather network credentials, domain information, and spread throughout the network.

"The Beacon's capabilities were also used to scan the compromised network. In addition, the group leveraged some custom tools for network reconnaissance. The first tool is called Netping - it's a simple scanner capable of collecting information about alive hosts in the network and saving it into a text file, the other tool, Protoping, to collect information about available network shares."

When the actors finally gain access to a domain admin's credentials, they deploy the ransomware executable via PsExec to encrypt devices on the network.

News URL

https://www.bleepingcomputer.com/news/security/cuba-ransomware-partners-with-hancitor-for-spam-fueled-attacks/