Security News > 2021 > May > Cuba Ransomware partners with Hancitor for spam-fueled attacks

The Cuba Ransomware gang has teamed up with the spam operators of the Hancitor malware to gain easier access to compromised corporate networks.
Similar to how Ryuk and Conti partnered with TrickBot and Egregor and ProLock worked with QBot, the Cuba Ransomware has partnered with Hancitor to gain access to compromised networks.
Ransomware gangs commonly use cracked versions of Cobalt Strike as part of their attacks to gain a foothold and spread laterally throughout a network.
After the Cobalt Strike beacons are deployed, Group-IB researchers say the threat actors use this remote access to gather network credentials, domain information, and spread throughout the network.
"The Beacon's capabilities were also used to scan the compromised network. In addition, the group leveraged some custom tools for network reconnaissance. The first tool is called Netping - it's a simple scanner capable of collecting information about alive hosts in the network and saving it into a text file, the other tool, Protoping, to collect information about available network shares."
When the actors finally gain access to a domain admin's credentials, they deploy the ransomware executable via PsExec to encrypt devices on the network.
News URL
Related news
- US indicts 8Base ransomware operators for Phobos encryption attacks (source)
- RA World Ransomware Attack in South Asia Links to Chinese Espionage Toolset (source)
- Chinese espionage tools deployed in RA World ransomware attack (source)
- Lee Enterprises newspaper disruptions caused by ransomware attack (source)
- Southern Water says Black Basta ransomware attack cost £4.5M in expenses (source)
- Qilin ransomware claims attack at Lee Enterprises, leaks stolen data (source)
- Ransomware gangs exploit Paragon Partition Manager bug in BYOVD attacks (source)
- Hackers Exploit Paragon Partition Manager Driver Vulnerability in Ransomware Attacks (source)
- Hunters International ransomware claims attack on Tata Technologies (source)
- Toronto Zoo shares update on last year's ransomware attack (source)