
Cuba ransomware gang scores almost $44m in ransom payments across 49 orgs, say Feds
2021-12-06 13:02

The US Federal Bureau of Investigation says 49 organisations, including some in government, were hit by Cuba ransomware as of early November this year.

The gang's loader of choice, Hancitor, was the initial culprit, delivered through phishing emails, exploitation of Microsoft Exchange vulnerabilities, compromised credentials, or Remote Desktop Protocol (RDP) tools.

Then, voila: infected networks were found communicating with a Montenegro-based malware repository URL. The gang also used the red-teaming tool/malware Mimikatz to harvest credentials from memory, then used RDP to log in while masquerading as a specific user account, meaning the miscreants could use their Cobalt Strike server to communicate with the compromised account.

The payload then reached the remote command-and-control server, from which the next stage of ransomware files could be deployed.

"The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, Bitcoin wallet information, the decryptor file, and/or a benign sample of an encrypted file," said the intelligence bureau.

The Cuba group typically threatens to post sensitive files on the dark web if companies refuse the ransom.
