FBI: Cuba ransomware breached 49 US critical infrastructure orgs

LASER_oneXM
Feb 4, 2016

Cuba ransomware delivered via Hancitor

Cuba ransomware is delivered on victims' networks through the Hancitor malware downloader, which allows the ransomware gang to gain easier access to previously compromised corporate networks.

Hancitor (Chancitor) is known for delivering information stealers, Remote Access Trojans (RATs), and other types of ransomware.
Zscaler spotted it distributing the Vawtrak information-stealing trojan. Since then, it switched to password-stealers, including Pony and Ficker, and, more recently, Cobalt Strike.

For initial compromise of their victims' systems, Hancitor uses phishing emails and stolen credentials, exploits Microsoft Exchange vulnerabilities, or breaks in via Remote Desktop Protocol (RDP) tools.

Once in using the access provided by Hancitor, Cuba ransomware operators will use legitimate Windows services (e.g., PowerShell, PsExec, and various other unspecified services) to deploy their ransomware payloads remotely and encrypt files using the ".cuba" extension.
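As an added illustration (not part of the post above or of any vendor tooling), the following script shows how a defender could correlate the two traces this deployment pattern leaves: a PsExec-style remote service install and a burst of files being written with the ".cuba" extension. The event records are constructed sample data loosely shaped after Windows System event 7045 and Sysmon event 11; the host names and paths are made up.

```python
from collections import Counter

RANSOM_EXT = ".cuba"        # extension named in the post
PSEXEC_SERVICE = "PSEXESVC"  # default service name PsExec installs on the target

# Constructed sample telemetry (not real logs): 7045 = service installed,
# 11 = file created. Field names are simplified for the example.
SAMPLE_EVENTS = [
    {"host": "FS01", "event_id": 7045, "service_name": "PSEXESVC"},
    {"host": "FS01", "event_id": 11, "target": r"D:\shares\fin\q3.xlsx.cuba"},
    {"host": "FS01", "event_id": 11, "target": r"D:\shares\fin\q4.xlsx.cuba"},
    {"host": "FS01", "event_id": 11, "target": r"D:\shares\hr\list.docx.cuba"},
    {"host": "FS01", "event_id": 11, "target": r"D:\shares\hr\memo.docx"},
    {"host": "FS01", "event_id": 11, "target": r"D:\shares\hr\plan.pptx.cuba"},
    {"host": "WS12", "event_id": 11, "target": r"C:\Users\a\Desktop\1.pdf.cuba"},
    {"host": "WS12", "event_id": 11, "target": r"C:\Users\a\Desktop\2.pdf.cuba"},
    {"host": "WS12", "event_id": 11, "target": r"C:\Users\a\Desktop\3.pdf.cuba"},
    {"host": "WS07", "event_id": 11, "target": r"C:\tmp\sample.cuba"},
]


def find_psexec_installs(events):
    """Hosts where a service with PsExec's default name was installed."""
    return {e["host"] for e in events
            if e.get("event_id") == 7045
            and e.get("service_name", "").upper() == PSEXEC_SERVICE}


def count_ransom_extensions(events, ext=RANSOM_EXT):
    """Per-host count of newly created files carrying the ransom extension."""
    counts = Counter()
    for e in events:
        if e.get("event_id") == 11 and e.get("target", "").lower().endswith(ext):
            counts[e["host"]] += 1
    return counts


def correlate(events, threshold=3):
    """Alert on hosts with >= threshold ransom-extension writes; raise the
    severity when the same host also saw a PsExec service install."""
    psexec_hosts = find_psexec_installs(events)
    alerts = []
    for host, n in count_ransom_extensions(events).items():
        if n >= threshold:
            remote = host in psexec_hosts
            alerts.append({"host": host, "cuba_files": n, "psexec_seen": remote,
                           "severity": "high" if remote else "medium"})
    return sorted(alerts, key=lambda a: a["host"])


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The threshold is deliberately low for the sample; in production it would be tuned per host class and combined with a time window so that a single renamed file does not page anyone.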