The Cuba ransomware, active since early 2020, is now being distributed through the Hancitor malware, according to a report released today by Group-IB. Hancitor is a loader-type malware that has recently been known to drop stealers, RATs and even other ransomware. Cuba ransomware operates a leak site for stolen data, much like the other, more well-known ransomware groups. The Group-IB report mentions nine victims listed on the site as of April 28th, so the actors behind the ransomware may be hoping to increase their infection rate through this new partnership with Hancitor. The actors appear to be using Cobalt Strike and PsExec before deploying the actual ransomware payload, similar to many other ransomware groups.
Detecting Cobalt Strike beacons in your environment is becoming critical for catching infections before they become full ransomware deployments. Binary Defense recommends utilizing services like Threat Hunting or a 24/7 SOC, such as our own Security Operations Task Force, to quickly find and react to threats on your network. Binary Defense also highly recommends reading and implementing the steps in the ransomware guides from CISA (Cybersecurity & Infrastructure Security Agency) and the NCSC (National Cyber Security Centre). The guides contain detailed information that any organization can use, describing in detail how to back up and protect data, create incident response plans and more.
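The two pre-ransomware stages named above, a Cobalt Strike beacon checking in and PsExec-style service installation, leave traces that can be hunted for in ordinary logs. The following is an added example for illustration, not code from Binary Defense, Group-IB or either product: it flags Windows Event ID 7045 (service installed) records that look like PsExec's `PSEXESVC` service or like Cobalt Strike's psexec lateral-movement option (by default a random 7-character service name whose binary sits in the target's `ADMIN$` share under the same name), and it scores proxy-log traffic for the near-constant check-in interval of a beacon. The log layouts, sample records, field names and thresholds are all assumptions constructed for the example.

```python
"""Added hunting example (not Binary Defense or Group-IB code). Log formats,
field names, thresholds and all sample records below are assumptions."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample of Windows System log Event ID 7045 (a new service was
# installed), flattened to dicts the way a SIEM export might present them.
SERVICE_EVENTS = [
    {"host": "WS01", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"host": "SRV02", "ServiceName": "a1b2c3d",
     "ImagePath": r"\\127.0.0.1\ADMIN$\a1b2c3d.exe"},
    {"host": "SRV03", "ServiceName": "Spooler",
     "ImagePath": r"%SystemRoot%\System32\spoolsv.exe"},
]

# Constructed proxy log, one "timestamp src dst uri" record per line. The
# first host calls one address every ~60 s with small jitter; the second
# browses at irregular human intervals.
PROXY_LOG = """\
2021-04-28T10:00:00 10.0.0.5 203.0.113.10 /ca
2021-04-28T10:01:02 10.0.0.5 203.0.113.10 /ca
2021-04-28T10:02:01 10.0.0.5 203.0.113.10 /ca
2021-04-28T10:03:03 10.0.0.5 203.0.113.10 /ca
2021-04-28T10:04:00 10.0.0.5 203.0.113.10 /ca
2021-04-28T10:05:02 10.0.0.5 203.0.113.10 /ca
2021-04-28T10:00:10 10.0.0.7 198.51.100.20 /news
2021-04-28T10:00:11 10.0.0.7 198.51.100.20 /style.css
2021-04-28T10:03:40 10.0.0.7 198.51.100.20 /article/1
2021-04-28T10:09:05 10.0.0.7 198.51.100.20 /article/2
2021-04-28T10:25:00 10.0.0.7 198.51.100.20 /search?q=x
2021-04-28T10:25:03 10.0.0.7 198.51.100.20 /logo.png
"""


def flag_service_installs(events):
    """Return (host, service, reason) for 7045 events that look like PsExec
    or like Cobalt Strike's psexec option: a random 7-character alphanumeric
    service name whose binary was copied to \\\\target\\ADMIN$\\<name>.exe."""
    hits = []
    for ev in events:
        name, path = ev["ServiceName"], ev["ImagePath"]
        if name.upper() == "PSEXESVC":
            hits.append((ev["host"], name, "PsExec service installed"))
            continue
        admin_share = re.compile(
            r"^\\\\[^\\]+\\ADMIN\$\\" + re.escape(name) + r"\.exe$", re.I)
        if re.fullmatch(r"[A-Za-z0-9]{7}", name) and admin_share.match(path):
            hits.append((ev["host"], name, "Cobalt Strike psexec-style service"))
    return hits


def find_beacon_candidates(log_text, min_requests=5, max_cv=0.2):
    """Group proxy records by (src, dst) and flag pairs whose inter-request
    gaps are nearly constant. A low coefficient of variation (stdev / mean)
    across many requests is the timing signature of a beacon's sleep loop,
    even with the jitter beacons add to each sleep."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _uri = line.split()
        times[(src, dst)].append(datetime.fromisoformat(ts))
    candidates = {}
    for pair, stamps in times.items():
        stamps.sort()
        if len(stamps) < min_requests:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            candidates[pair] = {"requests": len(stamps),
                                "mean_interval_s": round(mean, 1),
                                "cv": round(cv, 3)}
    return candidates


if __name__ == "__main__":
    for hit in flag_service_installs(SERVICE_EVENTS):
        print("service:", hit)
    for pair, info in find_beacon_candidates(PROXY_LOG).items():
        print("beacon candidate:", pair, info)
```

Both checks are deliberately coarse: the service check depends on operators leaving Cobalt Strike's defaults in place, and the beacon check only surfaces regular-interval traffic for an analyst to triage (software updaters and monitoring agents also check in on a schedule). They are a starting point for hunting, not a replacement for the SOC coverage the post recommends.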