VerSprite Cyberwatch: Latest Security News and Advisories

Daniel Stiegman, VerSprite Threat Intelligence Analyst, reacts to the recent FBI and CISA joint advisory on Cuba Ransomware:

The increase of enterprise-focused ransomware activities into 2020, has proved succesful for Threat Actors (TA).  "MAN1" aka "Moskalvzapoe" aka "TA511" has been the threat actor utilizing "Hancitor" as major e-crime groups have shifted away from normal banking trojan operations and moved towards ransom and data theft. This TA's activity has been active in the last year, doubling its victims, and has had a steady increase in its paying victims over that time. main target industries have been Finance, Government, Healthcare, Critical Infrastructure, and IT, while the earlier targets were aviation, financial, education, and manufacturing industries. The TA has acquired over $60 million in ransomware payments over this period. The campaign utilizes a Cuba Ransomware in their attacks, which is not an indicator of a relationship with the Nation/State of Cuba. The group deploys the ransomware by using a distribution tool of "Hancitor" (information stealer and malware downloader) that was typically distributed via spam campaigns. Such emails are disguised to look like DocuSign notifications. This campaign has used "ZeroLogon" as their exploit tool and leveraged a "dropper that writes a kernel driver to the file system called ApcHelper.sys. This targets and terminates security products." In the last 2 years, ransomware groups have found a benefit to evolve their attacks into "double extortion" (2nd Generation ransomware attacks) where the TA will encrypt the data, request a ransom, and threaten to post the stolen data if the target does not pay. Around May 2022, the TA began posting the data on Industrial Spy's online marketplace for sale.
Cuba ransomeware
The TA's TTPs include "copying legitimate HTML code of public-facing webpages, modifying the code, and then incorporating it in a spoofed domain." Their ransom notes state that the do through research on the target's "whole corporate network", encrypted the data, and give the target 3 days to pay, before making the information public. Their notes claim they are very professional, will operate in agreed terms of recovery, confidentiality and would supply evidence of the gained information.  TAs provides contact information and infrastructure for the victims to provide payment and continuous correspondence through a form of a PACE (Primary, Alternate, Contingency, Emergency) plan contact methodology. Link to the advisory

Contact us today to learn how you can better protect your organization.

Subscribe for Our Updates

Subscribe for Our Updates

Please enter your email address and receive the latest updates.