Industry: Critical Infrastructure | Level: Tactical | Source: FBI
The FBI released a flash report for Cuba ransomware based on tracking since November 2021, has compromised 49 entities across various critical infrastructure sectors, including but not limited to, financial, government, healthcare, manufacturing, and information technology. Hancitor malware is identified as the initial infection vector that leads to the Cuba ransomware. Threat actors utilize phishing emails, Microsoft Exchange vulnerabilities, compromised credentials, and RDP tools to gain initial access. Many legitimate Windows services are employed by the threat actors as well such as PowerShell, PsExec, in addition to leveraging Windows Admin privileges to execute their ransomware.
- Anvilogic Scenario: Hancitor & Cuba Ransomware
- Anvilogic Use Cases:
- Executable Process from Suspicious Folder
- PSexec Service Creation
- Remote Admin Tools