"Hackers Behind Cuba Ransomware Attacks Using New RAT Malware"

Threat actors associated with the Cuba ransomware have been linked to previously undocumented tactics, techniques, and procedures (TTPs), including the deployment of a new Remote Access Trojan (RAT) called ROMCOM RAT on compromised systems. The new information comes from Palo Alto Networks' Unit 42 threat intelligence team, which tracks the double-extortion ransomware group under the name Tropical Scorpius. Cuba ransomware, also known as COLDDRAW, was first detected in December 2019, reappeared in November 2021, and has been linked to attacks on 60 entities across five critical infrastructure sectors, collecting at least $43.9 million in ransom payments. Its data leak site lists 60 victims, 40 of which are located in the US, indicating a less global distribution of targeted organizations than that of other ransomware gangs. According to a December 2021 alert from the US Federal Bureau of Investigation (FBI), Cuba ransomware is distributed via Hancitor malware, a loader known for dropping or executing stealers, RATs, and other types of ransomware on victims' networks. To gain initial access to a victim's network, Hancitor operators use phishing emails, Microsoft Exchange vulnerabilities, compromised credentials, or legitimate Remote Desktop Protocol (RDP) tools. According to Trend Micro, the ransomware operation has been upgraded in the intervening months to optimize its execution, minimize unintended system behavior, and provide technical support to ransomware victims who choose to negotiate. This article continues to discuss new findings surrounding the hackers behind Cuba ransomware attacks.

THN reports "Hackers Behind Cuba Ransomware Attacks Using New RAT Malware"