Last Friday, the FBI released a new notice regarding the Cuba ransomware, stating that a threat group has attacked 49 entities spanning five different critical infrastructure sectors. The FBI also noted that the group has likely made at least $43.9 million in ransom payments. The threat group deploying the Hancitor malware is targeting enterprises in the financial, government, healthcare, manufacturing, and information technology sectors. The Hancitor malware is used to gain entry into Windows systems and is a loader known for dropping or executing Remote Access Trojans (RATs).

For initial compromise, Hancitor threat actors are using Microsoft Exchange vulnerabilities, compromised credentials, phishing emails, and Remote Desktop Protocol tools. The cybercrime group is also using legitimate Windows services, leveraging Windows Admin privileges to execute ransomware remotely. After a victim is compromised, the ransomware installs and executes a CobaltStrike beacon and downloads two executable files, which allow the attackers to acquire passwords. The group has operated a leak site since January, where it posts sensitive information collected in its ransomware attacks if companies refuse to pay ransom demands.

Read More: Cuba ransomware group hit 49 critical infrastructure organizations