Using a new remote access trojan, threat actors behind the Cuba ransomware have amassed ransom payments estimated to be close to $44 million.

Over the past five years, countless headlines have been generated by the damage caused by ransomware attacks. Not only do they compromise access to your organization’s data, but they also have the potential to inflict painful financial damage. To make matters worse, these attacks are evolving to become more powerful and harder to prevent. In fact, on many occasions (and as we’ll see with the Cuba ransomware) these evolutions will take place over a matter of months.

Ransomware, therefore, is a very real threat to your organization’s IT network, so it’s important that you understand exactly how the Cuba ransomware operates.

What is the Cuba Ransomware?

Cuba was first detected in late 2019 before disappearing from the frontline and returning two years later in November 2021. Evidence of the Cuba ransomware has been detected in around 60 ransomware attacks, with 40 of these victims revealed to be US-based. Cuba is delivered to PCs through the Hancitor loader, a type of malware which is used to download and execute additional malware e.g. remote access trojans. Hancitor makes its way onto PCs through a variety of means such as phishing emails, stolen login credentials and software vulnerabilities.

Since Cuba first emerged onto the digital landscape, it has undergone a series of significant changes. The most notable changes have seen it terminating more processes before it locks files, widening the range of file types it encrypts and, believe it or not, enhancing its support options for victims wanting to pay. Cuba has also been observed operating a backdoor trojan called ROMCOM RAT, a piece of malware which deletes files and logs data to a remote server.

Protecting Yourself Against the Cuba Ransomware

With Cuba collecting ransom payments of over $40 million, it’s clear to see Cuba is a dangerously effective threat. It’s also important to point out there is currently no known decryption tool available to combat Cuba’s encryption methods. Accordingly, you need to be on your guard against this threat and any similar attacks. Therefore, make sure you practice the following:

  • Install updates: Cuba has the power to exploit software vulnerabilities to gain unauthorized access to computer networks, so it’s crucial that you always install updates as soon as possible. The install process for updates can feel time consuming, but when you have the option to automate these installations, there’s no reason this shouldn’t take place.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More


The Hello XD ransomware was first spotted in the digital wild back in November 2021, but recent research indicates that it’s becoming more virulent.

There’s no such as ‘good’ ransomware, but it’s not unreasonable to describe Hello XD as ‘disastrous’ due to its enhanced capabilities. Whereas, previously, Hello XD focused its efforts on the standard ransomware practice of encrypting files, its evolved form now includes a backdoor feature. This enhanced functionality allows the transfer of data from infected PCs to external sources. Combined with its ransomware feature, this new form of Hello XD represents a huge security risk.

Ransomware is a highly problematic attack, and it’s one which your organization needs to avoid at all costs. Hello XD is the latest in a long line of ransomware attacks and, as ever, it could save you a fortune by understanding how it operates.

Hello XD Steps Up Its Game

Spread through various phishing techniques, Hello XD operates in the following manner once it arrives on a PC:

  • Hello XD’s first step is to disable shadow copy capabilities, this means that system snapshots cannot be saved or accessed. System recovery, therefore, can’t be used to counter the impact of Hello XD.
  • The infected system’s hard drive is then encrypted by Hello XD, all files are encrypted with a .hello extension and rendered inaccessible.

Clearly, Hello XD packs a powerful punch and has the capability to bring your organizations IT operations to a halt. It is believed that Hello XD has been designed by X4K, a Russian-speaking hacker who has been advertising his wares on various hacking forums. It’s also likely that X4K will enhance Hello XD’s capabilities even further for future attacks, so it’s crucial you remain alert.

How Do You Say Goodbye to Hello XD?

The best way to avoid falling victim to Hello XD is by practicing the following:

  • Understand phishing techniques: Hello XD, and many other forms of ransomware, use phishing strategies such as mass emails to snare their victims. Emails, for example, which instill a sense of urgency over financial matters can be used to encourage users to open malicious attachments. However, if your employees understand the tell-tale signs of social engineering, they will be better placed to avoid falling victim to phishing attacks.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More


British shoppers have been warned to expect some of their favorite snacks to be in short supply following a ransomware attack on a major manufacturer.

KP Snacks has been producing snacks in Britain since the 1850s, but this production has recently run into a major obstacle: ransomware. Cyber criminals have successfully launched a ransomware attack on KP Snacks, and its effects are running deep. Due to the impact of the ransomware on their IT infrastructures, KP Snacks has had to advise stores that delays in production are expected. As a result, British shoppers are likely to be facing empty shelves when they head out to pick up their favorite snacks.

Snack food may not be crucial to society, but the impacts of this hack demonstrate why organizations need to remain vigilant.

The Story Behind the Snack Attack

Following an unexplained outage of their IT systems, KP Snacks investigated and discovered that they had fallen victim to a strain of ransomware. The exact details of the ransomware in question has not, as of yet, been disclosed. However, rumors are circulating that the attack was launched by the WizardSpider group, a gang of hackers who attacked the Irish health service in 2021. It’s alleged, according to leaked sources, that KP Snacks was given five days to pay a ransom fee, but clarification on this is lacking.

The response of KP Snacks has been to launch a defensive strike against the attack. Being a major organization, the snack makers had a cybersecurity response plan which was quickly put into action. Third-party security experts have also been drafted in to complete a forensic analysis of the firm’s IT infrastructure. Nonetheless, the disruption to productivity has hit KP Snacks hard. As well as their IT systems being compromised, their communications systems have been hit equally hard. In modern business, these two elements are essential for operating and, as a result, supply shortages are expected.

Protecting Yourself Against Ransomware

While a shortage of snacks may sound like a mild inconvenience, this is only the tip of the iceberg. Not only is there a financial risk for KP Snacks, but the company’s employees can also expect financial ramifications e.g. delayed payments due to compromised IT systems and even the threat of redundancy. Naturally, this is a situation that no organization wants to find itself in, so make sure you always follow this advice:

  • Always Backup: the main impact of ransomware is that it encrypts files before demanding a ransom fee to decrypt them. However, you can minimize the impact of this effect by ensuring you have a strong backup strategy in place. This will provide you with access to your data and provide you with business continuity.
  • User Training: ransomware can be activated in a number of different ways such as infected emails, malicious links and running outdated software. Thankfully, shutting these attack routes down is relatively easy with the correct training. Therefore, regular staff training is vital when it comes to securing your IT defenses.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More


Gaining access to an unauthorized network is every hacker’s dream. And, now, this is easier than ever thanks to the rise of initial access brokers.

Initial access brokers (IABs) are a relatively new trend in the world of hacking. These threats have been tracked for several years now, but they have yet to create major headlines. Nonetheless, they represent a major threat to your organization’s security. And the number of IABs operating online is rising. Therefore, it’s important that you understand what IABs are and the threat they represent. So, to help keep your organization safe, we’re going to look at IABs.

What is an IAB?

We’ve discussed ransomware in depth on numerous occasions, but we’re yet to touch upon the role of IABs when it comes to ransomware. The hard work, for a hacker, is breaking into a network. Most networks will have some level of security, so significant time needs to be invested to beat this. But what if there was someone you could go to for ready-made access? It would be a dream scenario for a hacker and it’s one which is provided by IABs.

Acting as a literal broker, IABs carry out extensive research on organizations to identify those that are considered vulnerable. Slowly, these IABs will build up a portfolio of vulnerable targets and details on how to gain access to their networks. This takes the hard work out of hacking for the hackers and ensures that, for a fee, details of vulnerable networks can be quickly obtained. The majority of these deals take place on the dark web with access details being sold to the highest bidder.

How Do You Avoid Becoming an IAB Listing?

IABs are not selective in the industries that they target and tend to scour all industries for potential victims. These threats are also unfolding on a global basis, but some research has shown that a third of IAB listings involve businesses located in the US. Accordingly, you will want to make sure you don’t find your organization having its vulnerabilities advertised as being for sale. And you can do this by taking note of the following:

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More


Ransomware is a highly destructive form of malware, but it turns out that it can also provide the perfect cover for disk wiping malware.

The pitfalls of becoming a victim of ransomware are well documented. And, as such, the term ransomware is one that strikes fear into the heart of any PC user. But, at the very least, ransomware does give you an option of getting your files back. Naturally, you have to pay a ransom fee for the files to be decrypted, but you can get them back. However, a form of malware called Apostle has now been discovered which pretends to be ransomware when, in fact, it simply wipes your disk drive beyond retrieval.

Data is a crucial commodity in any organization, so it’s important you make it as secure as possible. And one of the perfect ways to do this is by understanding how Apostle works.

How Does Apostle Wipe Disks?

The Apostle malware is believed to originate from Iran and is related to a previous wiper malware called Deadwood. Apostle is not brand new as it has been in the digital wild for some time. But these initial versions of Apostle were flawed and failed to deliver their malicious payload. Since then, the designers of Apostle have tweaked its design to make it more effective. This contemporary version of Apostle presents itself as standard ransomware, but this is merely to throw the victims off guard; its true intent is to destroy data and cause disruption.

The hackers behind Apostle are particularly cunning and are also happy to take ransom payments while destroying the data in question. But this is not where the attack ends. There are signs that Apostle is being used in conjunction with a backdoor attack called IPSec Helper. This allows the hackers to download and execute additional malware and move, undetected, within infected networks. Again, the intention here is to cause disruption.

How Do You Stop Your Disk Being Wiped?

The focus of Apostle, so far, has been Israeli targets, but this does not mean it should be considered a low-level threat. The design of this disk wiper malware can easily be engineered into more virulent and dangerous forms. And this could easily strike at the heart of your business’ operations. Therefore, it’s crucial that you maintain the following practices:

  • Evaluate All Attachments Before Opening: It’s likely that you receive numerous email attachments through the day, but how often do you verify them before opening? Trusted email addresses can, very easily, be taken over or even replicated. And this provides the perfect route for infected files to be opened. So, if in doubt over whether an attachment is safe, always check with an IT professional before opening.
  • Keep Your Software Updated: Another sure-fire way for hackers to gain access to your network is through vulnerabilities caused by outdated software. The best way to counter this threat is by implementing software updates as soon as possible. This minimizes the presence of vulnerabilities and keeps hackers out.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More