Executive Summary

Cuba ransomware first appeared in 2019 but remained relatively unnoticed until November 2021, when the group reportedly targeted a minimum of 49 organizations across various sectors, including government, healthcare, information technology, manufacturing, and finance. During this time, Cuba ransomware operators were infiltrating networks and encrypting files, appending the “.cuba” extension. Over the years, Cuba's ransom demands have totaled at least $145 million, and the group has successfully collected at least $60 million in ransom payments.

By 2022, the threat actors had expanded their tactics, techniques, and procedures (TTPs), leading security researchers to suggest a potential connection between Cuba ransomware actors, RomCom Remote Access Trojan (RAT) actors, and Industrial Spy ransomware actors. This month, Cuba garnered attention when they took responsibility for a cyberattack on The Philadelphia Inquirer. The purported attack resulted in temporary disruptions to the newspaper's distribution and certain business operations. As we delve into Cuba's latest attacks, tactics, and techniques, it is important to assess how ransomware can disrupt business operations.

tir snapshot

  • In 2021, the FBI reported that Cuba successfully targeted a minimum of 49 entities across critical infrastructure sectors, including finance, government, healthcare, manufacturing, and information technology.
  • The ransomware was being distributed through Hancitor malware, a loader known for deploying stealers, Remote Access Trojans (RATs), and various types of ransomware onto victims' networks. In October 2022, Cuba targeted the Ukrainian government by sending its members spoofed phishing emails that appeared to be sent from the 'Press Service of the General Staff of the Armed Forces of Ukraine'.
  • In January 2023, Microsoft stated that Cuba ransomware operators were infiltrating unpatched Microsoft Exchange servers via a critical server-side request forgery (SSRF) vulnerability (CVE-2022-41080).
  • In May 2023, Cuba ransomware took credit for the recent cyber-attack on the Philadelphia Inquirer, causing a temporary disruption in the newspaper's distribution and impacting certain business activities.
  • In December 2021, the FBI reported on Cuba's tactics and techniques. To gain initial access to organizations in critical infrastructure sectors, Cuba leveraged the following techniques: legitimate remote desktop protocol (RDP) tools, compromised credentials, phishing campaigns, and exploiting known vulnerabilities in commercial software.
  • However, since the spring of 2022, Cuba's operators have modified their tactics and techniques, as well as their tools.
  • A ransomware attack can cause significant harm to an organization or business.
  • The best way to get ahead of a ransomware attack is to be proactive, utilizing ransomware best practices to protect against the threat.

cuba ransomware attacks

BREACHED 49 ORGANIZATIONS

In December 2021, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency issued a joint advisory regarding Cuba ransomware. According to the advisory, the group successfully targeted a minimum of 49 entities across critical infrastructure sectors, including finance, government, healthcare, manufacturing, and information technology.

Cuba ransomware was being distributed through Hancitor malware, a loader known for deploying stealers, Remote Access Trojans (RATs), and various types of ransomware onto victims' networks. The actors behind Hancitor used phishing emails, exploited Microsoft Exchange vulnerabilities, compromised credentials, or legitimate Remote Desktop Protocol (RDP) tools to gain initial access to the victim's network.

Once inside, the ransomware actors utilized legitimate Windows services, including PowerShell, PsExec, and other unspecified services, along with Windows administrator privileges, to execute their ransomware and other processes remotely. Targeted files on the compromised network were then encrypted and given the ".cuba" extension.

UKRAINIAN AND CHILEAN GOVERNMENT

In October 2022, the Ukrainian authorities warned about a new ransomware group that was targeting organizations in the country. The unknown group was actually Cuba, and they were sending members of the Ukrainian government spoofed phishing emails that appeared to be sent from the “Press Service of the General Staff of the Armed Forces of Ukraine”. When recipients fell for the scam and clicked on the link provided in the email, they were directed to a webpage where they were encouraged to download a new version of PDF Reader. Unfortunately, this action triggered the execution of a malicious executable.

Running the mentioned file decoded and executed the 'rmtpak.dll' file, which was identified as RomCom malware. Palo Alto Networks originally discovered RomCom in August 2022. Their research connected this remote access Trojan (RAT) to a newly associated Cuba ransomware affiliate called "Tropical Scorpius”, confirming that Cuba allows threat actors to carry out various post-intrusion activities, including data exfiltration. Tropical Scorpius played a significant role in Cuba ransomware infections, accounting for almost half of the victims listed on the group's leak site from 2019 to the summer of 2022.

Palo Alto reported that Cuba ransomware successfully targeted 27 more organizations, including sectors like state and local government, transportation and logistics, utilities and energy, education, healthcare, and others. This information suggests that Cuba's operations in Ukraine were mainly driven by financial motives, rather than being coordinated with the objectives of the Russian state.

The Chilean government also became a victim of Cuba ransomware in 2022. The government’s Microsoft and VMware ESXi servers were targeted by the group. After encrypting the servers and renaming all files with “.crypt”, the group took complete control of the victim’s system and left a ransom note behind with a way to contact them.

MICROSOFT EXCHANGE VULNERABILITIES

In January 2023, in a private threat analytics report, Microsoft stated that Cuba ransomware operators were infiltrating unpatched Microsoft Exchange servers via a critical server-side request forgery (SSRF) vulnerability. The vulnerability was tracked as CVE-2022-41080 and was also used by Play ransomware.

Rackspace, a cloud computing provider, verified that Play ransomware successfully exploited CVE-2022-41080, compromising servers on Rackspace’s network by bypassing ProxyNotShell URL rewrite mitigations. The flaw was initially abused by the ransomware group in late November 2022. Although Microsoft released security updates on November 8, 2022, to resolve the SSRF Exchange vulnerability, and shared information with some customers regarding its exploitation by ransomware groups, the official advisory was not updated to clearly warn about active exploitation in the wild.

PHILADELPHIA INQUIRER

In May 2023, Cuba ransomware took credit for the recent cyber-attack on The Philadelphia Inquirer, causing a temporary disruption in the newspaper's distribution and impacting certain business activities. The breach was disclosed on May 14, 2023, and The Inquirer was forced to take its systems offline. The attack disrupted the distribution of The Inquirer's Sunday newspaper, the most significant disruption since the Blizzard of 1996.

Image 1: Cuba Publishes Stolen Files (Source: Gridinsoft)

Although the Inquirer’s CEO, Lisa Hughes, stated that they had not seen evidence of The Inquirer’s data being shared online, Cuba claimed the cyber attack on its extortion site and allegedly released the newspaper’s data. The data included source code, financial documents, account movements, tax documents, and more. However, the group has since removed the listing, which could mean one of two things: the victim entered negotiations and paid the ransom, or the leaked files didn’t belong to the victim. Brett Callow, a threat analyst at Emsisoft, stated that it’s too early to determine the exact reason why Cuba chose to remove the listing from the extortion site.

TACTICS AND TECHNIQUES

First observed in late 2019, Cuba ransomware is a file-encrypting ransomware that is typically distributed through Hancitor. It is notorious for appending the ".cuba" extension to encrypted files. According to the FBI, since 2021, Cuba ransomware operators have demanded a minimum of $145 million in ransom payments, and it is estimated that they may have already received over $60 million from their victims [1]. The gang has compromised 101 entities, 65 within the United States and 36 outside it.

[1] aa22-335a-stopransomware-cuba-ransomware.pdf (cisa.gov)

2021

In December 2021, the FBI reported on Cuba’s tactics and techniques. To gain initial access to organizations in critical infrastructure sectors, Cuba leveraged the following techniques: legitimate remote desktop protocol (RDP) tools, compromised credentials, phishing campaigns, and exploiting known vulnerabilities in commercial software.

Upon compromise, Cuba installed and executed a Cobalt Strike beacon-as-a-service on the victim’s network via PowerShell. Once installed, the ransomware downloaded two executable files, which included “pones.exe” for password acquisition and “krots.exe,” also known as KPOT, enabling the Cuba ransomware actors to write to the compromised system’s temporary (TMP) file. Once the TMP file was uploaded, the “krots.exe” file was deleted and the TMP file was executed in the compromised network.

The TMP file included Application Programming Interface (API) calls related to memory injection that, once executed, deleted itself from the system. Upon deletion of the TMP file, the compromised network communicated with a malware repository located at Montenegro-based Uniform Resource Locator (URL) teoresp[.]com.

Additionally, Cuba ransomware actors used Mimikatz to steal credentials, and then used RDP to log into the compromised network host with a specific user account. Once the RDP connection was complete, Cuba used the Cobalt Strike server to communicate with the compromised user account. One of the initial PowerShell script functions allocated memory space to run a base64-encoded payload.

Once this payload was loaded into memory, it was used to reach the remote command-and-control (C2) server and then deployed the next stage of files for the ransomware. The remote C2 server is located at the malicious URL kurvalarva[.]com.

2022

However, since the spring of 2022, Cuba’s operators have modified their tactics and techniques, as well as their tools. According to Palo Alto Networks, Cuba has exploited known vulnerabilities and weaknesses, using various tools to escalate privileges on compromised systems:

  • Exploited CVE-2022-24521 within the Windows Common Log File System (CLFS) driver to steal system tokens and escalate their privileges.
  • Utilized a PowerShell script to identify and target service accounts and their corresponding Active Directory Kerberos tickets. The actors then gathered the Kerberos tickets and cracked them offline, a technique known as Kerberoasting.
  • Employed a tool named KerberCache to extract cached Kerberos tickets from the Local Security Authority Server Service (LSASS) memory of a host.
  • The threat actors also used a specialized tool to exploit CVE-2020-1472, commonly referred to as "ZeroLogon," in order to gain Domain Administrative privileges. The tool, along with its associated intrusion attempts, is linked to the activities of Hancitor and Qbot.
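The Kerberoasting pattern in the list above leaves a trace on domain controllers. What follows is an added example, not code from the Avertium report or from the FBI or Palo Alto Networks sources it cites: a heuristic over Windows Security event 4769 ("A Kerberos service ticket was requested") records that flags one account requesting RC4-encrypted service tickets for several service accounts. Field names follow the 4769 event schema; the sample records are constructed.

```python
from collections import defaultdict

# RC4-HMAC (0x17) and RC4-HMAC-EXP (0x18) ticket encryption types. Kerberoasting
# requests RC4 service tickets because the RC4 key is derived directly from the
# service account's password, which makes the ticket cheap to crack offline.
RC4_ETYPES = {"0x17", "0x18"}

# Constructed sample 4769 records (not real telemetry): one user sweeps several
# SPN-backed service accounts with RC4 tickets; the rest is ordinary noise.
SAMPLE_4769 = [
    {"TargetUserName": "jsmith@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.23", "Status": "0x0"},
    {"TargetUserName": "jsmith@CORP.LOCAL", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.23", "Status": "0x0"},
    {"TargetUserName": "jsmith@CORP.LOCAL", "ServiceName": "svc_iis",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.23", "Status": "0x0"},
    {"TargetUserName": "jsmith@CORP.LOCAL", "ServiceName": "svc_sql",  # repeat
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.23", "Status": "0x0"},
    {"TargetUserName": "adoe@CORP.LOCAL", "ServiceName": "svc_sql",  # AES256
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.7.41", "Status": "0x0"},
    {"TargetUserName": "WS042$@CORP.LOCAL", "ServiceName": "DC01$",  # computers
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.9.12", "Status": "0x0"},
    {"TargetUserName": "adoe@CORP.LOCAL", "ServiceName": "krbtgt",  # TGT path
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.7.41", "Status": "0x0"},
]


def is_machine_account(name):
    """Computer accounts end in '$' (before any @REALM suffix)."""
    return name.split("@", 1)[0].endswith("$")


def is_roastable_request(ev):
    """True for a successful RC4 service-ticket request made by a user account
    for a user-owned service account: the ticket Kerberoasting collects for
    offline cracking. krbtgt and computer-account services are excluded."""
    if ev.get("Status") != "0x0" or ev.get("TicketEncryptionType") not in RC4_ETYPES:
        return False
    if is_machine_account(ev["TargetUserName"]):
        return False
    service = ev["ServiceName"].split("/", 1)[0]  # strip any SPN suffix
    return service.lower() != "krbtgt" and not is_machine_account(service)


def kerberoast_candidates(events, min_services=3):
    """Return {requester: sorted distinct services} for accounts that pulled RC4
    tickets for at least `min_services` different service accounts. One RC4
    ticket may be legacy software; a sweep across many SPNs is the signal."""
    per_account = defaultdict(set)
    for ev in events:
        if is_roastable_request(ev):
            per_account[ev["TargetUserName"]].add(ev["ServiceName"])
    return {acct: sorted(svcs) for acct, svcs in per_account.items()
            if len(svcs) >= min_services}


if __name__ == "__main__":
    for acct, svcs in kerberoast_candidates(SAMPLE_4769).items():
        print(f"possible Kerberoasting by {acct}: {', '.join(svcs)}")
```

Tickets lifted from LSASS memory with a tool such as KerberCache do not generate new 4769 events, so this check complements rather than replaces endpoint monitoring of LSASS access.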

Palo Alto Networks also stated that Cuba uses specific tools to evade detection as they move laterally through compromised environments before ultimately executing the ransomware. The threat actors utilize a dropper that generates a kernel driver named ApcHelper.sys, which is designed to target and terminate security products. Although the dropper itself is unsigned, the kernel driver is signed with a certificate obtained from the LAPSUS$ NVIDIA leak. Cuba also uses double extortion, demanding a ransom payment in exchange for data decryption and threatening to publicly disclose stolen data if the ransom is not paid.

ransomware disrupts business operations

A ransomware attack can cause significant harm to an organization or business. In addition to lost work time, a ransomware attack can cause an organization reputational damage, as well as legal and regulatory penalties for failing to protect data. What most organizations fail to realize is that by the time ransomware begins encrypting files, the damage has already been done.

Unless an organization can fully recover its files from backups, there will be some data loss, even if a ransom is paid. Additionally, modern ransomware often steals and sends out data before encrypting it, indicating that the company may have already experienced a data breach. The best way to get ahead of a ransomware attack is to be proactive, utilizing ransomware best practices to protect against the threat:

  • Regularly back up data, air gap, and password-protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
  • Implement Data Loss Prevention (DLP) solutions on all employee systems.
  • Block URLs that may spread malware.
  • Don’t open untrusted links and email attachments without verifying their authenticity.
  • Use strong passwords and multi-factor authentication.
  • Use antivirus and internet security software on your devices.
  • Monitor the network for beaconing in order to block data-exfiltration malware or threat actors (TAs).
  • Educate employees on threats like phishing and provide the proper training they need to recognize phishing attempts.

MITRE MAP

Cuba MITRE Map

avertium's recommendations

Avertium and the FBI recommend that network defenders apply the following mitigations to reduce the risk of compromise by Cuba ransomware:

  • Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to have strong, unique passwords. Passwords should not be reused across multiple accounts or stored on the system where an adversary may have access.
    • Note: Devices with local administrative accounts should implement a password policy that requires strong, unique passwords for each individual administrative account.
  • Keep all operating systems and software up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.
  • Remove unnecessary access to administrative shares, especially ADMIN$ and C$.
    • If ADMIN$ and C$ are deemed operationally necessary, restrict privileges to only the necessary service or user accounts and perform continuous monitoring for anomalous activity.
  • Use a host-based firewall to only allow connections to administrative shares via server message block (SMB) from a limited set of administrator machines.

how avertium is protecting our customers

  • Avertium offers user awareness training through KnowBe4. The service also includes Incident Response Table-Top exercises (IR TTX) and Core Security Document development, as well as a comprehensive new-school approach that integrates baseline testing using mock attacks.
  • Avertium offers Zero Trust Network as a Service (ZTNaaS) for any organization that wants to control their attack surface. The zero-trust security model delivers exactly what the name promises: it is an IT security concept that specifies no access is allowed until the successful completion of authentication and authorization processes.
  • Avertium offers Vulnerability Management (VM) to provide a deeper understanding and control over organizational information security risks. If your enterprise is facing challenges with the scope, resources, or skills required to implement a vulnerability management program with your team, outsourced solutions can help you bridge the gap.
  • Minimizing the impact of a successful ransomware attack requires detecting it as early in the attack as possible. A Security Information and Event Management (SIEM) system can help an organization to accomplish this. Avertium offers a comprehensive SIEM-based approach that increases the potential for detecting a ransomware infection before it deploys. SIEM provides a holistic overview of a company’s IT environment from a single point of view in terms of its specific security events, empowering teams to detect and analyze unusual behavior.

INDICATORS OF COMPROMISE (IoCs)

IP Addresses

  • 37[.]120[.]193[.]123
  • 40[.]115[.]162[.]72
  • 157[.]245[.]70[.]127
  • 31[.]44[.]184[.]82
  • 185[.]153[.]199[.]176

Bitcoin Wallets

  • bc1qvpk8ksl3my6kjezjss9p28cqj4dmpmmjx5yl3y
  • bc1qhtwfcysclc7pck2y3vmjtpzkaezhcm6perc99x
  • bc1qft3s53ur5uq5ru6sl3zyr247dpr55mnggwucd3
  • bc1qp7h9fszlqxjwyfhv0upparnsgx56x7v7wfx4x7


MD5 – Hashes

  • 4c32ef0836a0af7025e97c6253054bca
  • 03c835b684b21ded9a4ab285e4f686a3
  • 236f5de8620a6255f9003d054f08574b

 


SUPPORTING DOCUMENTATION

Ukraine Warns of Cuba Ransomware Attacks - Infosecurity Magazine (infosecurity-magazine.com)

Microsoft Word - Cuba Ransomware FLASH NOV11292021(1) (ic3.gov)

FBI: Cuba ransomware raked in $60 million from over 100 victims (bleepingcomputer.com)

Novel News on Cuba Ransomware: Greetings From Tropical Scorpius (paloaltonetworks.com)

CERT-UA

Unit 42 (paloaltonetworks.com)

Chile and Montenegro Floored by Ransomware - Infosecurity Magazine (infosecurity-magazine.com)

Microsoft: Cuba ransomware hacking Exchange servers via OWASSRF flaw (bleepingcomputer.com)

CVE-2022-41080 - Security Update Guide - Microsoft - Microsoft Exchange Server Elevation of Privilege Vulnerability

Philadelphia Inquirer is Struck by Cuba Ransomware – Blogs (gridinsoft.com)


Philly Inquirer disputes Cuba ransomware gang's leak claims • The Register

FBI Warns of Cuba Ransomware Attacks on Critical Infrastructure - SecurityWeek

Cuba Ransomware Group’s New Variant Found Using Optimized Infection Techniques (trendmicro.com)

Signed driver malware moves up the software trust chain – Sophos News

Healthcare Sector Warned About Cuba Ransomware Attacks (hipaajournal.com)

Cuba Ransomware gang hacking Microsoft Exchange Servers - Cybersecurity Insiders (cybersecurity-insiders.com)

Cuba ransomware claims cyberattack on Philadelphia Inquirer (bleepingcomputer.com)

aa22-335a-stopransomware-cuba-ransomware.pdf (cisa.gov)

How Should Companies Handle Ransomware? - Check Point Software


CISA Alert AA22-335A: Cuba Ransomware Analysis, Simulation, TTPs & IOCs (picussecurity.com)

FBI: Cuba ransomware breached 49 US critical infrastructure orgs (bleepingcomputer.com)

APPENDIX II: Disclaimer

This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses being exploited to compromise data.

Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.

COPYRIGHT: Copyright © Avertium, LLC and/or Avertium Tennessee, Inc. | All rights reserved.
