In the latest #StopRansomware effort of publicizing ransomware information for network defenders, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a joint Cybersecurity Advisory (CSA) on the ransomware known as “Cuba.” Though named “Cuba,” the ransomware and its operators have no known link to the country. The recent advisory is reportedly an update from an FBI Flash notice on December 2021. As such, updated tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) are included in this advisory.
Since the aforementioned FBI Flash notice, CISA and the FBI have noted that US-based organizations victimized by Cuba ransomware have doubled. Third-party and open-source reports have also discovered a possible connection between Cuba ransomware actors, RomCom RAT (remote access Trojan) actors, and Industrial Spy ransomware actors.
Cuba ransomware 101
Despite its name, threat actors behind Cuba ransomware haven’t indicated a connection or affiliation with the Republic of Cuba.
Cuba ransomware is a Windows malware written in C++ that surfaced in late 2019. Like other ransomware groups, its threat actors use double extortion tactics, predominantly targeting organizations in the US in five critical infrastructure sectors: critical manufacturing, financial services, government facilities, healthcare and public health, and information technology. All stolen sensitive information is posted to their leak site, accessible only via Tor, the online tool that allows for anonymous browsing and internet connections.
This ransomware arrives on target networks via spam campaigns, meaning emails are sent out to organizations with no particular target. In more recent campaigns, the Cuba ransomware has been seen being dropped by the malware downloader Hancitor (also known as Chancitor).
The spam email contains a download link where a Word document with malicious macros can be downloaded and opened. If users enable the macro when prompted, this document extracts and executes Hancitor. This malware then communicates with its command-and-control (C2) server to download several tools, facilitate lateral movement, and extract data.
It then drops and installs Cuba ransomware using PowerShell or PsExec.
Cuba ransomware has already been involved in several noteworthy attacks. In February 2021, it hit the widely used payment processor Automatic Funds Transfer Services (AFTS), affecting cities and agencies in Washington and California. In October 2022, Cuba ransomware threat actors impersonated the press office of the General Staff of the Armed Forces of Ukraine in a phishing campaign. According to Profero, a company specializing in rapid incident response involved in negotiations between Cuba ransomware victims and attackers, the threat actors speak Russian.
Mitigating Cuba ransomware attacks
CISA and the FBI issued mitigations for network defenders to follow to reduce attack risks from Cuba ransomware. Some of these are as follows:
- Create and implement a recovery plan (if you don’t have one yet) to maintain and retain copies of pertinent and proprietary data.
- All accounts that use passwords must at least comply with National Institute for Standards and Technology (NIST) standards.
- Enable multi-factor authentication (MFA) on all accounts, especially those that access critical systems.
- Ensure all software you use are updated to their latest versions and fully patched.
- Audit accounts, paying particular attention to those with administrator privileges, and configure control accordingly.
You can read the complete and detailed list of recommended mitigations on this page. Various IOCs (associated files, email addresses, a Jabber address, IP addresses, Bitcoin wallets, and ransom notes) and MITRE ATT&CK techniques are also found on that page.
We don’t just report on threats—we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.