{"id":20741,"date":"2022-12-08T09:10:21","date_gmt":"2022-12-08T17:10:21","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/12\/08\/news-14474\/"},"modified":"2022-12-08T09:10:21","modified_gmt":"2022-12-08T17:10:21","slug":"news-14474","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/12\/08\/news-14474\/","title":{"rendered":"CISA and the FBI issue alert about Cuba ransomware"},"content":{"rendered":"

In the latest #StopRansomware effort of publicizing ransomware information for network defenders, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a joint Cybersecurity Advisory (CSA)<\/a> on the ransomware known as “Cuba.” Though named “Cuba,” the ransomware and its operators have no known link to the country. The recent advisory is reportedly an update from an FBI Flash notice on December 2021<\/a>. As such, updated tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) are included in this advisory.<\/p>\n

Since the aforementioned FBI Flash notice, CISA and the FBI have noted that US-based organizations victimized by Cuba ransomware have doubled. Third-party and open-source reports have also discovered a possible connection between Cuba ransomware actors, RomCom RAT (remote access Trojan)<\/a> actors, and Industrial Spy ransomware<\/a> actors. <\/p>\n

Cuba ransomware 101<\/h2>\n

Despite its name, threat actors behind Cuba ransomware haven’t indicated a connection or affiliation with the Republic of Cuba.<\/p>\n

Cuba ransomware is a Windows malware written in C++ that surfaced in late 2019<\/a>. Like other ransomware groups, its threat actors use double extortion tactics, predominantly<\/a> targeting organizations in the US in five critical infrastructure sectors: critical manufacturing, financial services, government facilities, healthcare and public health, and information technology. All stolen sensitive information is posted to their leak site, accessible only via Tor, the online tool that allows for anonymous browsing and internet connections.<\/p>\n

\"\"Overview of Cuba ransomware’s leak page, ransom note, and a trove of encrypted files.
(Source: Malwarebytes Threat Intelligence Team)<\/p>\n

This ransomware arrives on target networks via spam campaigns, meaning emails are sent out to organizations with no particular target. In more recent campaigns, the Cuba ransomware has been seen being dropped by the malware downloader Hancitor<\/a> (also known as Chancitor).<\/p>\n

The spam email contains a download link where a Word document with malicious macros can be downloaded and opened. If users enable the macro when prompted, this document extracts and executes Hancitor. This malware then communicates with its command-and-control (C2) server to download several tools, facilitate lateral movement, and extract data.<\/p>\n

It then drops and installs Cuba ransomware using PowerShell or PsExec.<\/p>\n

Cuba ransomware has already been involved in several noteworthy attacks. In February 2021<\/a>, it hit the widely used payment processor Automatic Funds Transfer Services (AFTS), affecting cities and agencies in Washington and California. In October 2022, Cuba ransomware threat actors impersonated the press office of the General Staff of the Armed Forces of Ukraine in a phishing campaign. According to Profero<\/a>, a company specializing in rapid incident response involved in negotiations between Cuba ransomware victims and attackers, the threat actors speak Russian.<\/p>\n

Mitigating Cuba ransomware attacks<\/h2>\n

CISA and the FBI issued mitigations for network defenders to follow to reduce attack risks from Cuba ransomware. Some of these are as follows:<\/p>\n