Cuba Ransomware Nets Nearly $50m
The threat actors behind the Cuba ransomware variant have already amassed $44m through targeting of at least 49 victims, according to the FBI.
The bureau’s latest ‘flash’ alert revealed that the group had demanded at least $74m from its victims. These victims frequently come from critical infrastructure sectors like financial, government, healthcare, manufacturing, and IT.
“Cuba ransomware is distributed through Hancitor malware, a loader known for dropping or executing stealers, such as Remote Access Trojans (RATs) and other types of ransomware, onto victims’ networks,” the FBI explained.
“Hancitor malware actors use phishing emails, Microsoft Exchange vulnerabilities, compromised credentials, or legitimate Remote Desktop Protocol (RDP) tools to gain initial access to a victim’s network. Subsequently, Cuba ransomware actors use legitimate Windows services — such as PowerShell, PsExec, and other unspecified services — and then leverage Windows admin privileges to execute their ransomware and other processes remotely.”
Following a compromise, the ransomware will install and execute a CobaltStrike beacon as a service on the victim’s network via PowerShell. It also uses MimiKatz malware to steal RDP credentials and hijack user accounts, the report claimed.
The FBI took a notably softer line in the alert on organizations that go against its advice and pay their extorters. The bureau claimed it “understands” if corporate victims have to engage with their attackers in order to protect shareholders, customers and employees.
However, it urged firms to report any incidents to the FBI, even if they do pay-up, as this provides invaluable information to prevent future attacks and enable tracking of key groups.
“The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, Bitcoin wallet information, the decryptor file, and/or a benign sample of an encrypted file,” it said of the Cuba variant.
It’s believed that Cuba has been active since January 2020.