Cuba ransomware gang hacked 49 US critical infrastructure organizations

The FBI has revealed that the Cuba ransomware gang breached the networks of at least 49 US critical infrastructure organizations.

A flash alert published by the FBI has reported that the Cuba ransomware gang breached the networks of at least 49 US critical infrastructure organizations.

“The FBI has identified, as of early November 2021 that Cuba ransomware actors have compromised at least 49 entities in five critical infrastructure sectors, including but not limited to the financial, government, healthcare, manufacturing, and information technology sectors.” reads the flash alert published by the Federal Bureau of Investigation.

Cuba ransomware has been active since at least January 2020. Its operators have a data leak site, where they post exfiltrated data from their victims who refused to pay the ransom.  The ransomware encrypts files on the targeted systems using the “.cuba” extension.

Cuba ransomware has been actively distributed through the Hancitor malware, a commodity malware that partnered with ransomware gangs to help them gain initial access to target networks. The Hancitor downloader has been active since at least 2016 for dropping Pony and Vawtrak. As a loader, it has been used to download other malware families, such as Ficker stealer and NetSupport RAT, to compromised hosts.

The Hancitor malware is distributed through phishing emails, or using compromised credentials, exploiting Microsoft Exchange vulnerabilities, or legitimate Remote Desktop Protocol (RDP) tools to gain initial access to a victim’s network.

The report also states that Cuba ransomware operators also abused legitimate Windows services (i.e. PowerShell, PsExec) and other unspecified services to remotely execute malicious code and launch their ransomware.

According to the report Cuba ransomware operators received at least US $43.9 million in ransom payments out of US $74 million in ransom requested.

Once compromised a victim’s system, the ransomware installs and executes a CobaltStrike beacon as a service
on the target’s network via PowerShell. Upon installing the ransomware, it downloads two executable files, which include the password stealer “pones.exe” and “krots.exe,” (aka) KPOT, which allows threat actors to write to the compromised system’s temporary (TMP) file.

“Once the TMP file is uploaded, the “krots.exe” file is deleted and the TMP file is executed in the compromised network. The TMP file includes Application Programming Interface (API) calls related to memory injection that, once executed, deletes itself from the system. Upon deletion of the TMP file, the compromised network begins communicating with a reported malware repository located at Montenegro-based Uniform Resource Locator (URL)
teoresp.com.” states the alert.

The FBI invites security professionals to share information about Cuba ransomware activity, feds are seeking information such as boundary logs showing communication to and from foreign IP addresses, Bitcoin wallet information, the decryptor file, and/or a benign sample of an encrypted file.

The FBI discourages paying the ransom because there is no guarantee to recover the encrypted files. By paying the ransom, victims encourage threat actors to engage in the distribution of ransomware.

The alert includes indicators of compromise and mitigations.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]