Cuba Ransomware received over $60M in Ransom payments as of August 2022

Cuba ransomware gang received more than $60 million in ransom payments related to attacks against 100 entities worldwide as of August 2022.

The threat actors behind the Cuba ransomware (aka COLDDRAW, Tropical Scorpius) have demanded over 145 million U.S. Dollars (USD) and received more than $60 million in ransom payments from over 100 victims worldwide as of August 2022, the US government states.

Like other ransomware gangs, Cuba used ‘double extortion’ techniques which means that it exfiltrates data from the target systems before encrypting them and demanding a ransom payment, threatening to publicly release it if payment is not made.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) published a joint advisory that provides technical details about the gang’s operations, including tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with Cuba ransomware.

“FBI has identified a sharp increase in the both the number of compromised U.S. entities and the ransom amounts demanded by Cuba actors.” reads the report. “Since spring 2022, Cuba ransomware actors have expanded their TTPs. Third-party and open-source reports have identified a possible link between Cuba ransomware actors, RomCom Remote Access Trojan (RAT) actors, and Industrial Spy ransomware actors.”

Since December 2021 Cuba operators are continuing to target U.S. entities Financial Services, Government Facilities, Healthcare and Public Health, Critical Manufacturing, and Information Technology.

Cuba gang has leveraged multiple techniques to gain initial access into victims’ networks, including the exploitation of nown vulnerabilities in commercial software [T1190], phishing campaigns [T1566], compromised credentials [T1078], legitimate remote desktop protocol (RDP) tools [T1563.002]. 

Once gained initial access, the attackers distributed Cuba ransomware on compromised systems using the Hancitor loader.

Below are the vulnerabilities exploited by the group in its attacks:

• CVE-2022-24521 – elevation of privilege flaw in Windows Common Log File System (CLFS) Driver
• CVE-2020-1472 – elevation of privilege flaw in Netlogon remote protocol (aka ZeroLogon)

In May, MalwareHunterTeam found evidence that links Cuba and the Industrial Spy crew.

Since spring 2022, multiple reports also linked RomCom RAT actors to the Cuba gang. 

Additional details are included in the advisory “Alert (AA22-335A) #StopRansomware: Cuba Ransomware.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, CISA)

[adrotate banner=”5″]

[adrotate banner=”13″]