| Cuba | |
|---|---|
| Type of Malware | Ransomware |
| Additional names | Fidel, COLDDRAW |
| Country of Origin | Russia |
| Date of initial activity | 2019 |
| Targeted Countries | United States |
| Associated Groups | Cuba Ransomware Group |
| Motivation | Financial Gain |
| Attack vectors | Known vulnerabilities in commercial software, Phishing campaigns, Compromised credentials, Legitimate remote desktop protocol (RDP) tools |
| Tools | Malware: Bughatch, Burntcigar, Cobeacon, Colddraw, Hancitor (Chanitor), Termite, Wedgecut, KerberCache, ZeroLogon. Tools: Mimikatz, PowerShell, ProxyLogon, ProxyShell, PsExec, Remote Desktop Protocol. |
| Targeted System | Windows |
Overview
Cuba ransomware, also known as Fidel, was first discovered in late 2019 and rose to prominence in 2022. Cuba’s impact doubled year-over-year, compromising hundreds of victims—in 2022, it collected more than $60 million in ransom, prompting CISA and the FBI to issue flash alerts. Despite its Cuban nationalist theme on its official Tor-based website, intelligence points to the group’s Russian membership, evidenced by typical Russian misspellings in communications. Cuba ransomware is affiliated with the small but high-impact threat actors RomCom and Industrial Spy.
Cuba’s use of standard commercial software packing techniques is considered less sophisticated than state-sponsored malware, indicating it is likely the product of a small but talented group of profit-seeking individuals. “Packing” refers to compressing software and required libraries into a single binary executable that is difficult to reverse-engineer or detect by antivirus scanners.
Cuba is deployed selectively using a big game hunting strategy, targeting a few high-profile organizations in the financial services, government, healthcare, critical infrastructure, and IT sectors. Reports indicate that Cuba operators reliably deliver a decryption package to decrypt victims’ files when ransom is paid, but they also employ a double-extortion tactic and are known to publish the stolen data and documents of victims who refuse to pay.
Targets
U.S. entities in the following five critical infrastructure sectors: Financial Services, Government Facilities, Healthcare and Public Health, Critical Manufacturing, and Information Technology.
How they operate
Initial Access
After gaining initial access, the actors deployed Cuba ransomware on compromised systems using Hancitor, a loader known for delivering or executing stealers, Remote Access Trojans (RATs), and other types of ransomware onto victims’ networks.
Since spring 2022, Cuba ransomware actors have adjusted their TTPs and tools to better interact with compromised networks and extort payments from victims. They have exploited known vulnerabilities and weaknesses, utilizing tools to elevate privileges on compromised systems.
Defense Evasion
Cuba ransomware will cease its routine if a Russian keyboard layout is detected, terminating and deleting itself instead. It uses various components to terminate AV-related processes, including the KillAV tool. Additionally, it exploits an Avast driver vulnerability (“C:\windows\temp\aswArPot.sys”) to terminate services.
Discovery
Cuba ransomware can find, list, and encrypt files on available connected and shared networks when “-netscan” is provided as an argument upon execution.
It finds, lists, and encrypts files on connected removable drives when “-net” is provided as an argument upon execution.
It finds, lists, and encrypts local files when either “-local” or no argument is provided upon execution.
A tool is used to scan available networks during its lateral movement phase.
Lateral Movement
For lateral movement, Cuba ransomware employs tools such as RDP, SMB, and PsExec. It frequently uses Cobeacon to facilitate movement within the victim networks discovered by its network discovery tools.
Following lateral movement, the threat actors deploy various backdoors, including the publicly available NetSupport RAT, Beacon, and Bughatch, often deployed using the Termite in-memory dropper.
Command and Control
Cuba ransomware uses its own Cobalt Strike network to communicate back to its command-and-control (C&C) server. It also uses PROXYHTA to communicate with the C&C server and download additional components.
Impact
The ransomware uses a combination of Salsa and RSA for its encryption algorithm, employing LibTomCrypt for its cryptography implementations. It uses Salsa20 to encrypt files and RSA to encrypt the Salsa key, preventing decryption of the encrypted files.
It checks the file marker FIDEL.CA to determine if the file is already encrypted. If it isn’t, it will prepend the file marker and the encrypted Salsa key. After encryption, it renames the file, adds the “.cuba” extension, and drops a ransom note.
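The marker and extension described above give responders a cheap triage check. The following script is an added example, not code from the profile or from any vendor report: it walks a directory tree, reads only the first eight bytes of each file, and classifies files by whether the FIDEL.CA marker and the .cuba extension are both present. The sample tree, and the 32 zero bytes standing in for the encrypted Salsa key (whose length the profile does not state), are constructed for the example.

```python
import os
import tempfile

# Values from the profile above; everything else here is constructed for the example.
CUBA_MARKER = b"FIDEL.CA"   # marker prepended to each encrypted file
CUBA_EXT = ".cuba"          # extension appended after encryption

def classify(head: bytes, name: str) -> str:
    """Classify one file from its leading bytes and its name."""
    has_marker = head.startswith(CUBA_MARKER)
    has_ext = name.lower().endswith(CUBA_EXT)
    if has_marker and has_ext:
        return "encrypted"        # marker written and file renamed: encryption completed
    if has_marker:
        return "marker-only"      # marker written but file not renamed: run interrupted?
    if has_ext:
        return "extension-only"   # renamed without the marker: not Cuba's own output
    return "clean"

def triage(root: str) -> dict:
    """Walk a tree and count files per class, reading only the marker-length prefix."""
    counts = {"encrypted": 0, "marker-only": 0, "extension-only": 0, "clean": 0}
    for dirpath, _, files in os.walk(root):
        for name in files:
            with open(os.path.join(dirpath, name), "rb") as fh:
                head = fh.read(len(CUBA_MARKER))
            counts[classify(head, name)] += 1
    return counts

def demo() -> dict:
    """Build a constructed sample tree in a temp dir and triage it."""
    root = tempfile.mkdtemp()
    # 32 zero bytes are a placeholder for the prepended encrypted Salsa key (assumed length).
    samples = {
        "report.docx.cuba": CUBA_MARKER + b"\x00" * 32 + b"ciphertext",
        "ledger.xlsx": CUBA_MARKER + b"\x00" * 32 + b"ciphertext",
        "notes.txt.cuba": b"plain text renamed by hand",
        "readme.txt": b"untouched",
    }
    os.makedirs(os.path.join(root, "shared"))
    for name, data in samples.items():
        with open(os.path.join(root, "shared", name), "wb") as fh:
            fh.write(data)
    return triage(root)

if __name__ == "__main__":
    print(demo())
```

A "marker-only" or "extension-only" count on a real share is worth a closer look: the former suggests an interrupted run, the latter files that were renamed by something other than the ransomware itself.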
Techniques Used (MITRE)
Initial Access
T1190 – Exploit Public-Facing Application
Cuba ransomware has been observed exploiting vulnerable Microsoft Exchange servers via ProxyShell and ProxyLogon to drop and execute PowerShell scripts for the next stages of the attack.
T1566 – Phishing
Reports mention Cuba ransomware being the payload of Hancitor malicious spam campaigns.
Execution
T0807 – Command-Line Interface
Java and PHP webshells are used to perform remote commands or deliver Cobeacon.
T1059 – Command and Scripting Interpreter
A batch file is used to copy and execute KillAV and ransomware samples from a shared folder.
Defense Evasion
T1480 – Execution Guardrails
Cuba ransomware will terminate and delete itself if the keyboard layout language is Russian.
T1630 – Indicator Removal on Host
Cuba ransomware terminates and deletes itself after execution or if certain conditions are met.
T1629 – Impair Defenses
The ransomware terminates a list of running AV-related processes, if discovered, via its KillAV component. Cuba ransomware also exploits an Avast driver vulnerability to terminate processes and services.
Credential Access
T1003 – OS Credential Dumping
The ransomware uses Mimikatz to dump credentials.
Discovery
T1135 – Network Share Discovery
Cuba ransomware uses a component dubbed as Wedgecut that takes an argument containing a list of hosts or IP addresses and checks whether they are online using ICMP packets.
Command and Control
T1437 – Application Layer Protocol
Uses its Cobeacon network to send and receive information and commands from the threat actors. Cuba ransomware uses a component dubbed ProxyHTA to download additional components from its C&C servers.
Lateral Movement
T0867 – Lateral Tool Transfer
Cuba ransomware uses tools such as RDP, SMB, and PsExec, frequently using Cobeacon to facilitate movement within the victim network across the hosts found by its network discovery tools.
Exfiltration
T1041 – Exfiltration Over C2 Channel
Cuba ransomware employs its Cobeacon network to send stolen information back to the threat actors.
Impact
T0881 – Service Stop
Terminates the following services and processes via API calls:
– MySQL
– MYSQL80
– MSSQLSERVER
– SQLWriter
– MSDTC
– SQLBrowser
– sqlservr.exe
– sqlwriter.exe
– msdtc.exe
– sqlbrowser.exe
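The fixed list of database services and processes above is a usable detection signal: a legitimate maintenance window rarely stops MSSQLSERVER, SQLWriter, MSDTC and SQLBrowser within the same few seconds. The script below is an added example, not from the profile or any product: it parses constructed log lines in a simplified "time|event_id|message" layout (event 7036 mirrors the Windows System log "service entered the stopped state" record, event 5 mirrors a Sysmon process-termination record) and alerts when at least three distinct names from the list stop within a 60-second window; the threshold and window are assumptions.

```python
import re

# Service and process names taken from the T0881 list above.
CUBA_SERVICES = {"MySQL", "MYSQL80", "MSSQLSERVER", "SQLWriter", "MSDTC", "SQLBrowser"}
CUBA_PROCESSES = {"sqlservr.exe", "sqlwriter.exe", "msdtc.exe", "sqlbrowser.exe"}
WINDOW_SECONDS = 60   # assumed burst window
MIN_HITS = 3          # assumed number of distinct names before alerting

# Constructed sample lines: "HH:MM:SS|event_id|message".
SAMPLE_LOG = """\
10:01:02|7036|The MSSQLSERVER service entered the stopped state.
10:01:02|7036|The SQLWriter service entered the stopped state.
10:01:03|7036|The MSDTC service entered the stopped state.
10:01:03|5|Process terminated: Image=C:\\MSSQL\\Binn\\sqlservr.exe
10:01:05|7036|The Spooler service entered the stopped state.
10:45:00|7036|The SQLBrowser service entered the stopped state.
"""

SERVICE_RE = re.compile(r"The (\S+) service entered the stopped state")
PROCESS_RE = re.compile(r"Image=.*?([^\\/]+\.exe)$", re.IGNORECASE)

def to_seconds(hms: str) -> int:
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s

def parse_events(log_text: str) -> list:
    """Return sorted (timestamp_seconds, name) pairs for stops of listed names only."""
    events = []
    for line in log_text.splitlines():
        ts, event_id, msg = line.split("|", 2)
        if event_id == "7036":
            m = SERVICE_RE.search(msg)
            if m and m.group(1) in CUBA_SERVICES:
                events.append((to_seconds(ts), m.group(1)))
        elif event_id == "5":
            m = PROCESS_RE.search(msg)
            if m and m.group(1).lower() in CUBA_PROCESSES:
                events.append((to_seconds(ts), m.group(1).lower()))
    return sorted(events)

def detect_bursts(log_text: str) -> list:
    """Alert (start_seconds, names) when MIN_HITS distinct names stop within the window."""
    events = parse_events(log_text)
    alerts, i = [], 0
    while i < len(events):
        start = events[i][0]
        window = [(t, n) for t, n in events[i:] if t <= start + WINDOW_SECONDS]
        names = {n for _, n in window}
        if len(names) >= MIN_HITS:
            alerts.append((start, sorted(names)))
            i += len(window)   # skip the events already covered by this alert
        else:
            i += 1
    return alerts
```

On the sample, the four stops at 10:01 raise one alert while the lone SQLBrowser stop at 10:45 does not; the Spooler stop is ignored because it is not on the list.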
T1471 – Data Encrypted for Impact
The ransomware uses a combination of Salsa and RSA for its encryption algorithm. It also makes use of LibTomCrypt for its cryptography implementations.
The ransomware avoids encrypting files found in the following folders:
– %Windir%
– C:\Boot
– C:\Config.msi
– C:\$Recycle Bin
– C:\System Volume Information
– C:\Recovery
– C:\Documents and Settings
– C:\ProgramData
– C:\Program Files\Microsoft Office
– C:\Program Files (x86)\Microsoft Office
Significant Malware Campaigns
- Montenegro blamed a criminal group called Cuba ransomware for cyber attacks that have hit its government digital infrastructure since last week. (September 2022)
- Considering the use of the RomCom backdoor, as well as other features of the related files, it is possible to associate the detected activity with the activity of the group Tropical Scorpius (Unit42) aka UNC2596 (Mandiant), which is responsible for the distribution of Cuba Ransomware. (October 2022)
- BlackBerry has discovered and documented new tools used by the Cuba ransomware threat group. (August 2023)
- The Cuba ransomware gang collected over $60 million in ransoms until August 2022 after breaching more than 100 victims worldwide. (April 2024)
References:
- Montenegro blames criminal gang for cyber attacks on government
- Cyber attack on state organizations of Ukraine using RomCom malware. Possible involvement of Cuba Ransomware aka Tropical Scorpius aka UNC2596 (CERT-UA#5509)
- Cuba Ransomware Deploys New Tools: BlackBerry Discovers Targets Including Critical Infrastructure Sector in the U.S. and IT Integrator in Latin America
- Philadelphia Inquirer: Data of over 25,000 people stolen in 2023 breach
- Indicators of Compromise Associated with Cuba
- #StopRansomware: Cuba Ransomware
- Novel News on Cuba Ransomware: Greetings From Tropical Scorpius
- Ransomware Spotlight – Cuba
- What Is Cuba Ransomware?