Cuba (Fidel, COLDDRAW) – Malware

June 26, 2024

Cuba

Type of Malware

Ransomware

Additional names

Fidel, COLDDRAW

Country of Origin

Russia

Date of initial activity

2019

Targeted Countries

United States

Associated Groups

Cuba Ransomware Group

Motivation

Financial Gain

Attack vectors

Known vulnerabilities in commercial software, Phishing campaigns, Compromised credentials, Legitimate remote desktop protocol (RDP) tools

Tools

Malware: Bughatch, Burntcigar, Cobeacon, Colddraw, Hancitor (Chanitor), Termite, Wedgecut, KerberCache, ZeroLogon.

Tools: Mimikatz, PowerShell, ProxyLogon, ProxyShell, PsExec, Remote Desktop Protocol.

Targeted System

Windows

Overview

Cuba ransomware, also known as Fidel, was first discovered in late 2019 and rose to prominence in 2022. Cuba’s impact doubled year-over-year, compromising hundreds of victims—in 2022, it collected more than $60 million in ransom, prompting CISA and the FBI to issue flash alerts. Despite its Cuban nationalist theme on its official Tor-based website, intelligence points to the group’s Russian membership, evidenced by typical Russian misspellings in communications. Cuba ransomware is affiliated with the small but high-impact threat actors RomCom and Industrial Spy. Cuba’s use of standard commercial software packing techniques is considered less sophisticated than state-sponsored malware, indicating it is likely the product of a small but talented group of profit-seeking individuals. “Packing” refers to compressing software and required libraries into a single binary executable that is difficult to reverse-engineer or detect by antivirus scanners. Cuba is deployed selectively using a big game hunting strategy, targeting a few high-profile organizations in the financial services, government, healthcare, critical infrastructure, and IT sectors. Reports indicate that Cuba operators reliably deliver a decryption package to decrypt victims’ files when ransom is paid, but they also employ a double-extortion tactic and are known to publish the stolen data and documents of victims who refuse to pay.

Targets

U.S. entities in the following five critical infrastructure sectors: Financial Services, Government Facilities, Healthcare and Public Health, Critical Manufacturing, and Information Technology.

How they operate

Initial Access

After gaining initial access, the actors deployed Cuba ransomware on compromised systems using Hancitor, a loader known for delivering or executing stealers, Remote Access Trojans (RATs) and other types of ransomware onto victims' networks. Since spring 2022, Cuba ransomware actors have adjusted their TTPs and tools to better interact with compromised networks and extort payments from victims. They have exploited known vulnerabilities and weaknesses, using tools to elevate privileges on compromised systems.

Defense Evasion

Cuba ransomware ceases its routine if a Russian keyboard layout is detected, terminating and deleting itself instead. It uses various components to terminate AV-related processes, including the KillAV tool. Additionally, it exploits an Avast driver vulnerability ("C:\windows\temp\aswArPot.sys") to terminate services.

Discovery

Cuba ransomware finds, lists, and encrypts files on reachable connected and shared networks when "-netscan" is provided as an argument upon execution. It finds, lists, and encrypts files on connected removable drives when "-net" is provided as an argument upon execution. It finds, lists, and encrypts local files when either "-local" or no argument is provided upon execution. A separate tool is used to scan reachable networks during the lateral movement phase.

Lateral Movement

For lateral movement, Cuba ransomware employs tools such as RDP, SMB, and PsExec. It frequently uses Cobeacon to facilitate movement within the victim networks found by its network discovery tools. Following lateral movement, the threat actors deploy various backdoors, including the publicly available NetSupport RAT, Beacon, and Bughatch, often delivered using the Termite in-memory dropper.

Command and Control

Cuba ransomware uses its own Cobalt Strike network to communicate back to its command-and-control (C&C) server. It also uses PROXYHTA to communicate with the C&C server and download additional components.

Impact

The ransomware uses a combination of Salsa and RSA for its encryption scheme, relying on LibTomCrypt for its cryptographic implementations. It uses Salsa20 to encrypt files and RSA to encrypt the Salsa key, so the files cannot be decrypted without the corresponding RSA private key. It checks for the file marker FIDEL.CA to determine whether a file is already encrypted. If it isn't, it prepends the file marker and the encrypted Salsa key. After encryption, it renames the file, adds the ".cuba" extension, and drops a ransom note.
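As an added example (not code from the report or from the ransomware's authors), the following Python script scores constructed event lines for the host-level behaviours described above: the -netscan/-net/-local encryption switches, the Avast driver aswArPot.sys written to C:\windows\temp, the SQL service stops, and the rename to the .cuba extension. The key=value event format, the field names and the indicator weights are assumptions made for this example.

```python
import re
from collections import defaultdict

# Indicators taken from the report above, weighted by how specific each one is.
# Assumption: events are simple "key=value ..." lines; the field names are constructed for this example.
STOPPED_SERVICES = {"mysql", "mysql80", "mssqlserver", "sqlwriter", "msdtc", "sqlbrowser"}
RULES = [
    ("cuba_extension_rename", 5, re.compile(r"target=\S+\.cuba\b", re.I)),
    ("avast_driver_in_temp", 5, re.compile(r"c:\\windows\\temp\\aswarpot\.sys", re.I)),
    # -netscan / -net / -local select what the ransomware encrypts; on their own they are generic
    ("encrypt_scope_switch", 1, re.compile(r"cmdline=\S+\s+-(netscan|net|local)\b", re.I)),
]
SERVICE_STOP = re.compile(r"cmdline=(?:net|sc)(?:\.exe)?\s+stop\s+(\S+)", re.I)


def score_event(line):
    """Return (rule_name, weight) for the first indicator found in one event line, or None."""
    for name, weight, pattern in RULES:
        if pattern.search(line):
            return name, weight
    m = SERVICE_STOP.search(line)
    if m and m.group(1).strip('"').lower() in STOPPED_SERVICES:
        return "sql_service_stop", 3
    return None


def score_hosts(lines, threshold=6):
    """Sum indicator weights per host; a host at or above the threshold is flagged with its hit list."""
    scores, hits = defaultdict(int), defaultdict(list)
    for line in lines:
        host = re.search(r"host=(\S+)", line)
        result = score_event(line)
        if host and result:
            scores[host.group(1)] += result[1]
            hits[host.group(1)].append(result[0])
    return {h: (s, hits[h]) for h, s in scores.items() if s >= threshold}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    "host=fs01 type=process cmdline=C:\\Users\\Public\\svc.exe -netscan",
    "host=fs01 type=file_write target=C:\\windows\\temp\\aswArPot.sys",
    "host=fs01 type=process cmdline=net stop MSSQLSERVER",
    "host=fs01 type=file_rename target=D:\\share\\ledger.xlsx.cuba",
    "host=ws22 type=process cmdline=C:\\tools\\backup.exe -local",  # lone switch: too generic to flag
    "host=ws22 type=process cmdline=net stop Spooler",              # not one of the targeted services
]

if __name__ == "__main__":
    for host, (score, names) in score_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: score={score} indicators={names}")
```

Only the host that shows several of the indicators together crosses the threshold; a single -local or -net switch is deliberately weighted too low to page anyone on its own.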

Techniques Used (MITRE)

Initial Access
  • T1190 – Exploit Public-Facing Application: Cuba ransomware has been observed exploiting vulnerable Microsoft Exchange servers via ProxyShell and ProxyLogon to drop and execute PowerShell scripts for the next stages of the attack.
  • T1566 – Phishing: Reports mention Cuba ransomware being the payload of Hancitor malicious spam campaigns.

Execution
  • T0807 – Command-Line Interface: Java and PHP webshells are used to run remote commands or deliver Cobeacon.
  • T1059 – Command and Scripting Interpreter: A batch file is used to copy and execute KillAV and ransomware samples from a shared folder.

Defense Evasion
  • T1480 – Execution Guardrails: Cuba ransomware terminates and deletes itself if the keyboard layout language is Russian.
  • T1630 – Indicator Removal on Host: Cuba ransomware terminates and deletes itself after execution or if certain conditions are met.
  • T1629 – Impair Defenses: The ransomware terminates a list of running AV-related processes, if found, via its KillAV component. It also exploits an Avast driver vulnerability to terminate processes and services.

Credential Access
  • T1003 – OS Credential Dumping: The ransomware uses Mimikatz to dump credentials.

Discovery
  • T1135 – Network Share Discovery: Cuba ransomware uses a component dubbed Wedgecut that takes an argument containing a list of hosts or IP addresses and checks whether they are online using ICMP packets.

Command and Control
  • T1437 – Application Layer Protocol: Uses its Cobeacon network to send and receive information and commands from the threat actors. Cuba ransomware also uses a component dubbed ProxyHTA to download additional components from its C&C servers.

Lateral Movement
  • T0867 – Lateral Tool Transfer: Cuba ransomware uses tools such as RDP, SMB, and PsExec, frequently using COBEACON to facilitate movement within the victim network, across hosts found by its network discovery tools.

Exfiltration
  • T1041 – Exfiltration Over C2 Channel: Cuba ransomware uses its Cobeacon network to send stolen information back to the threat actors.

Impact
  • T0881 – Service Stop: Terminates the following services and processes via API calls: MySQL, MYSQL80, MSSQLSERVER, SQLWriter, MSDTC, SQLBrowser, sqlservr.exe, sqlwriter.exe, msdtc.exe, sqlbrowser.exe.
  • T1471 – Data Encrypted for Impact: The ransomware uses a combination of Salsa and RSA for its encryption scheme and relies on LibTomCrypt for its cryptographic implementations. It avoids encrypting files in the following folders: %Windir%, C:\Boot, C:\Config.msi, C:\$Recycle Bin, C:\System Volume Information, C:\Recovery, C:\Documents and Settings, C:\ProgramData, C:\Program Files\Microsoft Office, C:\Program Files (x86)\Microsoft Office.
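As an added example serving both the Impact paragraph under "How they operate" and the T1471 entry above (not code from the report), this Python triage script walks a directory tree, identifies files the ransomware has already processed by the FIDEL.CA marker or the .cuba extension, and separates the RSA-encrypted Salsa20 key blob so it can be preserved alongside the file for any later decryption package. The 256-byte key-blob length is an assumption, and the sample files are constructed.

```python
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Optional

MARKER = b"FIDEL.CA"      # marker the ransomware prepends to mark a file as already encrypted
ENCRYPTED_EXT = ".cuba"   # extension appended after encryption
# Assumption: the RSA-encrypted Salsa20 key following the marker is 256 bytes (a 2048-bit RSA
# block); the report does not state the key size, so adjust for a real sample.
ASSUMED_KEY_BLOB_LEN = 256

@dataclass
class EncryptedFile:
    path: str
    has_marker: bool
    has_extension: bool
    key_blob: Optional[bytes]  # encrypted Salsa20 key; useless without the operators' RSA private key

def inspect(path):
    """Return an EncryptedFile if the file carries the marker or the extension, otherwise None."""
    path = Path(path)
    has_ext = path.name.lower().endswith(ENCRYPTED_EXT)
    with path.open("rb") as fh:
        head = fh.read(len(MARKER) + ASSUMED_KEY_BLOB_LEN)
    has_marker = head.startswith(MARKER)
    if not (has_marker or has_ext):
        return None
    blob = head[len(MARKER):] if has_marker and len(head) == len(MARKER) + ASSUMED_KEY_BLOB_LEN else None
    return EncryptedFile(str(path), has_marker, has_ext, blob)

def scan_tree(root):
    """Walk a directory tree and return every file that looks Cuba-encrypted, sorted by path."""
    hits = [inspect(p) for p in Path(root).rglob("*") if p.is_file()]
    return sorted((h for h in hits if h), key=lambda h: h.path)

def build_sample_tree():
    """Constructed sample data: a marked+renamed file, a renamed-only file and a clean file."""
    root = Path(tempfile.mkdtemp(prefix="cuba_triage_"))
    # fake 256-byte key blob followed by fake ciphertext
    (root / "report.docx.cuba").write_bytes(MARKER + bytes(range(256)) + b"<ciphertext>")
    (root / "notes.txt.cuba").write_bytes(b"renamed but never marked, so not encrypted by the ransomware")
    (root / "clean.txt").write_bytes(b"plain file")
    return str(root)

if __name__ == "__main__":
    for hit in scan_tree(build_sample_tree()):
        print(f"{hit.path}: marker={hit.has_marker} ext={hit.has_extension} key={hit.key_blob is not None}")
```

A file that carries the extension but not the marker is reported separately, since the ransomware's own marker check means it never treated that file as encrypted.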

Significant Malware Campaigns

  • Montenegro blamed a criminal group called Cuba ransomware for cyber attacks that have hit its government digital infrastructure since last week. (September 2022)
  • Considering the use of the RomCom backdoor, as well as other features of the related files, it is possible to associate the detected activity with the activity of the group Tropical Scorpius (Unit42) aka UNC2596 (Mandiant), which is responsible for the distribution of Cuba Ransomware. (October 2022)
  • BlackBerry has discovered and documented new tools used by the Cuba ransomware threat group. (August 2023)
  • The Cuba ransomware gang collected over $60 million in ransoms until August 2022 after breaching more than 100 victims worldwide. (April 2024)
References:
  • Montenegro blames criminal gang for cyber attacks on government
  • Cyber attack on state organizations of Ukraine using RomCom malware. Possible involvement of Cuba Ransomware aka Tropical Scorpius aka UNC2596 (CERT-UA#5509)
  • Cuba Ransomware Deploys New Tools: BlackBerry Discovers Targets Including Critical Infrastructure Sector in the U.S. and IT Integrator in Latin America
  • Philadelphia Inquirer: Data of over 25,000 people stolen in 2023 breach
  • Indicators of Compromise Associated with Cuba
  • #StopRansomware: Cuba Ransomware
  • Novel News on Cuba Ransomware: Greetings From Tropical Scorpius
  • Ransomware Spotlight – Cuba
  • What Is Cuba Ransomware?