Overview
Cuba ransomware was first observed in December 2019 but only gained notoriety in November 2021 when the FBI posted an official notice detailing its activities.
The ransomware group has been involved in numerous high-profile attacks, including those targeting government institutions in Europe. It has continuously refined its ransomware routine and added capabilities for better efficiency and effectiveness. Based on these incidents and the ongoing evolution of the ransomware, it is likely that we will see more advanced iterations in future attacks.
Cuba ransomware has an extensive infrastructure and uses many tools in its arsenal. These include Windows utilities such as Remote Desktop Protocol (RDP), Server Message Block (SMB), and PsExec. It combines these with popular tools like Cobalt Strike (for lateral movement and C&C communications) and Mimikatz (for dumping credentials).
It also exploits several vulnerabilities during the infection process. For example, it abuses the ProxyShell and ProxyLogon vulnerabilities in Microsoft Exchange for initial access, and as part of its antivirus-disabling routine it drops a legitimately signed but vulnerable Avast driver (aswArPot.sys, written to C:\windows\temp) and loads it, a bring-your-own-vulnerable-driver technique that lets user-mode code terminate protected security processes from the kernel.
Note that, despite its name, Cuba ransomware appears to be operated by Russian-speaking actors rather than from Cuba: the ransomware terminates itself when a Russian keyboard layout or language is detected on the system, a guardrail commonly seen in crimeware that avoids victims in Russia and neighbouring states.
In addition to deploying ransomware, the actors have used “double extortion” techniques. They exfiltrate victim data, demand a ransom payment to decrypt it, and threaten to publicly release the data if the ransom is not paid.
Cuba’s own leak site has gone online and offline intermittently. Based on researchers’ observations, the site comes back online whenever a new victim is allegedly compromised and listed, then goes dark again.
Common targets
U.S. entities in the following five critical infrastructure sectors: Financial Services, Government Facilities, Healthcare and Public Health, Critical Manufacturing, and Information Technology.
Attack Vectors
Known vulnerabilities in commercial software, Phishing campaigns, Compromised credentials, Legitimate remote desktop protocol (RDP) tools
How they operate
After gaining initial access, the actors deployed Cuba ransomware on compromised systems via Hancitor, a loader known for dropping or executing information stealers, Remote Access Trojans (RATs), and other ransomware families onto victims’ networks.
Since spring 2022, Cuba ransomware actors have adapted their TTPs and tools to better interact with compromised networks and extort payments from victims. They have exploited known vulnerabilities and weaknesses, using tools to elevate privileges on compromised systems.
According to Palo Alto Networks Unit 42, Cuba ransomware actors employ tools to evade detection while moving laterally through compromised environments before executing the ransomware. Specifically, the actors used a dropper that writes a kernel driver called ApcHelper.sys to the file system, which targets and terminates security products. While the dropper was unsigned, the kernel driver was signed with an NVIDIA code-signing certificate from the LAPSUS$ leak, so a signature check alone does not flag it; the load path and the driver name are the useful indicators.
MITRE Techniques Used
Initial Access
T1190 – Exploit Public-Facing Application
Cuba ransomware has been observed exploiting vulnerable Microsoft Exchange servers via ProxyShell and ProxyLogon to drop and execute PowerShell scripts for the next stages of the attack.
T1566 – Phishing
Reports mention Cuba ransomware being delivered as the payload of Hancitor malicious spam campaigns.
Execution
T1059 – Command and Scripting Interpreter
Java and PHP web shells (T1505.003 – Server Software Component: Web Shell) are used to run remote commands or deliver Cobeacon (Cobalt Strike Beacon).
A batch file is used to copy and execute KillAV and ransomware samples from a shared folder.
Defense Evasion
T1480 – Execution Guardrails
Cuba ransomware terminates and deletes itself if the keyboard layout or system language is Russian.
T1070.004 – Indicator Removal: File Deletion
Cuba ransomware terminates and deletes itself after execution or if certain conditions (such as the keyboard-layout check above) are met.
T1562.001 – Impair Defenses: Disable or Modify Tools
The ransomware terminates a list of running AV-related processes, if found, via its KillAV component. It also abuses a vulnerable Avast driver (aswArPot.sys) to terminate processes and services from the kernel that user-mode code could not otherwise stop.
Credential Access
T1003 – OS Credential Dumping
The ransomware uses Mimikatz to dump credentials
Discovery
T1018 – Remote System Discovery
Cuba ransomware uses a component dubbed Wedgecut that takes an argument containing a list of hosts or IP addresses and checks whether they are online using ICMP echo requests.
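The Wedgecut behaviour above (one host sending ICMP echo requests to many others in a short period) is visible in firewall or NetFlow logs. The following is an added example, not code from the ransomware or from any of the referenced reports: it parses constructed flow records and flags a source that reaches at least a threshold of distinct destinations with echo requests inside a time window. The log line format, the `10.0.0.0/24` addresses, and the threshold are assumptions for the example.

```python
"""Added example: flag ICMP echo-request sweeps (T1018 host discovery).

The flow-line format and all sample lines below are constructed for this
example; adapt FLOW_RE to your firewall or NetFlow export.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed export format: "<iso-ts> src=<ip> dst=<ip> proto=<name>[ type=<n>]"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>\w+)(?: type=(?P<type>\d+))?$"
)
WINDOW = timedelta(seconds=60)
MIN_TARGETS = 10  # distinct hosts pinged inside WINDOW before we call it a sweep

# Constructed sample (not real traffic):
#  - 10.0.0.5 pings sixteen hosts in sixteen seconds (Wedgecut-like sweep)
#  - 10.0.0.9 is a monitoring box that pings the same three hosts every minute
#  - one echo reply and one TCP flow, which the rule must ignore
SAMPLE_FLOWS = (
    [f"2024-05-01T02:13:{i:02d} src=10.0.0.5 dst=10.0.0.{20 + i} proto=icmp type=8"
     for i in range(16)]
    + [f"2024-05-01T02:1{m}:00 src=10.0.0.9 dst=10.0.0.{d} proto=icmp type=8"
       for m in range(3) for d in (20, 21, 22)]
    + ["2024-05-01T02:13:01 src=10.0.0.21 dst=10.0.0.5 proto=icmp type=0",
       "2024-05-01T02:13:20 src=10.0.0.5 dst=10.0.0.30 proto=tcp"]
)


def parse_flow(line):
    """Return a dict for one flow line, or None if it does not match."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def find_icmp_sweeps(lines, window=WINDOW, min_targets=MIN_TARGETS):
    """Map each sweeping source IP to the number of distinct hosts it probed.

    Only ICMP echo requests (type 8) count; replies and other protocols are
    ignored. A source is reported once its requests reach `min_targets`
    distinct destinations within any `window`-long span.
    """
    probes = defaultdict(list)  # src -> [(timestamp, dst)]
    for line in lines:
        rec = parse_flow(line)
        if rec and rec["proto"] == "icmp" and rec["type"] == "8":
            probes[rec["src"]].append((rec["ts"], rec["dst"]))

    sweeps = {}
    for src, events in probes.items():
        events.sort()
        for i, (t0, _) in enumerate(events):  # slide the window over sorted probes
            targets = {dst for t, dst in events[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                sweeps[src] = len(targets)
                break
    return sweeps


if __name__ == "__main__":
    for src, n in find_icmp_sweeps(SAMPLE_FLOWS).items():
        print(f"possible ICMP sweep from {src}: {n} distinct targets within {WINDOW.seconds}s")
```

With the constructed input only `10.0.0.5` is reported; the monitoring host stays below the threshold because it keeps hitting the same three addresses. Tune `MIN_TARGETS` against your own baseline of vulnerability scanners and monitoring systems, which are the usual false positives for this rule.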
Command and Control
T1071 – Application Layer Protocol
Uses its Cobeacon (Cobalt Strike Beacon) channel to send and receive information and commands from the threat actors. Cuba ransomware also uses a component dubbed ProxyHTA to download additional components from its C&C servers.
Lateral Movement
T1570 – Lateral Tool Transfer
Cuba ransomware actors move tools and payloads to other hosts over RDP, SMB, and PsExec, frequently through Cobeacon, targeting systems found by their network discovery tools.
Exfiltration
T1041 – Exfiltration Over C2 Channel
Cuba ransomware employs its Cobeacon’s network to send back stolen information to the threat actors
Impact
T1489 – Service Stop
Terminates the following services and processes via Windows API calls (database services whose open file handles would otherwise block encryption of their data files):
– MySQL
– MYSQL80
– MSSQLSERVER
– SQLWriter
– MSDTC
– SQLBrowser
– sqlservr.exe
– sqlwriter.exe
– msdtc.exe
– sqlbrowser.exe
T1486 – Data Encrypted for Impact
The ransomware uses a combination of Salsa (symmetric, for file contents) and RSA (to protect the per-file or per-victim symmetric keys) for its encryption scheme. It makes use of LibTomCrypt for its cryptography implementations.
The ransomware avoids encrypting files found in the following folders:
– %Windir%
– C:\Boot
– C:\Config.msi
– C:\$Recycle Bin
– C:\System Volume Information
– C:\Recovery
– C:\Documents and Settings
– C:\ProgramData
– C:\Program Files\Microsoft Office
– C:\Program Files (x86)\Microsoft Office
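Several of the techniques listed above leave host-level telemetry that is cheap to alert on: a driver named aswArPot.sys or ApcHelper.sys loading from a writable path rather than the driver store (T1562.001), a PSEXESVC service being installed (PsExec execution used for lateral movement), and a burst of the listed database services stopping on one host within seconds (T1489). The following is an added example and not code from the FBI/CISA advisory or any vendor report: it runs those three rules over constructed, normalised host events. The event schema (`ts`, `host`, `type`, and so on) and the hostnames are assumptions, not a real product's format.

```python
"""Added example: three host-telemetry rules for the tradecraft listed above.

The event schema and every sample event below are constructed for this
example; map your EDR/Sysmon/System-log fields onto it before use.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Services the ransomware stops before encryption (from the list on this page).
TARGET_SERVICES = {"MySQL", "MYSQL80", "MSSQLSERVER", "SQLWriter", "MSDTC", "SQLBrowser"}
# Drivers tied to the AV-termination routine: the legitimate Avast driver
# abused as a vulnerable driver, and the one signed with the leaked certificate.
SUSPECT_DRIVERS = {"aswarpot.sys", "apchelper.sys"}
# Directories a kernel driver should never be loaded from (assumption for the rule).
WRITABLE_DIRS = ("\\windows\\temp\\", "\\users\\", "\\programdata\\")
BURST_WINDOW = timedelta(seconds=60)
BURST_MIN = 3  # distinct target services stopped within BURST_WINDOW

# Constructed sample events (not real logs). SQL01 shows the full chain;
# SQL02 shows benign look-alikes that the rules must not flag.
EVENTS = [
    {"ts": "2024-05-01T02:14:03", "host": "SQL01", "type": "driver_load",
     "image": "C:\\Windows\\Temp\\aswArPot.sys", "signer": "Avast Software s.r.o."},
    {"ts": "2024-05-01T02:14:10", "host": "SQL01", "type": "service_install",
     "service": "PSEXESVC", "image": "C:\\Windows\\PSEXESVC.exe"},
    {"ts": "2024-05-01T02:14:30", "host": "SQL01", "type": "service_stop", "service": "MSSQLSERVER"},
    {"ts": "2024-05-01T02:14:31", "host": "SQL01", "type": "service_stop", "service": "SQLWriter"},
    {"ts": "2024-05-01T02:14:33", "host": "SQL01", "type": "service_stop", "service": "MSDTC"},
    {"ts": "2024-05-01T02:14:35", "host": "SQL01", "type": "service_stop", "service": "SQLBrowser"},
    # SQL02: a real Avast install loads the same driver from the driver store,
    # and a single scheduled database restart stops one service.
    {"ts": "2024-05-01T03:00:00", "host": "SQL02", "type": "driver_load",
     "image": "C:\\Windows\\System32\\drivers\\aswArPot.sys", "signer": "Avast Software s.r.o."},
    {"ts": "2024-05-01T03:00:05", "host": "SQL02", "type": "service_stop", "service": "MSSQLSERVER"},
]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return a list of alert dicts ({host, technique, reason}) for the events."""
    alerts = []
    stops = defaultdict(list)  # host -> [(timestamp, service)]
    for e in events:
        kind = e["type"]
        if kind == "driver_load":
            image = e["image"].lower()
            # Signature alone is not enough: aswArPot.sys is validly signed.
            if _basename(image) in SUSPECT_DRIVERS and any(d in image for d in WRITABLE_DIRS):
                alerts.append({"host": e["host"], "technique": "T1562.001",
                               "reason": f"abused/vulnerable driver loaded from writable path: {e['image']}"})
        elif kind == "service_install" and e["service"].upper() == "PSEXESVC":
            alerts.append({"host": e["host"], "technique": "T1569.002",
                           "reason": "PsExec service installed (service execution used for lateral movement)"})
        elif kind == "service_stop" and e["service"] in TARGET_SERVICES:
            stops[e["host"]].append((datetime.fromisoformat(e["ts"]), e["service"]))

    # Burst rule: several distinct target services stopped on one host inside the window.
    for host, items in stops.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            names = {svc for t, svc in items[i:] if t - t0 <= BURST_WINDOW}
            if len(names) >= BURST_MIN:
                alerts.append({"host": host, "technique": "T1489",
                               "reason": f"{len(names)} database services stopped within "
                                         f"{BURST_WINDOW.seconds}s: {sorted(names)}"})
                break  # one alert per host is enough
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"{a['host']}: {a['technique']} - {a['reason']}")
```

Against the constructed input, `detect(EVENTS)` returns three alerts, all for SQL01; SQL02's driver load from the driver store and its single service restart produce nothing. The driver rule keys on load path rather than signature on purpose: both drivers carry valid signatures, so a signed-driver policy alone would pass them.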
Recommended Mitigations
The FBI advises network defenders to implement the following measures to reduce the risk of compromise by Cuba ransomware:
Strengthen Password Policies:
Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to use strong, unique passwords. Avoid reusing passwords across multiple accounts or storing them on systems accessible to adversaries.
Implement a password policy for devices with local administrative accounts, ensuring strong, unique passwords for each individual administrative account.
Enforce Multi-Factor Authentication:
Enable multi-factor authentication for all services, especially for webmail, virtual private networks, and accounts that access critical systems.
Update Operating Systems and Software:
Keep all operating systems and software up to date. Timely patching is a cost-effective method to minimize exposure to cybersecurity threats.
Restrict Administrative Access:
Remove unnecessary access to administrative shares, such as ADMIN$ and C$. If operationally necessary, limit privileges to essential service or user accounts and continuously monitor for anomalous activity.
Use Host-Based Firewalls:
Configure a host-based firewall to allow connections to administrative shares via server message block (SMB) only from a limited set of administrator machines.
Limit System and Network Discovery Techniques:
Segment networks to prevent ransomware spread. Control traffic flows and restrict adversary lateral movement by managing access between subnetworks.
Identify, detect, and investigate abnormal activities and potential ransomware traversal using a network monitoring tool. Implement tools that log and report all network traffic, including lateral movement. Endpoint detection and response (EDR) tools are effective for detecting lateral connections due to their insight into network connections for each host.
Implement Time-Based Access Controls:
Use time-based access for admin-level accounts. For instance, the Just-in-Time (JIT) access method grants privileged access as needed, supporting the principle of least privilege and the Zero Trust model.
Automatically disable admin accounts at the Active Directory (AD) level when not in use, and enable access through an automated process for a set timeframe.
Restrict Command-Line and Scripting Activities:
Prevent privilege escalation and lateral movement by disabling command-line and scripting activities and permissions where users do not need them. Threat actors rely on these utilities, and removing them hampers their ability to escalate privileges or move laterally. Where a blanket disable is not operationally feasible, use application allow-listing (for example AppLocker or Windows Defender Application Control) to limit which interpreters and tools can run, and enable script block and module logging so that use of PowerShell, batch files, and PsExec-style remote execution is recorded.
Maintain Offline Backups:
Regularly maintain offline backups of data and ensure their restoration capability. This practice helps prevent severe interruptions and data loss.
Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure.
Significant Attacks
- Montenegro blamed the Cuba ransomware group for cyber attacks that hit its government digital infrastructure over the preceding week. (September 2022)
- Based on the use of the RomCom backdoor and other features of the related files, the detected activity was attributed to the group Tropical Scorpius (Unit 42), aka UNC2596 (Mandiant), which is responsible for distributing Cuba ransomware. (October 2022)
- BlackBerry discovered and documented new tools used by the Cuba ransomware threat group. (August 2023)
- The Cuba ransomware gang had collected over $60 million in ransoms as of August 2022 after breaching more than 100 victims worldwide. (April 2024)
References:
- #StopRansomware: Cuba Ransomware
- Indicators of Compromise Associated with Cuba
- Novel News on Cuba Ransomware: Greetings From Tropical Scorpius
- Ransomware Spotlight – Cuba
- Cuba Ransomware Deploys New Tools: BlackBerry Discovers Targets Including Critical Infrastructure Sector in the U.S. and IT Integrator in Latin America