The Cuba ransomware gang uses a wide range of tools and malware to launch and conduct attacks targeting organizations in critical sectors, according to the FBI.
Cuba Ransomware Picking On Critical Sectors
The Cuba ransomware group has already compromised at least 49 organizations in five sectors in the U.S., the FBI says in a flash alert.
The FBI linked a surge of attacks on U.S. entities in the financial, government, healthcare, manufacturing, and information technology sectors to the cybercriminal gang. The hits totaled $44 million in ransom payments, more than half of the $74 million the group demanded from victims. That ratio is a good indication that companies remain split on whether or not to pay the ransom.
The FBI did not specifically name the entities affected, but last month it also warned that the gang was targeting tribal casinos across the U.S.
The FBI also explained that the group uses a first-stage implant that acts as a loader for further payloads – the Hancitor malware, which was first spotted five years ago. Threat actors gain initial access to targeted devices using phishing emails, Microsoft Exchange vulnerabilities, compromised credentials, or legitimate RDP (Remote Desktop Protocol) tools, according to the FBI’s notice.
After Hancitor has been deployed, Cuba ransomware operators also abuse legitimate Windows services and tools, including PowerShell, PsExec, and Cobalt Strike. Cobalt Strike beacons are then used to find vulnerabilities inside the target’s systems that could be exploited.
“A Cobalt Strike beacon [is installed] as a service on the victim’s network via PowerShell,” according to the FBI’s observations. “Once installed, the ransomware downloads two executable files, which include ‘pones.exe’ for password acquisition and ‘krots.exe,’ also known as KPOT, enabling the Cuba ransomware actors to write to the compromised system’s temporary (TMP) file.”
After the TMP file is uploaded, KPOT is deleted, and the TMP file is executed in the affected network, covering the ransomware’s tracks.
“The TMP file includes API calls related to memory injection that, once executed, deletes itself from the system,” the alert read. “Upon deletion of the TMP file, the compromised network begins communicating with a reported malware repository located at Montenegro-based domain, teoresp.com.”
The Cuba ransomware group also uses Mimikatz malware to steal usernames and passwords from targets. It then uses RDP to log into the compromised network host with a legitimate user account.
“Once an RDP connection is complete, the Cuba ransomware actors use the Cobalt Strike server to communicate with the compromised user account,” according to the analysis. “One of the initial PowerShell script functions allocates memory space to run a base64-encoded payload. Once this payload is loaded into memory, it can be used to reach the remote command-and-control (C2) server [kurvalarva[dot]com], and then deploy the next stage of files for the ransomware.”
The ransomware’s name comes from the extension with which target files are encrypted – ‘.cuba.’
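The chain described above (a beacon installed as a service via PowerShell, the ‘pones.exe’ and ‘krots.exe’ stage files, a base64-encoded PowerShell payload run from memory, contact with teoresp.com and kurvalarva.com, and files renamed with ‘.cuba’) is exactly the kind of sequence a defender can turn into log-based detections. The script below is an added example, not code from the FBI alert or from this article: it runs simple rules for each of those page-quoted indicators over constructed log lines and then correlates hits per host, because a single indicator (one DNS lookup, one encoded PowerShell command) is weak on its own while several distinct stages on the same host are not. The key=value log format, host names, timestamps, and sample lines are all constructed for the example; the only values taken from the page are the two domains, the two file names and the ‘.cuba’ extension.

```python
"""Added example: rule-based detection of the Cuba ransomware chain quoted on this page,
run over constructed log lines.  Log format, hosts and sample events are made up; only the
domains, file names and '.cuba' extension come from the article."""
import base64
import re

# Indicators named on the page.  Everything else in this file is constructed.
IOC_DOMAINS = {"teoresp.com", "kurvalarva.com"}
IOC_FILENAMES = {"pones.exe", "krots.exe"}
ENCRYPTED_EXT = ".cuba"
# Strings in a decoded PowerShell body that suggest a payload is decoded and loaded into memory.
MEMORY_LOAD_MARKERS = ("frombase64string", "virtualalloc")

HOST_RE = re.compile(r"host=(\S+)")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
EXE_RE = re.compile(r"[\w.-]+\.exe", re.I)
# PowerShell -e / -enc / -EncodedCommand followed by a base64 blob.
ENC_CMD_RE = re.compile(r"-(?:e|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)
CUBA_EXT_RE = re.compile(r"\S+\.cuba\b", re.I)


def encode_powershell(script):
    """PowerShell -EncodedCommand takes base64 of the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_powershell_payload(blob):
    """Reverse of encode_powershell; None if the blob is not valid base64 / UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(line):
    """Return [(rule, detail), ...] for every rule that fires on one log line."""
    hits = []
    low = line.lower()
    # Rule 1: a service installed (Windows System event 7045) whose image is PowerShell;
    # the page quotes the beacon being installed "as a service ... via PowerShell".
    if "event_id=7045" in low and "powershell" in low:
        hits.append(("service_install_powershell", line))
    # Rule 2: an encoded PowerShell command whose decoded body decodes/loads a payload in memory.
    m = ENC_CMD_RE.search(line)
    if m:
        decoded = decode_powershell_payload(m.group(1))
        if decoded and any(k in decoded.lower() for k in MEMORY_LOAD_MARKERS):
            hits.append(("encoded_powershell_memory_payload", decoded))
    # Rule 3: the second-stage file names quoted from the alert.
    for exe in EXE_RE.findall(line):
        if exe.lower() in IOC_FILENAMES:
            hits.append(("known_stage_file", exe.lower()))
    # Rule 4: contact with the repository / C2 domains quoted from the alert.
    for dom in DOMAIN_RE.findall(line):
        if dom.lower() in IOC_DOMAINS:
            hits.append(("ioc_domain", dom.lower()))
    # Rule 5: a file written with the '.cuba' extension the ransomware appends.
    ext = CUBA_EXT_RE.search(line)
    if ext:
        hits.append(("cuba_extension", ext.group(0)))
    return hits


def scan(lines):
    """Run classify() over numbered lines; returns [(line_no, host, rule, detail), ...]."""
    findings = []
    for n, line in enumerate(lines, 1):
        h = HOST_RE.search(line)
        host = h.group(1) if h else "?"
        for rule, detail in classify(line):
            findings.append((n, host, rule, detail))
    return findings


def correlate(findings, min_rules=2):
    """Hosts where at least min_rules distinct rules fired: a chain, not a lone indicator."""
    by_host = {}
    for _, host, rule, _ in findings:
        by_host.setdefault(host, set()).add(rule)
    return {h: sorted(r) for h, r in by_host.items() if len(r) >= min_rules}


# Constructed stand-ins: a script that decodes a (harmless) base64 blob, and a benign one.
STAGE_SCRIPT = "$p='SGVsbG8=';$b=[Convert]::FromBase64String($p)"
BENIGN_SCRIPT = "Get-Date"

# Constructed sample log lines in a made-up key=value format (event IDs are standard Windows ones).
SAMPLE_LOGS = [
    "2021-12-03T10:01:12Z host=WS01 event_id=7045 service_name=Updater image_path=powershell.exe -nop -w hidden -e " + encode_powershell(STAGE_SCRIPT),
    "2021-12-03T10:02:40Z host=WS01 event_id=4688 image=C:\\Windows\\Temp\\pones.exe parent=cmd.exe",
    "2021-12-03T10:02:41Z host=WS01 event_id=4688 image=C:\\Windows\\Temp\\krots.exe parent=cmd.exe",
    "2021-12-03T10:05:09Z host=WS01 dns query=teoresp.com answer=203.0.113.10",
    "2021-12-03T10:30:55Z host=DC01 event_id=4624 logon_type=10 user=CORP\\jdoe src=10.0.0.23",
    "2021-12-03T10:31:20Z host=DC01 event_id=4688 image=powershell.exe cmdline=powershell -enc " + encode_powershell(BENIGN_SCRIPT),
    "2021-12-03T10:32:00Z host=DC01 dns query=kurvalarva.com answer=203.0.113.20",
    "2021-12-03T11:00:00Z host=FS01 event_id=4663 object=\\\\fs01\\share\\report.docx.cuba access=WriteData",
    "2021-12-03T11:00:05Z host=FS01 event_id=4688 image=C:\\Windows\\System32\\svchost.exe parent=services.exe",
]

if __name__ == "__main__":
    results = scan(SAMPLE_LOGS)
    for n, host, rule, detail in results:
        print(f"line {n} {host}: {rule} -> {detail[:60]}")
    print("hosts with a correlated chain:", correlate(results))
```

On the constructed sample, WS01 trips four distinct rules (service install, encoded in-memory payload, a known stage file, and the repository domain) and is reported as a correlated chain, while DC01 produces a single domain hit and FS01 a single ‘.cuba’ write; those lone hits are still worth an analyst’s look, but the per-host correlation is what separates the sequence the alert describes from everyday noise. Decoding the `-EncodedCommand` blob rather than matching on its base64 text is deliberate: the same script re-encodes differently with any whitespace change, while the decoded body does not.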
Ransomware Is No Joke, The FBI Says
The alert comes right after a joint FBI/CISA warning telling organizations to be more cautious during the holiday season.
“Although neither CISA nor the FBI currently have identified any specific threats, recent 2021 trends show malicious cyber actors launching serious and impactful ransomware attacks during holidays and weekends, including Independence Day and Mother’s Day weekends,” the warning read.
“Ransomware threats are constantly evolving,” Mieng Lim, vice president of product management at Digital Defense by HelpSystems, said. “From the commoditization of ransomware through the recent availability of as-a-service tools, to increasingly sophisticated attack strategies, it is a threat landscape that demands constant monitoring and education from organizations and governments alike.”
Lim added that, for companies, the best defense against ransomware attacks is implementing security awareness training to teach employees how to spot a phishing attempt, along with other complementary security measures, including timely patching, email filters, regular testing, backups, and establishing an incident response plan.
“Unfortunately, we live in an era where preventing 100 percent of cyber-risks is no longer possible, but constant vigilance, ongoing cyber-threat education, and a well-planned threat detection and response strategy will go a long way towards keeping your organization’s most sensitive data safe,” Lim said.
ATTACK Simulator’s Security Awareness Training program will help you equip your employees with the necessary security knowledge and up-to-date security practices to keep your company safe from scammers and avoid potentially irremediable damage.