The operators of the Cuba ransomware (also tracked as COLDDRAW) have collected more than 60 million dollars in ransom payments and have compromised over 100 entities worldwide as of August 2022.

In a new alert shared by the US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), the agencies highlighted a “sharp increase in both the number of compromised US entities and ransom amounts”.

The ransomware crew, also known as Tropical Scorpius, has been observed targeting the financial services, government facilities, healthcare, and IT sectors, while at the same time expanding the tactics it uses to gain initial access and to interact with compromised networks.

Why is the Cuba Ransomware so dangerous?

First of all, it must be said that, despite the name “Cuba”, there is no evidence to suggest that the authors of the ransomware have any connection or affiliation with the island country of the same name.

The entry points for attacks include exploitation of known security holes, phishing, compromised credentials, and legitimate Remote Desktop Protocol (RDP) tools, followed by distribution of the ransomware via Hancitor (also known as Chanitor).

Known vulnerabilities exploited by the ransomware actors include the following:

CVE-2022-24521 (CVSS score: 7.8) – An elevation of privilege vulnerability in the Windows Common Log File System (CLFS) driver.

CVE-2020-1472 (CVSS score: 10.0) – An elevation of privilege vulnerability in the Netlogon remote protocol, better known as ZeroLogon.
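As an added defender-side check (not code from the article or from the CISA advisory), the following PowerShell verifies on a domain controller that Netlogon enforcement mode is on for CVE-2020-1472, looks for event 5829 (a vulnerable Netlogon connection that was still allowed), and confirms that RDP, named above as an entry point, requires Network Level Authentication. It assumes an elevated session on Windows Server; the registry values and the event ID are Microsoft's documented ones, not taken from the article.

```powershell
# Added example: hardening checks for two of the entry points discussed above.
# Assumptions: elevated PowerShell on a Windows Server domain controller.

# --- CVE-2020-1472 (ZeroLogon) ------------------------------------------
# Microsoft's post-August-2020 Netlogon fix uses this value to force
# enforcement mode (1 = all secure channel connections must be secure RPC).
$nlKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$nl = Get-ItemProperty -Path $nlKey -Name FullSecureChannelProtection -ErrorAction SilentlyContinue
if ($nl -and $nl.FullSecureChannelProtection -eq 1) {
    Write-Output 'Netlogon: enforcement mode explicitly enabled (FullSecureChannelProtection = 1)'
} else {
    Write-Output 'Netlogon: FullSecureChannelProtection is not 1; confirm the DC is patched and enforcement applies'
}

# Event 5829 is logged when a vulnerable Netlogon secure channel connection
# was ALLOWED. Any hit names a device that still speaks insecure Netlogon.
$since = (Get-Date).AddDays(-7)
$vulnerable = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5829; StartTime = $since
} -ErrorAction SilentlyContinue
if ($vulnerable) {
    Write-Output ("Netlogon: {0} vulnerable connection(s) allowed in the last 7 days:" -f $vulnerable.Count)
    $vulnerable | Select-Object TimeCreated, Message | Format-List
} else {
    Write-Output 'Netlogon: no event 5829 (allowed vulnerable connections) in the last 7 days'
}

# --- RDP exposure -------------------------------------------------------
# fDenyTSConnections = 1 means Remote Desktop is disabled entirely.
# UserAuthentication = 1 on the RDP-Tcp listener means NLA is required, so a
# stolen-credential login at least has to authenticate before reaching the
# logon screen.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"
$rdpOff = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$nla    = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
if ($rdpOff -eq 1) {
    Write-Output 'RDP: Remote Desktop connections are disabled on this host'
} elseif ($nla -eq 1) {
    Write-Output 'RDP: enabled, Network Level Authentication required'
} else {
    Write-Output 'RDP: enabled WITHOUT Network Level Authentication; review exposure'
}
```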

“In addition to distributing ransomware, the authors [of the cyber threat] used ‘double extortion’ techniques, in which they exfiltrate victims’ data and demand a ransom payment to decrypt it, threatening to release it publicly if a ransom payment is not made”, CISA noted.

According to recent findings from BlackBerry and Palo Alto Networks Unit 42, some researchers argue that Cuba ransomware shares links with the operators of the RomCom RAT and with another ransomware family called Industrial Spy.

The RomCom RAT is distributed through “trojanized versions” of legitimate software such as SolarWinds Network Performance Monitor, KeePass, PDF Reader Pro, Advanced IP Scanner, pdfFiller and Veeam Backup & Replication that are hosted on fake websites.

The warning from CISA and the FBI is the latest in a series of warnings the agencies have issued on different strains of ransomware such as MedusaLocker, Zeppelin, Vice Society, Daixin Team, and Hive.

On CISA's official website we can find the FBI notices related to the Cuba ransomware.

Today, the Federal Bureau of Investigation (FBI) and CISA released a Cybersecurity Advisory (CSA), #StopRansomware: Cuba Ransomware, to provide network defenders with the tactics, techniques and procedures (TTPs) and indicators of compromise (IOCs) associated with Cuba ransomware.

FBI investigations have identified these TTPs and IOCs as recently as August 2022. This CSA updates the previous FBI report from December 2021, Indicators of Compromise Associated with Cuba Ransomware. Major updates include:

The FBI has identified a sharp increase in both the number of compromised US entities and the ransom amounts demanded by Cuba ransomware actors.

Since spring 2022, Cuba ransomware authors have expanded their TTPs.

Third-party and open-source reports have identified a possible link between Cuba ransomware actors, RomCom Remote Access Trojan (RAT) actors, and Industrial Spy ransomware actors [industrial espionage].

FBI and CISA encourage network defenders to review the joint CSA and apply the included mitigations. Consult StopRansomware.gov for more guidance on ransomware protection, detection, and response.

Getting infected by ransomware (almost) always depends on the end user

The strategy to stop ransomware must start with us, the users.

Always remember that a ransomware attack is never purely technical: it is up to you as a user to pay attention to the emails you receive and to what you download.