Cuba ransomware makes use of the ProxyShell (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) and ProxyLogon (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) vulnerabilities to download and execute its component (Termite), which in turn downloads the remaining parts of its routine.
| Initial Access | Execution | Defense Evasion | Credential Access | Discovery | Command and Control | Lateral Movement | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|
| T1190 - Exploit Public-Facing Application | T0807 - Command-Line Interface | T1480 - Execution Guardrails | T1003 - OS Credential Dumping | T1135 - Network Share Discovery | T1437 - Application Layer Protocol | T0867 - Lateral Tool Transfer | T1041 - Exfiltration Over C2 Channel | T0881 - Service Stop |
| T1566 - Phishing | T1059 - Command and Scripting Interpreter | T1630 - Indicator Removal on Host | | | | | | T1471 - Data Encrypted for Impact |
| | | T1629 - Impair Defenses | | | | | | |
Security teams should watch for the presence of the following malware tools and exploits, which are typically used in Cuba ransomware attacks:
Given its high level of activity in late 2021 and throughout 2022, we can expect to see more of Cuba ransomware in the future. Its attacks against high-profile targets show that it isn’t hesitant to go after big fish, while its extensive infrastructure and heavy use of other malware and tools in its routine show that its operators are professional and have a high level of technical knowledge. Although it is still not as well known as some other ransomware families, we encourage organizations to start taking note of Cuba ransomware and how it operates to minimize the chances of a successful attack.
To protect systems against Cuba ransomware and other similar threats, organizations can implement security frameworks that allocate resources systematically to establish a strong defense strategy against ransomware.
Here are some best practices that organizations can consider to help protect themselves from Cuba ransomware infections:
A multilayered approach can help organizations guard possible entry points into their system (endpoint, email, web, and network). Security solutions can detect malicious components and suspicious behavior, which can help protect enterprises.