Ransomware Spotlight: Cuba

By Trend Micro Research

Cuba ransomware emerged on the scene with a spate of high-profile attacks in late 2021. Armed with an expansive infrastructure, impressive tools, and associated malware, Cuba ransomware is considered a significant player in the threat landscape, and is likely to remain so in the future through its continued evolution.

Cuba ransomware was first observed in December 2019 but only gained notoriety in November 2021 when the FBI posted an official notice detailing its activities. As of August 2022, Cuba ransomware actors have compromised over 100 entities worldwide, demanded over USD145 million, and received over USD60 million in ransom payments, according to a joint report released by the FBI and CISA in December 2022. Like many modern ransomware operators, they make use of the double extortion technique to force victims to pay the ransom demand.

Cuba ransomware actors have remained active throughout 2022. The ransomware group has been involved in a number of high-profile attacks, including ones that targeted government institutions in Europe. It has also continuously refined its ransomware routine and added capabilities for better efficiency and effectiveness. Based on these incidents and the continuous evolution of the ransomware, it is likely that we will be seeing more of its advanced iterations in future attacks.

What organizations need to know about Cuba ransomware

Trend Micro has observed a resurgence of Cuba ransomware activity in March and April 2022. It included a new variant that contained updates to the binary – particularly its downloader – that is believed to enhance efficiency, minimize unwanted system behavior, and even provide technical support to victims in case of negotiations.

In August 2022, Palo Alto’s Unit 42 released a report that provided information on a threat actor named Tropical Scorpius that had been deploying Cuba ransomware through a number of tools, tactics, and procedures (TTPs). Notable among these findings is the discovery of a new remote access trojan (RAT) called ROMCOM RAT that has several capabilities, such as uploading data and harvesting a list of running processes. Links between the threat actor and a data extortion marketplace called Industrial Spy were found after the latter expressed intent to branch out to ransomware.

The government of Montenegro revealed in September 2022 that 150 workstations in ten government institutions were hit by a Cuba ransomware attack. The perpetrators themselves corroborated this via their leak site, stating that they had successfully managed to retrieve sensitive information including financial documents, correspondence, account details, balance sheets, and tax documents.

In October 2022, the Ukrainian Computer Emergency Response Team (CERT-UA) published information warning of a Cuba ransomware attack on the war-hit country. Victims were lured in by phishing emails that were made to look like they originated from an organization within the Ukrainian armed services. A link within the email redirected to a malicious website containing a new version of PDF Reader that, when downloaded, leads to an executable. This executable decodes and runs a variant of the ROMCOM malware.

Cuba ransomware has an extensive infrastructure and uses many tools in its arsenal. These include Windows utilities such as Remote Desktop Protocol (RDP), Server Message Block (SMB), and PsExec, which it combines with popular tools like Cobalt Strike (for lateral movement and C&C communications) and Mimikatz (for dumping credentials).

It also exploits several vulnerabilities during the infection process. For example, it abuses the ProxyShell and ProxyLogon vulnerabilities for initial access, while leveraging an Avast driver vulnerability (C:\windows\temp\aswArPot.sys) as part of its antivirus-disabling routine.

Note that, despite its name, Cuba ransomware seems to originate from Russia, as evidenced by its routine of terminating itself when a Russian keyboard layout or language is detected on the system.

The succeeding sections will provide a more detailed look at the countries and industries affected by Cuba ransomware, both from Trend Micro’s own internal tools and through data sourced from the threat actor’s leak site.

Top affected countries and industries according to Trend Micro data

This section will examine Cuba ransomware’s attempts to compromise organizations based on Trend Micro™ Smart Protection Network™ country and regional data. Note that these encompass only Trend Micro customers, and do not include a list of all the victims found in Cuba ransomware’s leak site.

Data shows that Cuba ransomware did not solely focus on Eastern European countries, as the attempts spanned multiple regions. The US and Turkey had the highest number of attack attempts with 26% and 21% of the total, respectively.

Meanwhile, industry data shows that organizations in the healthcare, finance, and consumer sectors had the largest number of Cuba ransomware attack attempts, with the rest split among various other industries that include telecommunications, banking, and manufacturing. Overall, there were 73 companies that were targeted by Cuba ransomware, although the vast majority did not specify the industry that they were involved in.

Figure 1. The US and Turkey were the countries with the highest number of attack attempts in terms of infected machines for Cuba ransomware (January 1, 2022, to October 31, 2022)
Source: Trend Micro™ Smart Protection Network™

Targeted regions and industries according to Cuba ransomware’s leak site

This section examines data based on the attacks recorded on the leak site of Cuba ransomware’s operators. These attacks represent successfully compromised organizations that have refused to pay the ransom demand as of the time of writing.

Based on a combination of Trend Micro’s open-source intelligence (OSINT) research and investigation of the leak site, the group managed to compromise a total of 33 organizations. Of these, 17 were operating out of North America, with Europe containing eight organizations, followed by Asia-Pacific with four. Considering that not all organizations that were targeted were in the leak site, this indicates that ransomware groups are not as effective with their attacks as some people might think: the right technological solutions can help prevent a successful attack or infection.

Figure 2. Distribution by region of Cuba ransomware’s victim organizations from January 31, 2022, to September 30, 2022
Source: Cuba ransomware’s leak site and Trend Micro’s OSINT research

Moving on to specific countries, the US had the highest number of victim companies, with the rest coming from various other countries.

Figure 3. Distribution by country (top ten) of Cuba ransomware’s victim organizations from January 31, 2022, to September 30, 2022
Source: Cuba ransomware’s leak site and Trend Micro’s OSINT research

Cuba ransomware did not seem to favor a specific industry, as the victim organizations did not predominantly come from a single sector. IT services/technology had the highest victim count at five, followed by construction and finance with four each.

Figure 4. Distribution by industry (top ten) of Cuba ransomware’s victim organizations from January 31, 2022, to September 30, 2022
Source: Cuba ransomware’s leak site and Trend Micro’s OSINT research

Most of the victims (58%) were medium-sized companies (201-1000 employees), followed by small businesses (30%) of 1-200 employees. Large organizations only accounted for four attacks, or roughly 12% of the total.

Figure 5. The distribution by organization size of Cuba ransomware’s victim organizations from January 31, 2022, to September 30, 2022
Source: Cuba ransomware’s leak site and Trend Micro’s OSINT research

Infection chain and techniques

The Cuba ransomware infection chain can vary depending on the target or campaign. The diagram in Figure 6 shows a sample infection chain.

Figure 6. Cuba ransomware infection chain

Initial Access

Defense Evasion

  • Cuba ransomware will not proceed with its routine if a Russian keyboard layout is detected. Instead, it will terminate and delete itself.
  • It uses other components, such as the KillAV tool, to terminate AV-related processes, and also abuses an Avast driver vulnerability ("C:\windows\temp\aswArPot.sys") to terminate services.

Discovery

  • Cuba ransomware finds, lists, and encrypts files on available connected and shared networks when "-netscan" is provided as an argument upon execution.

  • It finds, lists, and encrypts files on connected removable drives when "-net" is provided as an argument upon execution.

  • It finds, lists, and encrypts local files when either "-local" or no argument is provided upon execution.

  • It makes use of a tool to scan available networks that will be used during its lateral movement phase.

Lateral Movement

  • For lateral movement, Cuba ransomware employs a number of tools that include RDP, SMB, and PsExec. It also frequently uses Cobeacon to facilitate movement within the victim networks that were discovered by its network discovery tools.

  • Following lateral movement, the threat actors deploy various backdoors, including the publicly available NetSupport RAT, Beacon and Bughatch, which are often deployed using the Termite in-memory dropper.

Command and Control

  • Cuba ransomware uses its own Cobalt Strike network to communicate back to its command-and-control (C&C) server. It also uses PROXYHTA to communicate with the C&C server to download additional components.

Impact

  • The ransomware uses a combination of Salsa20 and RSA for its encryption algorithm. Furthermore, it employs LibTomCrypt for its cryptography implementations.
  • It uses Salsa20 to encrypt files, then uses RSA to encrypt the Salsa20 key so that the encrypted files cannot be decrypted without the RSA private key.
  • It checks for the file marker FIDEL.CA to determine whether a file is already encrypted. If it isn’t, it will prepend the file marker and the RSA-encrypted Salsa20 key to the file.
  • After encryption, it renames the file by adding the ".cuba" extension, then drops a ransom note.

Figure 7. A sample ransom note from Cuba ransomware

MITRE tactics and techniques

Initial Access

T1190 - Exploit Public-Facing Application
Cuba ransomware has been observed exploiting vulnerable Microsoft Exchange servers via ProxyShell and ProxyLogon to drop and execute PowerShell scripts for the next stages of the attack.

T1566 - Phishing
Reports mention Cuba ransomware being the payload of Hancitor malicious spam campaigns.

Execution

T0807 - Command-Line Interface
Java and PHP webshells are used to perform remote commands or deliver Cobeacon.

T1059 - Command and Scripting Interpreter
A batch file is used to copy and execute KillAV and ransomware samples from a shared folder.

Defense Evasion

T1480 - Execution Guardrails
Cuba ransomware will terminate and delete itself if the keyboard layout language is Russian.

T1630 - Indicator Removal on Host
Cuba ransomware terminates and deletes itself after execution or if certain conditions are met.

T1629 - Impair Defenses
The ransomware terminates a list of running AV-related processes, if discovered, via its KillAV component. Cuba ransomware also exploits an Avast driver vulnerability to terminate processes and services.

Credential Access

T1003 - OS Credential Dumping
The ransomware uses Mimikatz to dump credentials.

Discovery

T1135 - Network Share Discovery
Cuba ransomware uses a component dubbed Wedgecut that takes an argument containing a list of hosts or IP addresses and checks whether they are online using ICMP packets.

Command and Control

T1437 - Application Layer Protocol
Cuba ransomware uses its Cobeacon network to send and receive information and commands from the threat actors. It also uses a component dubbed ProxyHTA to download additional components from its C&C servers.

Lateral Movement

T0867 - Lateral Tool Transfer
Cuba ransomware uses tools such as RDP, SMB, and PsExec, frequently using Cobeacon to facilitate movement within the victim network to hosts found by its network discovery tools.

Exfiltration

T1041 - Exfiltration Over C2 Channel
Cuba ransomware employs its Cobeacon network to send stolen information back to the threat actors.

Impact

T0881 - Service Stop
Terminates the following services and processes via API calls:

- MySQL
- MYSQL80
- MSSQLSERVER
- SQLWriter
- MSDTC
- SQLBrowser
- sqlservr.exe
- sqlwriter.exe
- msdtc.exe
- sqlbrowser.exe

T1471 - Data Encrypted for Impact
The ransomware uses a combination of Salsa20 and RSA for its encryption algorithm. It also makes use of LibTomCrypt for its cryptography implementations.

The ransomware avoids encrypting files found in the following folders:

- %Windir%
- C:\Boot
- C:\Config.msi
- C:\$Recycle Bin
- C:\System Volume Information
- C:\Recovery
- C:\Documents and Settings
- C:\ProgramData
- C:\Program Files\Microsoft Office
- C:\Program Files (x86)\Microsoft Office


It appends the following extension to the file name of the encrypted files:

- {Original Filename}.{Original Extension}.cuba


It leaves text files that serve as ransom notes containing the following text:

- !!FAQ for Decryption!!.txt


It avoids encrypting files with the following file extensions:

- .exe
- .dll
- .sys
- .cuba
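As an added example (not code from the article or from Trend Micro), the following Python triage script applies the observables described in the Impact section and under T1471 above, namely the FIDEL.CA file marker, the ".cuba" extension and the ransom note file name, to a directory tree during incident response, separating confirmed encrypted files from files that show only one of the two indicators. The sample tree and the 32-byte stand-in for the RSA-encrypted Salsa20 key are constructed here, since the article does not describe the key blob's exact layout.

```python
import os
import tempfile
from pathlib import Path

# Observables taken from the behaviour described in this article.
FILE_MARKER = b"FIDEL.CA"                 # prepended to every encrypted file
ENCRYPTED_EXT = ".cuba"                   # appended to the original file name
RANSOM_NOTE = "!!FAQ for Decryption!!.txt"


def classify_file(path):
    """Return 'encrypted', 'marker-only', 'extension-only', 'note' or None.

    A file counts as Cuba-encrypted only when BOTH observables agree: the
    ".cuba" extension and the FIDEL.CA marker at offset 0. The mismatched
    cases are reported separately, because a renamed-but-untouched file or a
    marker-bearing file that was renamed back is exactly what an analyst
    needs to look at rather than silently drop.
    """
    p = Path(path)
    if p.name == RANSOM_NOTE:
        return "note"
    has_ext = p.suffix.lower() == ENCRYPTED_EXT
    try:
        with open(p, "rb") as fh:
            has_marker = fh.read(len(FILE_MARKER)) == FILE_MARKER
    except OSError:            # unreadable file: fall back to the name only
        has_marker = False
    if has_ext and has_marker:
        return "encrypted"
    if has_marker:
        return "marker-only"
    if has_ext:
        return "extension-only"
    return None


def triage(root):
    """Walk a tree and tally each classification; returns (counts, findings)."""
    counts = {"encrypted": 0, "marker-only": 0, "extension-only": 0, "note": 0}
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            kind = classify_file(full)
            if kind:
                counts[kind] += 1
                findings.append((kind, os.path.relpath(full, root)))
    return counts, sorted(findings)


def build_sample_tree():
    """Constructed sample data (not a real infection) for a dry run."""
    root = tempfile.mkdtemp(prefix="cuba_triage_")
    os.makedirs(os.path.join(root, "finance"))
    fake_key = b"\x11" * 32  # stand-in for the RSA-encrypted Salsa20 key blob (assumed size)
    Path(root, "finance", "q3.xlsx.cuba").write_bytes(FILE_MARKER + fake_key + b"\x99" * 64)
    Path(root, "finance", RANSOM_NOTE).write_text("constructed note text")
    Path(root, "readme.txt").write_text("untouched file")          # not flagged
    Path(root, "decoy.cuba").write_bytes(b"not really encrypted")  # extension only
    return root


if __name__ == "__main__":
    counts, findings = triage(build_sample_tree())
    print(counts)
    for kind, rel in findings:
        print(f"{kind:15} {rel}")
```

Pointing triage() at a mounted image or a restored share gives a first count of impacted files before any decryption or restore decision is made.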

Summary of malware, tools, and exploits used

Security teams should take note of and observe the presence of the following malware tools and exploits that are typically used in Cuba ransomware attacks:

Malware

  • Bughatch
  • Burntcigar
  • Cobeacon
  • Colddraw
  • Hancitor (Chanitor)
  • Termite 
  • Wedgecut

Tools

  • Mimikatz
  • PowerShell
  • ProxyLogon
  • ProxyShell
  • PsExec
  • Remote Desktop Protocol

Recommendations

Given its high level of activity in late 2021 and throughout 2022, we can expect to see more of Cuba ransomware in the future. Its attacks against high-profile targets show that it isn’t hesitant to go after big fish, while its extensive infrastructure and heavy use of other malware and tools in its routine show that its operators are professional and have high levels of technical knowledge. Although it is still not as well-known as some other existing ransomware families, we encourage organizations to start taking note of Cuba ransomware and how it operates to minimize the chances of a successful attack occurring.

To protect systems against Cuba ransomware and other similar threats, organizations can implement security frameworks that allocate resources systematically to establish a strong defense strategy against ransomware.

Here are some best practices that organizations can consider to help protect themselves from Cuba ransomware infections:

Audit and inventory

• Take an inventory of assets and data.
• Identify authorized and unauthorized devices and software.
• Audit event and incident logs.

Configure and monitor

• Manage hardware and software configurations.
• Grant admin privileges and access only when necessary to an employee’s role.
• Monitor network ports, protocols, and services.
• Activate security configurations on network infrastructure devices such as firewalls and routers.
• Establish a software allowlist that only executes legitimate applications.

Patch and update

• Conduct regular vulnerability assessments.
• Perform patching or virtual patching for operating systems and applications.
• Update software and applications to their latest versions.

Protect and recover

• Implement data protection, backup, and recovery measures.
• Enable multifactor authentication (MFA).

Secure and defend

• Employ sandbox analysis to block malicious emails.
• Deploy the latest versions of security solutions to all layers of the system, including email, endpoint, web, and network.
• Discover early signs of an attack such as the presence of suspicious tools in the system.
• Use advanced detection technologies such as those powered by AI and machine learning.

Train and test

• Regularly train and assess employees on security skills.
• Conduct red-team exercises and penetration tests.

A multilayered approach can help organizations guard possible entry points into their system (endpoint, email, web, and network). Security solutions can detect malicious components and suspicious behavior, which can help protect enterprises.

• Trend Micro Vision One™ provides multilayered protection and behavior detection, which helps block questionable behavior and tools early on before the ransomware can do irreversible damage to the system.
• Trend Micro Cloud One™ Workload Security protects systems against both known and unknown threats that exploit vulnerabilities. This protection is made possible through techniques such as virtual patching and machine learning.
• Trend Micro™ Deep Discovery™ Email Inspector employs custom sandboxing and advanced analysis techniques to effectively block malicious emails, including phishing emails that can serve as entry points for ransomware.
• Trend Micro Apex One™ offers next-level automated threat detection and response against advanced concerns such as fileless threats and ransomware, ensuring the protection of endpoints.

Indicators of Compromise (IOCs)

The IOCs for this article can be found here. Actual indicators might vary per attack.
