Ransomware Spotlight: Cuba
[Figure: Top affected countries and industries, according to Trend Micro data]
[Figure: Targeted regions and industries, according to Cuba ransomware’s leak site]
Infection chain and techniques
- Cuba ransomware exploits the ProxyShell (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) and ProxyLogon (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) vulnerabilities in Microsoft Exchange Server to download and execute its Termite component, an in-memory dropper that retrieves the other parts of its routine.
- Reports have mentioned Cuba ransomware being downloaded by the Hancitor malware via malicious spam campaigns, but this has not been observed internally.
- Cuba ransomware will not proceed with its routine if a Russian keyboard layout is detected. Instead, it will terminate and delete itself.
- It uses a separate component, the KillAV tool, to terminate AV-related processes. It also abuses a vulnerable but legitimately signed Avast driver, dropped as "C:\windows\temp\aswArPot.sys", to terminate services. Because the driver carries a valid signature, the signal to watch for is a kernel driver being loaded from a temp directory, not the signature itself.
- When run with the "-netscan" argument, it finds, lists, and encrypts files on reachable network shares.
- When run with the "-net" argument, it finds, lists, and encrypts files on connected removable drives.
- When run with the "-local" argument, or with no argument, it finds, lists, and encrypts local files.
- It uses a network scanning tool to enumerate reachable hosts, which are then targeted during the lateral movement phase.
- For lateral movement, Cuba ransomware uses RDP, SMB, and PsExec. It also frequently uses Cobeacon (Cobalt Strike Beacon) to move through the victim networks identified by its network scanning tools.
- Following lateral movement, the threat actors deploy various backdoors, including the publicly available NetSupport RAT, Beacon, and Bughatch, which are often delivered through the Termite in-memory dropper.
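The KillAV and Avast driver bullets above describe a bring-your-own-vulnerable-driver technique, and the practical detection point is the driver load itself rather than its signature. The Go program below is an added example and is not code from the original page or from Trend Micro. It runs one rule over constructed, Sysmon-style driver-load records (Event ID 6, flattened here to key=value text; the field names ImageLoaded, Signed and Signature are assumed for the example) and flags any driver loaded from a user-writable path, or a known-abused driver name loaded outside its vendor install directory. Only aswArPot.sys comes from the page; the other paths and vendor strings in the sample records are made up.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Constructed Sysmon-style "driver loaded" (Event ID 6) records, flattened to
// key=value pairs for this example. They are not real telemetry.
var sampleDriverLoads = []string{
	`EventID=6 ImageLoaded=C:\Windows\System32\drivers\tcpip.sys Signed=true Signature=Microsoft Windows`,
	`EventID=6 ImageLoaded=C:\windows\temp\aswArPot.sys Signed=true Signature=Avast Software s.r.o.`,
	`EventID=6 ImageLoaded=C:\Program Files\Avast Software\Avast\aswArPot.sys Signed=true Signature=Avast Software s.r.o.`,
	`EventID=6 ImageLoaded=C:\Users\jdoe\AppData\Local\Temp\helper.sys Signed=true Signature=Contoso Ltd`,
	`EventID=7 Image=C:\Windows\explorer.exe ImageLoaded=C:\Windows\System32\shell32.dll Signed=true`,
}

// Directories a standard user can write to. A kernel driver loading from one of
// these is anomalous no matter how valid its signature is.
var userWritableRoots = []string{`c:\windows\temp\`, `c:\users\`, `c:\programdata\`, `c:\perflogs\`}

// Driver file names known to be abused for process and service killing.
// aswArPot.sys is the one named on this page; extend this from your own intel.
var abusedDrivers = map[string]bool{"aswarpot.sys": true}

// parseKV splits "k=v k2=v v" into fields; a value runs until the next "key=".
func parseKV(line string) map[string]string {
	fields := map[string]string{}
	key := ""
	for _, tok := range strings.Fields(line) {
		if i := strings.IndexByte(tok, '='); i > 0 {
			key = tok[:i]
			fields[key] = tok[i+1:]
		} else if key != "" {
			fields[key] += " " + tok
		}
	}
	return fields
}

// Finding records a flagged driver load and why it was flagged.
type Finding struct{ Image, Reason string }

// suspiciousDriverLoads flags Event ID 6 records whose driver sits in a
// user-writable path or matches an abused name outside its vendor directory.
// "Signed=true" is deliberately not an exemption: BYOVD depends on signed drivers.
func suspiciousDriverLoads(lines []string) []Finding {
	var out []Finding
	for _, l := range lines {
		f := parseKV(l)
		if f["EventID"] != "6" {
			continue
		}
		img := f["ImageLoaded"]
		lower := strings.ToLower(img)
		name := path.Base(strings.ReplaceAll(lower, `\`, "/"))
		inVendorDir := strings.HasPrefix(lower, `c:\program files`)
		switch {
		case abusedDrivers[name] && !inVendorDir:
			out = append(out, Finding{img, "abused driver loaded outside its vendor install path"})
		case hasAnyPrefix(lower, userWritableRoots):
			out = append(out, Finding{img, "kernel driver loaded from a user-writable directory"})
		}
	}
	return out
}

func hasAnyPrefix(s string, prefixes []string) bool {
	for _, p := range prefixes {
		if strings.HasPrefix(s, p) {
			return true
		}
	}
	return false
}

func main() {
	for _, f := range suspiciousDriverLoads(sampleDriverLoads) {
		fmt.Printf("ALERT %s: %s\n", f.Image, f.Reason)
	}
}
```

Against the sample records this flags the aswArPot.sys load from C:\windows\temp and the unknown helper.sys from a user profile, and leaves the copy of aswArPot.sys under Program Files and the Microsoft drivers alone. The same logic ports directly to a Sigma or SIEM rule keyed on Sysmon Event ID 6 (or Windows System event 7045 for service installs).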
Command and Control
- Cuba ransomware uses its own Cobalt Strike infrastructure to communicate with its command-and-control (C&C) server. It also uses PROXYHTA to reach the C&C server and download additional components.
- The ransomware uses a combination of Salsa20 and RSA for encryption, implemented with the LibTomCrypt library.
- Each file is encrypted with Salsa20; the Salsa20 key is then encrypted with RSA so that it cannot be recovered without the operators’ private key.
- Before encrypting, it checks for the file marker FIDEL.CA to determine whether the file is already encrypted. If it is not, it prepends the marker and the RSA-encrypted Salsa20 key to the file.
- After encryption it renames the file, appending the ".cuba" extension, and then drops a ransom note.
MITRE tactics and techniques
| Tactic | Technique |
|---|---|
| Initial Access | T1190 - Exploit Public-Facing Application |
| Initial Access | T1566 - Phishing |
| Execution | T1059 - Command and Scripting Interpreter |
| Defense Evasion | T1480 - Execution Guardrails |
| Defense Evasion | T1070 - Indicator Removal on Host |
| Defense Evasion | T1562 - Impair Defenses |
| Credential Access | T1003 - OS Credential Dumping |
| Discovery | T1135 - Network Share Discovery |
| Command and Control | T1071 - Application Layer Protocol |
| Lateral Movement | T1570 - Lateral Tool Transfer |
| Exfiltration | T1041 - Exfiltration Over C2 Channel |
| Impact | T1489 - Service Stop |
| Impact | T1486 - Data Encrypted for Impact |
Summary of malware, tools, and exploits used
Security teams should watch for the following malware, tools, and exploits, which are typically used in Cuba ransomware attacks and are described in the sections above:
- Hancitor (Chanitor)
- ProxyShell and ProxyLogon exploits against Microsoft Exchange Server
- Termite (in-memory dropper)
- KillAV and the vulnerable Avast driver aswArPot.sys
- Network scanning tools
- Remote Desktop Protocol
- SMB and PsExec
- Cobalt Strike Beacon (Cobeacon)
- PROXYHTA
- NetSupport RAT
- Bughatch
Given its high level of activity in late 2021 and throughout 2022, we can expect to see more of Cuba ransomware in the future. Its attacks against high-profile targets show that it isn’t hesitant to go after big fish, while its extensive infrastructure and heavy use of other malware and tools in its routine shows that its operators are professional and have high levels of technical knowledge. Although it is still not as well-known as some other existing ransomware families, we encourage organizations to start taking note of Cuba ransomware and how it operates to minimize the chances of a successful attack occurring.
To protect systems against Cuba ransomware and other similar threats, organizations can implement security frameworks that allocate resources systematically to establish a strong defense strategy against ransomware.
Here are some best practices that organizations can consider to help protect themselves from Cuba ransomware infections:
Audit and inventory
- Take an inventory of assets and data.
- Identify authorized and unauthorized devices and software.
- Audit event and incident logs.
Configure and monitor
- Manage hardware and software configurations.
- Grant admin privileges and access only when necessary to an employee’s role.
- Monitor network ports, protocols, and services.
- Activate security configurations on network infrastructure devices such as firewalls and routers.
- Establish a software allowlist that only executes legitimate applications.
Patch and update
- Conduct regular vulnerability assessments.
- Perform patching or virtual patching for operating systems and applications.
- Update software and applications to their latest versions.
Protect and recover
- Implement data protection, backup, and recovery measures, and keep backups offline so that they cannot be reached over the same network shares the ransomware encrypts.
- Enable multifactor authentication (MFA).
Secure and defend
- Employ sandbox analysis to block malicious emails.
- Deploy the latest versions of security solutions to all layers of the system, including email, endpoint, web, and network.
- Discover early signs of an attack such as the presence of suspicious tools in the system.
- Use advanced detection technologies such as those powered by AI and machine learning.
Train and test
- Regularly train and assess employees on security skills.
- Conduct red-team exercises and penetration tests.
A multilayered approach can help organizations guard possible entry points into their system (endpoint, email, web, and network). Security solutions can detect malicious components and suspicious behavior, which can help protect enterprises.
- Trend Micro Vision One™ provides multilayered protection and behavior detection, which helps block questionable behavior and tools early on before the ransomware can do irreversible damage to the system.
- Trend Micro Cloud One™ Workload Security protects systems against both known and unknown threats that exploit vulnerabilities. This protection is made possible through techniques such as virtual patching and machine learning.
- Trend Micro™ Deep Discovery™ Email Inspector employs custom sandboxing and advanced analysis techniques to effectively block malicious emails, including phishing emails that can serve as entry points for ransomware.
- Trend Micro Apex One™ offers next-level automated threat detection and response against advanced concerns such as fileless threats and ransomware, ensuring the protection of endpoints.
Indicators of Compromise (IOCs)