The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have released a joint cybersecurity advisory on Cuba ransomware. It describes the tactics, techniques, and procedures (TTPs) used by the ransomware group and provides Indicators of Compromise (IoCs) to help network defenders harden their systems against ransomware attacks and quickly identify intrusions. The Health Sector Cybersecurity Coordination Center states that the ransomware group presents a significant risk to the healthcare and public health sector.
The Cuba ransomware gang has doubled its attacks in the United States since December 2021 and has been receiving larger ransom payments. Worldwide, the group has attacked more than 100 organizations, with ransom demands totaling over $145 million; it has collected at least $60 million in ransom payments. The group targets critical infrastructure organizations: around 65 critical infrastructure organizations have been attacked in the United States, including those in healthcare and public health, financial services, government facilities, information technology, and critical manufacturing.
According to CISA and the FBI, there are commonalities between the infrastructure used by the Cuba ransomware group and that of the RomCom RAT and Industrial Spy ransomware actors. The group uses RomCom for command and control of the ransomware, and it uses the Industrial Spy actors’ online marketplace to sell stolen data when victims refuse to pay the ransom. In one attack, the Cuba ransomware group deployed the RomCom RAT on the network of a healthcare organization, indicating a strong connection between these three groups. The group has also been observed using a dropper signed with the same certificate that appeared in the LAPSUS$ NVIDIA data leak.
To gain initial access to victims’ networks, the Cuba ransomware gang uses a number of methods, including exploiting vulnerabilities in unpatched commercial software, for example CVE-2020-1472 (ZeroLogon) and CVE-2022-24521 (Windows Common Log File System), as well as phishing, compromised credentials, and exposed remote desktop protocol (RDP) services. Once access is obtained, the ransomware is delivered using a loader known as Hancitor, which is also used to download information stealers, RATs, and other malicious payloads. Before encrypting files, the group exfiltrates data in order to pressure victims into paying the ransom.
CISA and the FBI previously released a security advisory on the ransomware gang in December 2021; since then the gang has changed its TTPs, and the updated TTPs are documented in the latest advisory (https://www.cisa.gov/uscert/ncas/alerts/aa22-335a), together with IoCs, MITRE ATT&CK techniques, and recommended mitigations.