In a new flash alert, the FBI has warned about Cuba ransomware, a threat actor that as of early November 2021 had compromised roughly 50 organizations across five critical infrastructure sectors: financial, government, healthcare, manufacturing and information technology.
According to the bureau, Cuba ransomware actors have demanded at least US $74 million and received at least US $43.9 million in ransom payments.
The gap between the $74 million demanded and the roughly $44 million actually collected shows that a large share of victims did not pay: some businesses are willing to pay a ransom, while others prefer to report the attack and restore on their own without paying a dime.
Although the FBI did not name any specific victims, it did warn last month that the gang is focusing on tribal casinos across the United States.
Cuba Ransomware M.O.
As explained by the bureau, the ransomware is distributed via the Hancitor malware, also known as Tordal and Chanitor. Hancitor is a loader that has been around since 2014 and is distributed by its operators through malspam.
This loader is notorious for dropping or executing stealers, Remote Access Trojans (RATs) and other ransomware families onto victims' networks.
To gain initial access to a target's network, the Hancitor operators use:
- phishing emails,
- Microsoft Exchange vulnerabilities,
- compromised credentials,
- legitimate Remote Desktop Protocol (RDP) tools.
Subsequently, Cuba ransomware actors use legitimate Windows tools such as PowerShell and PsExec (the FBI mentions other, unspecified services as well) and leverage Windows administrator privileges to execute the ransomware and other processes remotely.
When a victim's machine is infected, the ransomware installs and runs a Cobalt Strike beacon, along with two executable files. The threat actors use these two files to obtain passwords and to "write to the compromised system's temporary (TMP) file."
Once the TMP file has been uploaded, one of the two executables, 'krots.exe', is deleted and the TMP file is executed on the compromised network. The TMP file contains Application Programming Interface (API) calls associated with memory injection and, once executed, deletes itself from the system.
After the TMP file is deleted, the compromised network begins communicating with a reported malware repository hosted at the Montenegro-based domain teoresp.com.
The FBI also noted that the Cuba ransomware actors employ the open-source credential-dumping tool Mimikatz to collect credentials, then use RDP to log into a host on the compromised network with a specific user account.
Once the RDP connection is established, the Cuba ransomware actors use the Cobalt Strike server to communicate with the compromised user account. One of the initial PowerShell script's functions allocates memory space in which to run a base64-encoded payload. Once that payload is loaded into memory, it is used to reach the remote command-and-control (C2) server and pull down the next stage of files for the ransomware. The C2 server is located at the malicious domain kurvalarva.com.
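The chain described above (PsExec-style remote execution, an encoded PowerShell stager that allocates memory for its payload, and call-outs to the two reported domains) is something a defender can hunt for in exported Windows and Sysmon telemetry. The following Python script is an added example written for this article; it is not code from the FBI alert or from Heimdal. It assumes a flat export format with one dict per event (field names such as `event_id`, `command_line` and `query` are an assumption, not the native Windows event schema), and all five sample events, including the stager text and its placeholder payload bytes, are constructed for the illustration.

```python
"""Triage exported Windows/Sysmon events for the Cuba ransomware tradecraft described above.

Added example (not code from the FBI alert or from Heimdal). Every event below is
constructed for illustration, and the flat field names are an assumed export
format, not the native Windows XML schema.
"""
import base64
import re

# Domains named in the FBI flash alert as the malware repository and the C2 server.
REPORTED_DOMAINS = ("teoresp.com", "kurvalarva.com")

# Win32 APIs a PowerShell stager calls to allocate memory and run a payload inside it.
MEMORY_INJECTION_APIS = re.compile(
    r"\b(VirtualAlloc(?:Ex)?|VirtualProtect|WriteProcessMemory|Create(?:Remote)?Thread|NtAllocateVirtualMemory)\b"
)

# -EncodedCommand and the abbreviations powershell.exe accepts for it (-e, -ec, -enc, ...)
# followed by a base64 blob. -ExecutionPolicy does not match because whitespace must follow.
ENCODED_ARG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en[a-z]*)\s+[\"']?([A-Za-z0-9+/=]{16,})")


def decode_encoded_powershell(command_line):
    """Return the script hidden behind -EncodedCommand, or None if there is none.
    PowerShell expects base64 of the UTF-16LE script, so both steps are reversed here."""
    m = ENCODED_ARG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except ValueError:  # bad base64 or odd byte count: not a well-formed encoded command
        return None


def memory_injection_apis(script):
    """Sorted, de-duplicated memory-injection API names referenced by a decoded script."""
    return sorted(set(MEMORY_INJECTION_APIS.findall(script)))


def is_reported_domain(name):
    """True for one of the alert's domains or any subdomain of it."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in REPORTED_DOMAINS)


def triage(events):
    """Run the three rules over flat event records and return one finding per hit."""
    findings = []
    for ev in events:
        host = ev.get("host", "?")
        # Rule 1: PsExec installs its PSEXESVC service on the target (System event 7045).
        blob = (ev.get("service_name", "") + ev.get("image_path", "")).lower()
        if ev.get("event_id") == 7045 and "psexesvc" in blob:
            findings.append({"host": host, "rule": "psexec_service_install", "detail": ev.get("image_path", "")})
        # Rule 2: process creation (Security event 4688) of an encoded PowerShell stager that
        # references memory-allocation/thread APIs, as described for the Cuba intrusions.
        if ev.get("event_id") == 4688 and "powershell" in ev.get("image", "").lower():
            script = decode_encoded_powershell(ev.get("command_line", ""))
            apis = memory_injection_apis(script) if script else []
            if apis:
                findings.append({"host": host, "rule": "encoded_powershell_memory_injection", "detail": ",".join(apis)})
        # Rule 3: Sysmon DNS query (event 22) for the repository or C2 domain from the alert.
        if ev.get("event_id") == 22 and is_reported_domain(ev.get("query", "")):
            findings.append({"host": host, "rule": "reported_c2_domain", "detail": ev["query"]})
    return findings


# Constructed stager text for the sample only; the base64 bytes it "loads" are a placeholder.
STAGER_SCRIPT = (
    "$d='[DllImport(\"kernel32\")]public static extern IntPtr VirtualAlloc(IntPtr a,uint b,uint c,uint d);"
    "[DllImport(\"kernel32\")]public static extern IntPtr CreateThread(IntPtr a,uint b,IntPtr c,IntPtr d,uint e,IntPtr f);';"
    "$k=Add-Type -MemberDefinition $d -Name K -PassThru;"
    "$b=[Convert]::FromBase64String('AAAAAAAA');"
    "$p=$k::VirtualAlloc(0,$b.Length,0x3000,0x40);"
    "[Runtime.InteropServices.Marshal]::Copy($b,0,$p,$b.Length);"
    "$k::CreateThread(0,0,$p,0,0,0)"
)
ENCODED_STAGER = base64.b64encode(STAGER_SCRIPT.encode("utf-16-le")).decode("ascii")

# Constructed sample telemetry: two hosts, three malicious events on FS01, two benign ones on WS07.
SAMPLE_EVENTS = [
    {"host": "FS01", "event_id": 7045, "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"host": "FS01", "event_id": 4688, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc " + ENCODED_STAGER},
    {"host": "WS07", "event_id": 4688, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"},
    {"host": "FS01", "event_id": 22, "query": "teoresp.com"},
    {"host": "WS07", "event_id": 22, "query": "ctldl.windowsupdate.com"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['rule']} ({f['detail']})")
```

Running the script flags three of the five constructed events, all on FS01: the PSEXESVC service installation, the encoded PowerShell stager that references VirtualAlloc and CreateThread, and the DNS query for teoresp.com. The benign `-ExecutionPolicy Bypass` script and the Windows Update lookup on WS07 are left alone. The decoder is the reusable piece: PowerShell takes the base64 of the UTF-16LE script, so a detection has to reverse both steps before any keyword match can fire, and a rule that only greps the raw command line for "VirtualAlloc" will miss exactly the stagers the alert describes.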
Ransomware Attacks Likely to Happen During Holidays and Weekends
This flash alert follows a joint warning from the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) reminding critical infrastructure organizations that malicious actors will likely be "at work" over the holiday season.
Although neither CISA nor the FBI has identified any specific threat so far, trends in 2021 show attackers launching significant and destructive ransomware attacks over weekends and holidays, including the Mother's Day and Independence Day weekends, when security teams are thinly staffed.
Recommended Mitigations
To reduce the chance of being compromised by Cuba ransomware, the FBI advises network administrators to apply the following mitigations:
- Require all accounts with password logins to have strong, unique passwords;
- Require multi-factor authentication for all services to the extent possible;
- Keep all operating systems and software up to date;
- Remove unnecessary access to administrative shares;
- Segment networks to prevent the spread of ransomware;
- Identify, detect and investigate abnormal activity and potential lateral movement of the indicated ransomware with a network monitoring tool;
- Implement time-based access for accounts set at the admin level and higher;
- Maintain offline backups of data, and regularly maintain backup and restoration procedures;
- Ensure all backup data is encrypted and immutable.
How Can Heimdal™ Help?
In the fight against ransomware, Heimdal™ Security is offering its customers an outstanding integrated cybersecurity suite including the Ransomware Encryption Protection module, that is universally compatible with any antivirus solution, and is 100% signature-free, ensuring superior detection and remediation of any type of ransomware, whether fileless or file-based (including the most recent ones like LockFile).
Heimdal™ Ransomware Encryption Protection
- Blocks any unauthorized encryption attempts;
- Detects ransomware regardless of signature;
- Universal compatibility with any cybersecurity solution;
- Full audit trail with stunning graphics;