Digital Extortion Nets Criminal Gang $60 Million
December 2, 2022 A kitschy revolutionary mural in Havana, Cuba. (Image: Library of Congress)
Extortion demands by operators of Cuba ransomware have netted $60 million for the criminal gang, estimates the U.S. federal government in a warning that the number of American entities falling victim to its attacks has doubled over the past year.
Cuba operators actively target critical infrastructure sectors including financial institutions, government buildings, the healthcare sector, manufacturing and information technology. The gang is yet another ransomware outfit in which attackers steal data before leaving systems maliciously encrypted, then leak the data to try to force recalcitrant victims to pay. The gang earns its name from the “.cuba” extension it adds to encrypted files and its predilection for revolutionary-kitsch artwork.
There is no indication that it has any connection with the country of the same name, say the FBI and the Cybersecurity and Infrastructure Security Agency in a joint advisory.
The FBI spotted Cuba ransomware actors compromising more than 100 entities worldwide. Among its victims: the government of Montenegro, which in August took offline multiple government websites and services amid what officials characterize as a targeted cyberattack (see: Cuba Ransomware Gang Takes Credit for Attacking Montenegro).
The latest warning is a follow-up to a December 2021 FBI alert that pegged Cuba’s extortion haul at $43.9 million.
The group has modified its techniques over the past half year, the two agencies say, noting reports of an apparent link between Cuba ransomware actors and both RomCom RAT actors and Industrial Spy ransomware actors.
The agencies cite a report from Palo Alto Networks finding that Cuba uses RomCom for command and control and that around May, Cuba began selling stolen data on Industrial Spy’s online marketplace.
The agencies also say Industrial Spy ransomware shares distinct similarities in configuration to Cuba ransomware and that reporting about a compromise of a foreign healthcare company noted that Cuba deployed the RomCom RAT.
The Palo Alto report notes that Cuba has exploited CVE-2022-24521 in the Windows Common Log File System driver to steal system tokens and elevate privileges, used PowerShell scripts for reconnaissance, deployed a tool called KerberCache to crack Kerberos tickets offline via Kerberoasting, and exploited CVE-2020-1472 to gain administrative privileges (see: Windows Common Log File System Driver 0-Day Gets a Close-Up).
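Kerberoasting, as described above, leaves a recognizable trace in domain controller logs: one account requesting service tickets for many service principal names in a short burst, usually asking for RC4 encryption (type 0x17) because those tickets are the cheapest to crack offline. The following detection logic is an added example, not code from the advisory or from Palo Alto Networks. It runs over constructed Windows Security Event 4769 records (real field names, invented values); the five-minute window and the threshold of five distinct SPNs are tuning assumptions.

```python
"""Flag Kerberoasting-style bursts in Windows Event ID 4769 records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"                 # TicketEncryptionType value for RC4-HMAC tickets
WINDOW = timedelta(minutes=5)     # assumption: burst window for the detection
THRESHOLD = 5                     # assumption: distinct SPNs per account per window


def detect_kerberoasting(events, window=WINDOW, threshold=THRESHOLD):
    """Return [(account, sorted SPN list)] for accounts that request `threshold`
    or more distinct RC4 service tickets within `window`."""
    by_user = defaultdict(list)
    for e in events:
        if e["TicketEncryptionType"].lower() != RC4_HMAC:
            continue                                  # AES tickets are not the roasting pattern
        svc = e["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue                                  # machine accounts / krbtgt: no user password to crack
        by_user[e["TargetUserName"]].append((datetime.fromisoformat(e["time"]), svc))

    alerts = []
    for user, reqs in by_user.items():
        reqs.sort()
        # sliding window: from each request, count distinct SPNs seen within `window`
        for i, (t0, _) in enumerate(reqs):
            spns = {s for t, s in reqs[i:] if t - t0 <= window}
            if len(spns) >= threshold:
                alerts.append((user, sorted(spns)))
                break
    return alerts


# Constructed sample: one account pulls six RC4 tickets in one minute; the rest is routine.
SAMPLE_4769 = [
    {"time": f"2022-11-30T09:00:{10 * i:02d}", "TargetUserName": "jdoe", "ServiceName": svc,
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.25"}
    for i, svc in enumerate(["svc_sql", "svc_web", "svc_backup",
                             "svc_sharepoint", "svc_exchange", "svc_ci"])
] + [
    {"time": "2022-11-30T09:01:00", "TargetUserName": "alice", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.31"},      # AES ticket, ignored
    {"time": "2022-11-30T09:01:05", "TargetUserName": "alice", "ServiceName": "WS01$",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.31"},      # machine account, ignored
    {"time": "2022-11-30T09:01:09", "TargetUserName": "alice", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.31"},      # single RC4 request, below threshold
]

if __name__ == "__main__":
    for account, spns in detect_kerberoasting(SAMPLE_4769):
        print(f"possible Kerberoasting by {account}: {', '.join(spns)}")
```

On a real domain the events come from the domain controllers' Security log; enabling AES on service accounts and reviewing which accounts still receive RC4 tickets reduces both the false positives and the value of the attack.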
The alert also warns that Cuba has used a dropper that writes a kernel driver to the file system called ApcHelper.sys, which targets and terminates security products. The dropper was not signed, but the kernel driver was signed using the certificate found in the LAPSUS NVIDIA leak.
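A driver signed with a leaked certificate passes Windows' signature check, so the useful defensive signal is context rather than validity: a driver carrying a known-leaked signer loaded from a path where that vendor never installs, or a driver whose name matches the advisory. The triage routine below is an added example, not code from the advisory or from any vendor. It reads Sysmon Event ID 6 ("Driver loaded") records with Sysmon's real field names; the sample records are constructed, the expected NVIDIA install paths are an assumption, and ApcHelper.sys is the only name taken from the page.

```python
"""Triage kernel-driver loads against leaked-signer and advisory IoCs (added example)."""
from dataclasses import dataclass
from typing import Optional

# Signers whose code-signing certificates are publicly known to have leaked.
# Only the NVIDIA leak is named on the page; the string is the certificate
# subject as Sysmon reports it in the Signature field (assumption).
LEAKED_SIGNERS = {"NVIDIA Corporation"}

# Where drivers from that signer are expected to live (assumption: anything
# else signed by NVIDIA is worth a look). Lowercase prefixes for comparison.
EXPECTED_PATH_PREFIXES = {
    "NVIDIA Corporation": (
        r"c:\windows\system32\driverstore\filerepository\nv",
        r"c:\windows\system32\drivers\nv",
    ),
}

# Driver file names the advisory ties to this campaign.
KNOWN_BAD_NAMES = {"apchelper.sys"}


@dataclass
class Finding:
    image: str
    reason: str


def triage_driver_load(event: dict) -> Optional[Finding]:
    """Return a Finding for a suspicious Sysmon Event 6 record, else None."""
    image = event.get("ImageLoaded", "")
    name = image.rsplit("\\", 1)[-1].lower()
    signer = event.get("Signature", "")
    status = event.get("SignatureStatus", "")

    if name in KNOWN_BAD_NAMES:
        return Finding(image, "driver name matches advisory IoC")
    if signer in LEAKED_SIGNERS:
        prefixes = EXPECTED_PATH_PREFIXES.get(signer, ())
        if not image.lower().startswith(prefixes):
            return Finding(image, f"signed by leaked signer {signer!r} "
                                  f"(status {status}) from unexpected path")
    return None


def triage_all(events):
    """Run triage_driver_load over a batch and keep only the findings."""
    return [f for f in (triage_driver_load(e) for e in events) if f]


# Constructed sample records (field names follow Sysmon Event ID 6).
SAMPLE_DRIVER_LOADS = [
    {"ImageLoaded": r"C:\Windows\System32\DriverStore\FileRepository\nv_dispi.inf_amd64_0\nvlddmkm.sys",
     "Signed": "true", "Signature": "NVIDIA Corporation", "SignatureStatus": "Valid"},   # legitimate GPU driver
    {"ImageLoaded": r"C:\Windows\Temp\ApcHelper.sys",
     "Signed": "true", "Signature": "NVIDIA Corporation", "SignatureStatus": "Expired"}, # advisory IoC
    {"ImageLoaded": r"C:\Users\Public\nvupd.sys",
     "Signed": "true", "Signature": "NVIDIA Corporation", "SignatureStatus": "Valid"},   # leaked signer, odd path
    {"ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},    # routine
]

if __name__ == "__main__":
    for finding in triage_all(SAMPLE_DRIVER_LOADS):
        print(f"{finding.image}: {finding.reason}")
```

In production the same rule belongs in the SIEM or EDR query language rather than a script, and the leaked-signer list should be fed from the vendor's revocation notice plus the Microsoft vulnerable-driver blocklist rather than maintained by hand.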