Home » Cuba Ransomware Targeting Critical Infrastructure, Feds Warn

Cuba Ransomware Targeting Critical Infrastructure, Feds Warn

0 comment

Fraud Management & Cybercrime

Digital Extortion Nets Criminial Gang $60 Million(@prajeetspeaks) o
December 2, 2022 A kitschy revoluntionary mural in Havana, Cuba. (Image: Library of Congress)

Extortion demands by operators of Cuba ransomware have netted $60 million for the criminal gang, estimates the U.S. federal government in a warning that number of American entities falling victim to its attacks has doubled over the past year.

See Also: Live Webinar How To Meet Your Zero Trust Goals Through Advanced Endpoint Strategies

Cuba operators actively target critical infrastructure sectors including financial institutions, government buildings, the healthcare sector, manufacturing and information technology. The gang is yet another ransomware outfit in which attackers steal data before leaving systems maliciously encrypted, then leak the data to try and force recalcitrant victims to pay. The gang earns its name from the “.cuba” extension it adds to encrypted files and its predilection from revolutionary-kitsch artwork.

There is no indication that it has any connection with the country of the same name, says the FBI and the Cybersecurity and Infrastructure Agency in in a joint advisory.

The FBI spotted Cuba ransomware actors compromising more than 100 entities worldwide. Among its victims: the government of Montenegro, which in August took offline multiple government websites and services amid what officials characterize as a targeted cyberattack (see: Cuba Ransomware Gang Takes Credit for Attacking Montenegro).

The latest warning is a follow-up to a December 2021 FBI alert published by the FBI that pegged Cuba’s extortion haul at $43.9 million.

The group has modified its techniques over the past half year, the two agencies say, noting reports about an apparent link between Cuba ransomware actors and RomCom RAT actors, and Industrial Spy ransomware actors.

The agencies cite a report from Palo Alto Networks finding that Cuba uses RomCom for command and control and that around May, Cuba began selling its data on Industrial Spy’s online market for selling stolen data.

The agencies also say Industrial Spy ransomware shares distinct similarities in configuration to Cuba ransomware and that reporting about a compromise of a foreign healthcare company noted that Cuba deployed the RomCom RAT.

The Palo Alto report notes that Cuba has exploited CVE-2022-24521 in the Windows Common Log File System driver to steal system tokens and elevate privileges, used PowerShell script for reconnaissance, deployed a tool called KerberCache to crack Kerberos tickets offline via Kerberoasting exploited CVE-2020-1472 to gain administrative privileges (see: Windows Common Log File System Driver 0-Day Gets a Close-Up).

The alert also warns that Cuba has used a dropper that writes a kernel driver to the file system called ApcHelper.sys, which targets and terminates security products. The dropper was not signed, but the kernel driver was signed using the certificate found in the LAPSUS NVIDIA leak.

You may also like

Leave a Comment


Cybernonstop is created to bring news and knowledge through articles to visitors.

Do not forget to subscribe.

Laest News

@2021 – All Right Reserved. Designed and Developed by PenciDesign