The FBI and CISA revealed in a new joint security advisory that the Cuba ransomware gang had collected more than $60 million in ransoms as of August 2022 after compromising more than 100 entities worldwide.
This is a follow-up to another notice published a year ago, which warned that the cybercrime group had compromised dozens of organizations in critical infrastructure sectors in the United States, earning more than $40 million since it began targeting American companies.
“Since the release of the December 2021 FBI Flash, the number of US entities compromised by Cuba ransomware has doubled, with ransoms demanded and paid increasing,” the two federal agencies warned today.
“The FBI observed that Cuba ransomware actors continued to target U.S. entities in the following five critical infrastructure sectors: financial services, government facilities, healthcare and public health, critical manufacturing, and information technology.”
According to FBI estimates, the Cuba ransomware gang compromised more than 100 entities worldwide through August, collecting at least $60 million in ransom payments after demanding more than $145 million.
The FBI and CISA added that the ransomware gang has expanded its tactics, techniques, and procedures (TTPs) since the start of the year and has been linked to the RomCom Remote Access Trojan (RAT) and Industrial Spy ransomware (as BleepingComputer first reported in May).
While the advisory paints a grim picture, samples submitted to the ID-Ransomware platform for analysis suggest that the gang is not very active, a sign that even a relatively low-volume ransomware operation can have a huge impact on its victims.
Malware Downloader Delivery
Cuba ransomware payloads are delivered by Hancitor, allowing operators to more easily access previously compromised corporate networks.
The Hancitor malware downloader (aka Chanitor) is known to drop infostealers, remote access Trojans (RATs), and other types of ransomware on infected systems.
The malware is delivered to victim systems via phishing emails, stolen credentials, Microsoft Exchange exploits, or Remote Desktop Protocol (RDP) tools.
After gaining a foothold on infected devices within their targets’ networks, Cuba ransomware threat actors use legitimate Windows services (e.g., PowerShell, PsExec, and various other unspecified services) to deploy payloads remotely and encrypt files, appending the “.cuba” extension.
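The two observables in that paragraph, remote deployment with PsExec and encrypted files carrying the “.cuba” extension, are what a defender would look for first. The following Python is an added triage example, not code from the advisory or from BleepingComputer: it counts “.cuba” files per host from a file listing and flags Windows System-log event 7045 (“a service was installed”) records whose service name is PSEXESVC, the default service PsExec installs on a remote host. The event ID and service name are general Windows knowledge rather than advisory content, and the file listing and log records below are constructed for the example.

```python
"""Triage helpers for the Cuba ransomware TTPs described in the advisory.

Indicators checked over constructed sample data:
  1. A burst of files carrying the ".cuba" extension on one host (mass encryption).
  2. Windows System-log event 7045 whose service name is PSEXESVC, the default
     service PsExec installs remotely (assumption: the operator did not rename it).
"""
from collections import Counter

CUBA_EXTENSION = ".cuba"          # extension named in the advisory
PSEXEC_SERVICE_NAME = "PSEXESVC"  # PsExec default remote service name (general knowledge)
SERVICE_INSTALL_EVENT_ID = 7045   # System log: "A service was installed in the system"

# Constructed sample: (hostname, full path) tuples as a file-server scan might yield.
SAMPLE_FILE_LISTING = [
    ("FS01", r"\\FS01\finance\Q3-report.xlsx.cuba"),
    ("FS01", r"\\FS01\finance\budget.docx.cuba"),
    ("FS01", r"\\FS01\finance\README.txt"),
    ("FS01", r"\\FS01\finance\vendors.csv.cuba"),
    ("WS17", r"C:\Users\jdoe\Documents\notes.txt"),
    ("WS17", r"C:\Users\jdoe\Documents\archive.zip.cuba"),  # single hit, below threshold
]

# Constructed sample: simplified Windows System-log records.
SAMPLE_SYSTEM_EVENTS = [
    {"host": "FS01", "event_id": 7045, "service_name": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe", "account": "CORP\\svc-backup"},
    {"host": "FS01", "event_id": 7036, "service_name": "PSEXESVC",
     "image_path": "", "account": ""},  # state change, not an install
    {"host": "WS17", "event_id": 7045, "service_name": "WdNisSvc",
     "image_path": r"C:\ProgramData\Microsoft\Windows Defender\Platform\NisSrv.exe",
     "account": "SYSTEM"},  # legitimate service install, must not alert
]


def encrypted_file_hosts(listing, threshold=3):
    """Return {host: count} for hosts with at least `threshold` files ending in .cuba.

    A threshold avoids alerting on a single stray file while still catching the
    many-files-at-once pattern that mass encryption produces.
    """
    counts = Counter(host for host, path in listing
                     if path.lower().endswith(CUBA_EXTENSION))
    return {host: n for host, n in counts.items() if n >= threshold}


def psexec_service_installs(events):
    """Return (host, installing account) pairs where event 7045 recorded PSEXESVC."""
    return [
        (e["host"], e.get("account", ""))
        for e in events
        if e.get("event_id") == SERVICE_INSTALL_EVENT_ID
        and e.get("service_name", "").upper() == PSEXEC_SERVICE_NAME
    ]


def triage(listing, events, threshold=3):
    """Combine both indicators into plain-text alerts, one line per finding."""
    alerts = []
    for host, n in sorted(encrypted_file_hosts(listing, threshold).items()):
        alerts.append(f"{host}: {n} files with {CUBA_EXTENSION} extension "
                      "(possible mass encryption)")
    for host, account in psexec_service_installs(events):
        alerts.append(f"{host}: PsExec service {PSEXEC_SERVICE_NAME} installed "
                      f"by {account or 'unknown'}")
    return alerts


if __name__ == "__main__":
    for line in triage(SAMPLE_FILE_LISTING, SAMPLE_SYSTEM_EVENTS):
        print(line)
```

PsExec is also used legitimately by administrators, so the service-install hit is a lead to correlate with the installing account and time rather than an alert on its own; the extension count is the stronger signal and corresponds to the “benign sample of an encrypted file” the FBI asks victims to preserve.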
In today’s advisory, the FBI asked those who detect Cuba ransomware activity within their networks to share related information with their local FBI Cyber Squad.
Useful information that could help identify members of the ransomware gang and the cybercriminals they work with includes “boundary logs showing communications to and from foreign IP addresses, a sample ransom note, communications with the ransomware actors, bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.”
The FBI added that while it does not encourage ransomware payments because there is no guarantee that payment will prevent data leaks or future attacks, victims should report attacks as soon as possible to their local FBI field offices.
Organizations at risk of being targeted by this ransomware operation are advised to prioritize patching known exploited vulnerabilities, train their employees and users to spot and report phishing attacks, and apply multi-factor authentication (MFA) in their environment.