Ransomware Cuba

 



About Cuba Ransomware

Russia-based Cuba ransomware is one of the world's most profitable ransomware outfits. It mainly targets the USA and its organizations. It was discovered in 2019. According to data, this threat group has compromised 101 entities (65 in the US and 36 elsewhere) so far. Its operators have demanded a total of $145 million in ransom payments and received around $60 million. It is affiliated with the small but disproportionately high-impact threat actors RomCom and Industrial Spy.

Cuba uses relatively unsophisticated, standard commercial software packing techniques, confirming that it is the product of a small but talented group of profit-seeking individuals. It is deployed selectively via a big game hunting strategy. It generally targets high-profile financial services organizations, the government sector, the healthcare sector, critical infrastructure and the IT sector.

Reportedly, Cuba operators deliver decryption packages to decrypt a victim's files once the demanded ransom is paid. Against those who refuse to pay, however, they use a double-extortion tactic and may publish the stolen data and documents after the refusal.

How does Cuba attack?

When Cuba was first discovered, there was no evidence of any prior failed login attempts or any kind of brute-forcing or exploitation of vulnerabilities. However, researchers from BlackBerry found out that these threat actors had previously used initial access brokers to obtain credentials. 

After intruding into the network, Cuba deploys its own custom-made downloader, BUGHATCH. This downloader then connects to a command-and-control (C2) server and starts downloading the attacker's payload.

Cuba also uses another interesting piece of malware named BURNTCIGAR, which can carry out Bring Your Own Vulnerable Driver (BYOVD) attacks. It can easily exploit input/output control (IOCTL) codes to terminate kernel-level processes en masse. BURNTCIGAR has eliminated more than 200 processes associated with anti-malware endpoint products.

Cuba is also known for stealthily covering its tracks inside a network for more than two months before taking out anti-malware and endpoint protections. 
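A defender-side detection example for the BURNTCIGAR behaviour described above, added here and not taken from the original post or from any vendor: it flags a burst of security-tool process exits and attaches any driver that was loaded shortly beforehand. The events are constructed in the style of Sysmon event IDs 6 (driver loaded) and 5 (process terminated); the process names, paths, threshold and time windows are assumptions.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed events shaped like Sysmon records (ID 6 = driver loaded,
# ID 5 = process terminated). Every name is a placeholder, not a real indicator.
SAMPLE_EVENTS = [
    {"time": "2023-01-10T02:14:00", "id": 6, "image": r"C:\Windows\Temp\placeholder_vuln.sys"},
    {"time": "2023-01-10T02:15:01", "id": 5, "image": r"C:\Program Files\ExampleEDR\edr_agent.exe"},
    {"time": "2023-01-10T02:15:02", "id": 5, "image": r"C:\Program Files\ExampleAV\av_service.exe"},
    {"time": "2023-01-10T02:15:02", "id": 5, "image": r"C:\Windows\System32\notepad.exe"},
    {"time": "2023-01-10T02:15:03", "id": 5, "image": r"C:\Program Files\ExampleAV\av_tray.exe"},
    {"time": "2023-01-10T09:30:00", "id": 5, "image": r"C:\Program Files\ExampleAV\av_tray.exe"},
]

# Assumption: an inventory of the security-tool process names deployed locally.
WATCHED = {"edr_agent.exe", "av_service.exe", "av_tray.exe"}


def detect_mass_termination(events, watched, threshold=3,
                            window=timedelta(seconds=60),
                            driver_lookback=timedelta(minutes=10)):
    """Alert when `threshold` distinct watched processes exit inside `window`,
    attaching any driver loaded within `driver_lookback` before the burst."""
    drivers, recent, alerts = [], deque(), []
    in_burst = False
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["id"] == 6:
            drivers.append((ts, ev["image"]))
            continue
        name = ev["image"].rsplit("\\", 1)[-1].lower()
        if ev["id"] != 5 or name not in watched:
            continue
        recent.append((ts, name))
        while ts - recent[0][0] > window:      # drop exits older than the window
            recent.popleft()
        killed = sorted({n for _, n in recent})
        if len(killed) < threshold:
            in_burst = False                   # burst over; re-arm the alert
        elif not in_burst:
            in_burst = True
            start = recent[0][0]
            alerts.append({
                "start": start.isoformat(),
                "terminated": killed,
                "drivers": [d for t, d in drivers if start - driver_lookback <= t <= start],
            })
    return alerts
```

In production the threshold and windows would be tuned against normal patching and upgrade activity, which also stops several security processes at once.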

Prevention

General methods to combat a ransomware attack are as follows:
  • Enforce strong password policies and multi-factor authentication for all critical services.
  • Use updated or modern Identity and Access Management (IAM) tools.
  • Employ advanced endpoint security products on all endpoints.
  • Regularly update all software and operating systems.
  • Take a least-privilege approach to security, including removing all unnecessary access to administrative shares and other services.
  • Maintain a solid backup strategy, including offline, encrypted, and immutable backups of data.

























































