Cuba Ransomware Hit 49 Critical Infrastructure Companies, Extracted $44m in Ransom

essidsolutions

The FBI has raised an alarm about the Cuba ransomware gang compromising critical infrastructure companies at an alarming rate and with great success. The cybercriminals have extracted at least $43.9 million in ransom payments from at least 49 entities in five critical infrastructure sectors over the past year.

Not too long ago, law enforcement agencies broadcasted a string of significant successes in the fight against ransomware cartels. These included the dismantling of DarkSide, BlackMatter, and REvil ransomware infrastructures and sanctioning a Russian cryptocurrency exchange frequented by cybercriminals. However, as we saw in the case of REvil, ransomware operators have mastered the art of setting up new criminal infrastructure as soon as existing ones are dismantled.

This is why cybercriminals continue, unabated, to collect vast sums of ransom in untraceable cryptocurrency. In October, the U.S. Treasury Department said that victim organizations paid a total of $590 million to ransomware operators in the first six months of 2021. A Mimecast survey also revealed that 39% of organizations paid a ransom to restore operations, with U.S.-based organizations paying $6,312,190 on average.

Earlier in December, the FBI raised an alert about a rarely-heard-of but effective ransomware gang prowling the critical infrastructure street. The Cuba ransomware gang, it said, had compromised at least 49 entities in five critical infrastructure sectors by early November. Targeting financial, government, healthcare, manufacturing, and IT organizations, the gang demanded $74 million and received at least $43.9 million in ransom payments.


The scale of the attack, which also led to AFTS’ clients suffering large-scale breaches, immediately put the ransomware gang under the spotlight. Even though it curiously chose the name Cuba and used pictures of Fidel Castro and Ernesto Che Guevara in its branded images, the gang is possibly composed of Russian-speaking cybercriminals. In May, Israeli cybersecurity firms Profero and Security Joes said they spotted a typo made by the gang during a conversation with one of its victims. The typo indicated the gang was translating words like ‘server’ from Russian to English.

The two firms also found evidence to conclude that the Cuba ransomware gang wasn’t state-sponsored. “We believe the attackers are not state-sponsored, instead operating simply as a threat group. They are fast-acting, and seem to prefer to communicate via email — they generally launch their attacks by setting up email accounts to initiate communication a few days in advance of deploying ransomware,” the firms said.

Mode of Attack

According to the FBI, the Cuba ransomware gang leverages tried-and-tested attack techniques to conduct successful ransomware infiltration. These techniques often combine targeted phishing emails with malware loaders, PowerShell scripts, and executable files. While phishing remains the preferred vector for the gang, it also exploits Microsoft Exchange vulnerabilities, compromised credentials, or legitimate Remote Desktop Protocol (RDP) tools to infiltrate IT networks.

The initial payload that drops the Cuba ransomware in infiltrated networks is the Hancitor malware, a loader known for dropping or executing stealers, such as Remote Access Trojans (RATs) and other kinds of malware. Once the ransomware makes it inside a network, the gang uses legitimate Windows services, such as PowerShell, PsExec, and other unspecified services and leverages Windows Admin privileges to execute it.

Once it is installed, Cuba downloads two executable files, one of which is then used by the gang to write to the system’s TMP file. The updated TMP file is uploaded and executed to enable the system to communicate with a remote malware repository. The gang also leverages the Mimikatz malware to steal credentials, uses stolen credentials to log in to the compromised host network, and communicates with it using a CobaltStrike server.


Is There a Way to Stop It?

Like every other ransomware variant, Cuba uses tried-and-tested infiltration techniques that involve the exploitation of software vulnerabilities, the vulnerable human factor, and poor security controls to infiltrate IT networks and encrypt files. As such, organizations should devote attention to practicing cyber hygiene aside from deploying robust security solutions.

First, the FBI recommends that organizations secure all accounts that use password logins and enable multi-factor authentication to prevent intrusions. They should remove unnecessary access to administrative shares, especially ADMIN$ and C$, and use host-based firewalls so that connections to administrative shares over SMB are allowed only from a limited set of administrator machines. Keeping all operating systems and software up to date should also be the foremost priority.

To prevent malicious actors from mapping systems and networks, organizations should segment networks to control traffic flows between sub-networks and restrict adversary lateral movement. Network monitoring tools, such as endpoint detection and response (EDR) tools, can help detect ransomware early so that organizations can stop the threat at the outset. Organizations can also disable command-line and scripting activities, maintain offline backups, and implement time-based access to accounts with admin privileges to prevent third-party access to network resources.
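The administrative-share recommendation above is easy to state and easy to drift away from, so it is worth auditing rather than assuming. The following is an added example, not from the article or the FBI alert: a parser for the Windows `.reg` export format that checks the registry values controlling automatic creation of the ADMIN$ and C$ shares (`AutoShareServer` for servers, `AutoShareWks` for workstations, both under `LanmanServer\Parameters`) and, going one step beyond the text on the RDP entry vector the article mentions, whether RDP requires Network Level Authentication (`UserAuthentication` under `RDP-Tcp`). The key names are real Windows settings; the export text and its values are constructed for the example.

```python
"""Audit a Windows .reg export for admin-share and RDP settings (added example).

The parser understands the two value types that matter here, dword and
string, and returns a flat {(key_path, value_name): value} map; the audit
then compares the values against the hardened setting for each check.
The embedded export is constructed, not taken from a real host.
"""
import re

# Constructed .reg export showing the weak settings a default host may carry.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"AutoShareServer"=dword:00000001
"AutoShareWks"=dword:00000001
"NullSessionPipes"=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"UserAuthentication"=dword:00000000
"""

# Each check: (key path, value name, expected dword, finding text).
CHECKS = [
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters",
     "AutoShareServer", 0, "server creates ADMIN$/C$ shares automatically"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters",
     "AutoShareWks", 0, "workstation creates ADMIN$/C$ shares automatically"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp",
     "UserAuthentication", 1, "RDP does not require Network Level Authentication"),
]

KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^"([^"]+)"=(.+)$')


def parse_reg(text: str) -> dict[tuple[str, str], object]:
    """Parse .reg export text into {(key_path, value_name): value}.

    dword values become ints; quoted strings become str. Other value types
    (hex:, expand strings) are kept as their raw text so nothing is silently lost.
    """
    values: dict[tuple[str, str], object] = {}
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        key_match = KEY_LINE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        value_match = VALUE_LINE.match(line)
        if value_match and current_key is not None:
            name, data = value_match.groups()
            if data.lower().startswith("dword:"):
                values[(current_key, name)] = int(data[6:], 16)
            elif data.startswith('"') and data.endswith('"'):
                values[(current_key, name)] = data[1:-1]
            else:
                values[(current_key, name)] = data
    return values


def audit(text: str) -> list[str]:
    """Return one finding per check whose value is absent or not at the hardened setting.

    A missing AutoShare* value means the Windows default applies, which is to
    create the shares, so absence is reported as a finding too.
    """
    values = parse_reg(text)
    findings = []
    for key, name, expected, message in CHECKS:
        actual = values.get((key, name))
        if actual != expected:
            findings.append(f"{name}={actual!r} (expected {expected}): {message}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_REG_EXPORT):
        print("FINDING:", finding)
```

Setting `AutoShareServer`/`AutoShareWks` to 0 stops the shares being recreated at service start; it does not replace the host-based firewall scoping of TCP 445 the FBI describes, since the two controls fail independently.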
