The Federal Bureau of Investigation (FBI) warned that the Cuba ransomware gang earned more than $43.9 million in ransom after compromising at least 49 critical infrastructure entities.
Despite its name, cyber forensic experts believe that the Cuba ransomware gang is based in Russia, a country suspected of harboring most cybercriminals.
According to the FBI, Cuba ransomware gang victims include (but are not limited to) organizations in the financial, government, healthcare, manufacturing, and information technology sectors.
The FBI noted that Cuba ransomware actors had demanded up to $74 million in ransom payments.
Cuba ransomware gang partners with Hancitor malware operators
The FBI traced Cuba ransomware infection to Hancitor malware that leverages phishing campaigns, Microsoft Exchange vulnerabilities, compromised credentials, and brute-forcing remote desktop protocol (RDP) tools.
The malware gang adds compromised devices to a botnet to run a malware-as-a-service (MaaS) infrastructure and shares it with other ransomware groups.
“Cuba ransomware is distributed through Hancitor malware, a loader known for dropping or executing stealers, such as Remote Access Trojans (RATs) and other types of ransomware, onto victims’ networks,” the FBI wrote.
In April, McAfee had noted that there was no evidence connecting the two groups, suggesting that the collaboration is a new partnership.
FBI publishes the indicators of compromise and TTPs employed by the Cuba ransomware gang
The FBI released the indicators of compromise (IoCs) and the tactics, techniques, and procedures (TTPs) employed by the ransomware gang to help organizations defend against Cuba ransomware attacks.
According to the FBI flash alert, the Cuba ransomware gang uses legitimate Windows services such as PowerShell and PsExec, together with Windows admin privileges, to execute its malware before dropping a Cobalt Strike beacon.
The malware also drops two additional payloads: “pones.exe”, which steals passwords, and “krots.exe”, which writes to a temporary “TMP” file. That file contains API calls related to memory injection.
“One of the initial PowerShell script functions allocates memory space to run a base64-encoded payload,” according to the FBI.
The “krots.exe” file is deleted after the TMP file is successfully uploaded to a command-and-control server. On execution, the TMP file deletes itself and the compromised network begins communicating with C2 servers.
“Once this payload is loaded into memory, it can be used to reach the remote command-and-control (C2) server and then deploy the next stage of files for the ransomware. The remote C2 server is located at the malicious URL kurvalarva.com,” the FBI explained.
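The loader behaviour the FBI describes (a PowerShell function that allocates memory and then runs a base64-encoded payload) is the kind of thing script-block logging can surface. The following is an added example, not code from the FBI alert or this article: it triages constructed PowerShell script-block text and flags blocks that both reference a memory-injection API and carry a decodable base64 blob. The API list, the sample lines and the thresholds are assumptions chosen for illustration.

```python
import base64
import re

# Constructed PowerShell script-block text, modelled on what Windows writes to
# the Microsoft-Windows-PowerShell/Operational log (Event ID 4104). Neither
# line comes from the FBI alert; both are made up for this example.
CONSTRUCTED_BLOB = base64.b64encode(b"constructed-payload-bytes-" * 6).decode()
SAMPLE_SCRIPT_BLOCKS = [
    # Routine administration: no memory allocation, no encoded blob.
    "Get-Service | Where-Object {$_.Status -eq 'Running'} | Export-Csv C:\\temp\\svc.csv",
    # Loader pattern: decode a base64 blob, allocate RWX memory, copy it in.
    "$b = [Convert]::FromBase64String('" + CONSTRUCTED_BLOB + "'); "
    "$a = [Win32]::VirtualAlloc(0, $b.Length, 0x3000, 0x40); "
    "[System.Runtime.InteropServices.Marshal]::Copy($b, 0, $a, $b.Length)",
]

# Memory-injection primitives commonly reached from PowerShell via P/Invoke or Marshal
# (assumed list; extend from your own telemetry).
MEMORY_APIS = ("VirtualAlloc", "Marshal]::AllocHGlobal", "Marshal]::Copy", "CreateThread")
# A run of 40+ base64-alphabet characters that is not part of a longer token.
B64_RE = re.compile(r"(?<![A-Za-z0-9+/])([A-Za-z0-9+/]{40,}={0,2})(?![A-Za-z0-9+/=])")


def decoded_blob_sizes(text):
    """Return the decoded byte length of every well-formed base64 blob in text."""
    sizes = []
    for candidate in B64_RE.findall(text):
        try:
            sizes.append(len(base64.b64decode(candidate, validate=True)))
        except ValueError:  # not valid base64 (binascii.Error is a ValueError)
            continue
    return sizes


def score_script_block(text):
    """Flag a block that both references a memory API and carries a decodable blob."""
    apis = [api for api in MEMORY_APIS if api in text]
    sizes = decoded_blob_sizes(text)
    return {"apis": apis, "decoded_sizes": sizes, "suspicious": bool(apis and sizes)}


def triage(script_blocks):
    """Return (index, score) for every block that meets both conditions."""
    return [(i, s) for i, s in enumerate(map(score_script_block, script_blocks)) if s["suspicious"]]


if __name__ == "__main__":
    for index, finding in triage(SAMPLE_SCRIPT_BLOCKS):
        print(f"block {index}: APIs {finding['apis']}, decoded payload bytes {finding['decoded_sizes']}")
```

Requiring both conditions keeps ordinary administration scripts (and long certificate or connection strings without any allocation calls) out of the alert queue.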
The Cuba ransomware gang also uses Mimikatz to steal login credentials and then signs into the compromised network over an RDP connection. Initially, the ransomware group used various infostealers such as Vawtrak and Ficker to steal passwords.
Lastly, Cuba ransomware encrypts documents and appends a “.cuba” extension to the encrypted files.
“Cuba ransomware is known to target victims’ personal files such as photos, videos, and documents,” said Anurag Gurtu, CPO at StrikeReady. “This attack involves using CryptGenRandom API call to generate keys for encryption of files using a custom algorithm. It’s not uncommon to see this ransomware gang using a Russian linked malware – Hancitor, aka Chanitor malware.”
Gurtu further noted that Hancitor spreads through social engineering campaigns involving weaponized Microsoft Office documents with macros.
“And its attack chain often begins with the threat actor sending out fake DocuSign malspam emails, which results in a victim unknowingly downloading a Trojanized Microsoft Word document,” he continued. “Once the fake DocuSign document is opened and its malicious macro code is allowed to run, Hancitor will reach out to its command and control (C2) infrastructure to receive a malicious URL containing a sample of Ficker to download.”
How to protect critical infrastructure entities from Cuba ransomware attacks
The FBI alert did not identify specific critical infrastructure entities and government agencies compromised by the Cuba ransomware gang.
However, some past victims include the Seattle-based payment processor Automatic Funds Transfer Services. AFTS provides printing, billing, and payment services to California’s Department of Motor Vehicles. The breach not only affected the California DMV but also several Washington cities such as Redmond, Auburn, Kirkland, Lynnwood, Puyallup, and Monroe.
The FBI advised critical infrastructure entities and other organizations to implement security best practices. The agency recommended using strong passwords, enabling multi-factor authentication, and patching operating systems and applications on time to prevent potential compromise.
Additionally, critical infrastructure operators should regularly back up data, maintain offline copies, and remove unnecessary network shares. They should also implement network segmentation and cyber incident recovery plans.