
CISA and FBI: Cuba Ransomware Alert

Updated on 2022-12-03: CISA and FBI: Cuba Ransomware Alert

In a joint advisory, the US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) warn that the Cuba ransomware group has struck more than 100 organizations around the world, and the number of infections in the US has doubled. The advisory is part of the agencies’ #StopRansomware effort. It “updates the December 2021 FBI Flash: Indicators of Compromise Associated with Cuba Ransomware.”


  • Note there is no indication that the Cuba ransomware actors have any affiliation or connection with the Republic of Cuba. The main targets are financial services, government, healthcare and public health, critical manufacturing, and IT. The attackers use known bugs (CVE-2022-24521, CVE-2020-1472), phishing, compromised credentials and RDP to gain access, then use the Hancitor loader to drop their ransomware. Count this gang in the double ransom category – one payment to decrypt, another to not post your data. Grab the IOCs from the CISA alert, make sure that you’re really doing comprehensive MFA on anything Internet accessible, and track patching/updating, prioritizing boundary protection, remote access and Internet-facing services. Take a breath, then go back and make sure that your SOC is actively monitoring and responding to abnormal activity, make sure that you’re enabling available security alerts such as impossible logins, refresh your coffee and review the alert for anything else you can do. Hopefully this is all already in place.
  • Fast forward a year from the initial warning about this ransomware gang: technical details updated; indicators of compromise updated; TTPs mapped to MITRE ATT&CK; and mitigations updated. Meanwhile the gang continues to exceed its yearly business objectives. The only way to ‘stop ransomware effort’ is to automate the processes around configuration and vulnerability management.
  • We should be resisting ransomware, not looking for it. The window between the initial breach and the success of ransomware is short and shrinking. One is not likely to detect it in this window. At the end of the window, it will announce itself.
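The first bullet above recommends enabling "impossible login" alerts. The following is an added example, not code from the advisory or from this page, of what that check looks like over authentication events: two successful logins for the same account whose implied travel speed exceeds what a flight could cover are flagged. The geo-IP table, the log format and the sample events are constructed stand-ins.

```python
# Added example (not from the advisory or this page): impossible-travel
# detection over constructed login events. The geo-IP table is a stand-in
# for a real lookup service; IPs are RFC 5737 documentation addresses.
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

GEOIP = {  # constructed (lat, lon) lookups
    "203.0.113.10": (1.3521, 103.8198),  # Singapore
    "198.51.100.7": (40.7128, -74.0060),  # New York
    "192.0.2.55": (1.2900, 103.8500),     # Singapore, nearby
}
MAX_SPEED_KMH = 1000.0  # faster than a commercial flight: impossible

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def parse_event(line):
    """Parse a constructed 'ISO-timestamp user ip RESULT' line into a dict."""
    ts, user, ip, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "ip": ip,
            "ok": result == "SUCCESS"}

def impossible_logins(lines, max_speed_kmh=MAX_SPEED_KMH):
    """Return (user, prev_ip, ip, speed_kmh) for each successful login that would
    need travel faster than max_speed_kmh since the user's previous success."""
    last = {}      # user -> (timestamp, ip) of previous successful login
    alerts = []
    for ev in sorted((parse_event(l) for l in lines), key=lambda e: e["ts"]):
        if not ev["ok"] or ev["ip"] not in GEOIP:
            continue   # failed logins and unknown IPs are skipped, not alerted
        prev = last.get(ev["user"])
        if prev:
            hours = (ev["ts"] - prev[0]).total_seconds() / 3600
            dist = haversine_km(GEOIP[prev[1]], GEOIP[ev["ip"]])
            speed = dist / hours if hours > 0 else float("inf")
            if dist > 0 and speed > max_speed_kmh:
                alerts.append((ev["user"], prev[1], ev["ip"], round(speed)))
        last[ev["user"]] = (ev["ts"], ev["ip"])
    return alerts

SAMPLE_LOG = [  # constructed: alice "travels" Singapore -> New York in 30 min
    "2022-12-01T08:00:00 alice 203.0.113.10 SUCCESS",
    "2022-12-01T08:30:00 alice 198.51.100.7 SUCCESS",
    "2022-12-01T08:40:00 alice 198.51.100.7 FAILURE",
    "2022-12-01T09:00:00 bob 203.0.113.10 SUCCESS",
    "2022-12-01T10:00:00 bob 192.0.2.55 SUCCESS",
]
```

Running `impossible_logins(SAMPLE_LOG)` flags only alice's second login; bob's short hop within Singapore stays below the speed threshold.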


Updated on 2022-12-02

A joint advisory by CISA and the FBI revealed that the Cuba ransomware group attacked 100 organizations worldwide between December 2021 and August 2022, raking in $60 million. Read more: CISA: Cuba ransomware group has stolen $60 million from at least 100 organizations

Updated on 2022-12-01

CISA and the FBI have published a joint report with TTPs for the Cuba ransomware. While the ransomware has been active since December 2021, the two agencies note that this year the ransomware has gone through considerable updates, including what appears to be a working relationship between Cuba operators and the RomCom RAT team and the Industrial Spy ransomware gang. Read more: Alert (AA22-335A) #StopRansomware: Cuba Ransomware

Updated on 2022-10-25

CERT-UA warned of a rising volume of Cuba ransomware attacks against local critical infrastructure. The attacks are conducted by Tropical Scorpius using the RomCom backdoor. Read more: The Ukraine Computer Emergency Response Team (CERT-UA) warns of Cuba Ransomware attacks against critical networks in the country.

Overview: Montenegro Ransom

Montenegro got hit with Cuba ransomware and a $10 million demand as part of widescale cyberattacks on the country’s infrastructure. The attackers are likely Russian, and the FBI is helping because Montenegro used to be a Russian ally and is now part of NATO. Read more: Montenegro hit by ransomware attack, hackers demand $10 million

Alex Lim is a certified IT Technical Support Architect with over 15 years of experience in designing, implementing, and troubleshooting complex IT systems and networks. He has worked for leading IT companies, such as Microsoft, IBM, and Cisco, providing technical support and solutions to clients across various industries and sectors. Alex has a bachelor’s degree in computer science from the National University of Singapore and a master’s degree in information security from the Massachusetts Institute of Technology. He is also the author of several best-selling books on IT technical support, such as The IT Technical Support Handbook and Troubleshooting IT Systems and Networks. Alex lives in Bandar, Johore, Malaysia with his wife and two children.
