CISA and FBI: Cuba Ransomware Alert

Updated on 2022-12-03: CISA and FBI: Cuba Ransomware Alert

In a joint advisory, the US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) warn that the Cuba ransomware group has struck more than 100 organizations around the world, and the number of infections in the US has doubled. The advisory is part of the agencies’ #StopRansomware effort. It “updates the December 2021 FBI Flash: Indicators of Compromise Associated with Cuba Ransomware.”

Note

• Note there is no indication that the Cuba Ransomware actors have any affiliation or connection with the Republic of Cuba. The main targets are financial services, government, healthcare and public health, critical manufacturing, and IT. The attackers use known bugs (CVE-2022-24521, CVE-2020-1472), phishing, compromised credentials and RDP to gain access, then use the Hancitor loader to drop their ransomware. Count this gang in the double ransom category – one payment to decrypt, another to not post your data. Grab the IOCs of the CISA alert, make sure that you’re really doing comprehensive MFA on anything Internet accessible, track patching/updating, prioritizing boundary protection, remote access and Internet facing services. Take a breath, now go back and make sure that your SOC is actively monitoring and responding to abnormal activity, make sure that you’re enabling available security alerts such as impossible logins, refresh your coffee and review the alert for anything else you can do. Hopefully this is all already in place.
• Fast forward a year from initial warning of this ransomware gang: technical details updated; indicators of compromise updated; TTPs mapped to Mitre ATT&CK; and mitigations updated. Meanwhile the gang continues to exceed its yearly business objectives. The only way to ‘stop ransomware effort’ is to automate the processes around configuration and vulnerability management.
• We should be resisting ransomware, not looking for it. The window between the initial breach and the success of ransomware is short and shrinking. One is not likely to detect it in this window. At the end of the window, it will announce itself

Read more in

• Alert (AA22-335A) #StopRansomware: Cuba Ransomware
• FBI warns about Cuba, no, not that one — the ransomware gang
• Cuba ransomware infections of US organizations have doubled in last year, feds say

Updated on 2022-12-02

A joint advisory by the CISA and the FBI revealed that the Cuba ransomware group attacked 100 organizations worldwide, between December 2021 and August 2022, raking in $60 million. Read more: CISA: Cuba ransomware group has stolen $60 million from at least 100 organizations

Updated on 2022-12-01

CISA and the FBI have published a joint report with TTPs for the Cuba ransomware. While the ransomware has been active since December 2021, the two agencies note that this year the ransomware has gone through considerable updates, including what appears to be a working relationship between Cuba operators and the RomCom RAT team and the Industrial Spy ransomware gang. Read more: Alert (AA22-335A) #StopRansomware: Cuba Ransomware

Updated on 2022-10-25

The CERT-UA warned against the rising volume of Cuba ransomware attacks against local critical infrastructure. The attacks are conducted by Tropical Scorpius by using the RomCom backdoor. Read more: The Ukraine Computer Emergency Response Team (CERT-UA) warns of Cuba Ransomware attacks against critical networks in the country.

Overview: Montenegro Ransom

Montenegro got hit with Cuba ransomware and a $10 million demand as part of widescale cyberattacks on the country’s infrastructure. The attackers are likely Russian, and the FBI is helping because Montenegro used to be a Russian ally and is now part of NATO. Read more: Montenegro hit by ransomware attack, hackers demand $10 million