The Cuba ransomware operation has returned to regular operations with a new version of its malware found used in recent attacks.
Cuba ransomware’s activity reached a peak in 2021 when it partnered with the Hancitor malware gang for initial access. By the end of the year, it had breached 49 critical infrastructure organizations in the United States.
This year started less impressive for the ransomware gang, with few new victims. However, Mandiant spotted signs of tactical changes and experimentation that indicated the group is still active.
Now, Trend Micro analysts report seeing a resurgence in Cuba infections, starting in March and continuing strong until April 2022.
Cuba has listed three victims in April and one in May on its Tor site. However, the attacks that resulted in the publication of these files likely unfolded earlier.
While these aren’t impressive figures compared to other ransomware operations, “Cuba” is generally more selective, hitting only large organizations.
New variant discovered
In late April, a new binary sampled by Trend Micro included minor additions and changes that make the malware more dangerous for targeted entities. More importantly, though, it shows that the operation is still alive and actively developing its encryptor.
While the updates to Cuba ransomware did not change much in terms of overall functionality, we have reason to believe that the updates aim to optimize its execution, minimize unintended system behavior, and provide technical support to the ransomware victims if they choose to negotiate. – Trend Micro
The malware now terminates more processes before encryption, including Outlook, MS Exchange, and MySQL. Ransomware encryptors terminate services to prevent those applications from locking files and preventing them from being encrypted.
Secondly, the exclusion list has been expanded with more directories and filetypes to be skipped during encryption. This helps maintain a working system after the attack and prevents execution loops that may result in corrupted files that can’t be restored, leaving victims with no incentive to pay for a decrypter.
Thirdly, the gang has updated its ransom notes, adding quTox for live victim support and stating that the threat actors will publish all stolen data on the Tor site if the demands aren’t met within three days.
The refinement of the Cuba ransomware variant can only mean that the group will continue to be a threat to organizations in the following months, mainly those located in North America.
Cuba ransomware remains secure at this time, so there’s no available decryptor that victims can use to recover their files for free.
Therefore, taking regular data backups, implementing network segmentation, and keeping all systems up to date would be the best approach to dealing with the threat.