The FBI and CISA revealed in a new joint security advisory that the Cuba ransomware gang raked in over $60 million in ransoms as of August 2022 after breaching more than 100 victims worldwide.
This is a follow-up to another advisory issued one year ago, which warned that the cybercrime group compromised dozens of organizations from U.S. critical infrastructure sectors, making over $40 million since it started targeting U.S. companies.
“Since the release of the December 2021 FBI Flash, the number of U.S. entities compromised by Cuba ransomware has doubled, with ransoms demanded and paid on the increase,” the two federal agencies warned today.
“FBI has observed Cuba ransomware actors continuing to target U.S. entities in the following five critical infrastructure sectors: Financial Services, Government Facilities, Healthcare and Public Health, Critical Manufacturing, and Information Technology.”
Per the FBI’s estimates, Cuba ransomware threat actors had compromised over 100 entities worldwide as of August, collecting at least $60 million in ransom payments after demanding over $145 million.
FBI and CISA added that the ransomware gang has expanded its tactics, techniques, and procedures (TTPs) since the start of the year and has been linked to the RomCom Remote Access Trojan (RAT) and Industrial Spy ransomware (as BleepingComputer first reported in May).
While the advisory paints a grim picture, samples submitted to the ID-Ransomware platform for analysis show that the gang is not very active, which demonstrates that even a relatively quiet ransomware operation can have a huge impact on its victims.
Malware downloader delivery
Cuba ransomware payloads are being delivered through Hancitor, allowing the operators to gain easier access to previously compromised enterprise networks.
The Hancitor (Chancitor) malware downloader is known for dropping information stealers, Remote Access Trojans (RATs), and other types of ransomware on infected systems.
The malware is being delivered to victims’ systems via phishing emails, stolen credentials, Microsoft Exchange exploits, or Remote Desktop Protocol (RDP) tools.
After gaining a foothold on infected devices within their targets’ networks, Cuba ransomware threat actors use legitimate Windows services (e.g., PowerShell, PsExec, and various other unspecified services) to deploy payloads remotely and encrypt files using the “.cuba” extension.
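The encryption stage described above leaves one concrete artifact a defender can alert on: a burst of files renamed to the “.cuba” extension on a single host. The following script is an added example, not code from the advisory, the FBI, or BleepingComputer. It reads a constructed, CSV-style file-activity log (columns timestamp,host,process,action,path) and flags any host on which at least a threshold number of renames to “.cuba” occur inside a sliding time window. The “.cuba” extension is the one the advisory names; the log format, host names, paths, the process name “payload.exe”, the window and the threshold are all assumptions made for this example.

```python
"""Flag hosts showing a burst of renames to the ".cuba" extension.

Added example (not from the advisory or the article). Input is a constructed
CSV-style file-activity log:  timestamp,host,process,action,path
The log format, host names, paths, process name, window and threshold are
assumptions made for this example; only the ".cuba" extension comes from the
advisory.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one benign rename, a six-file burst on srv01 by a
# constructed process name, and a single isolated rename on ws02.
SAMPLE_LOG = r"""
2022-08-01T10:00:01,srv01,explorer.exe,rename,C:\Users\alice\notes.txt
2022-08-01T10:02:10,srv01,payload.exe,rename,C:\Finance\q3.xlsx.cuba
2022-08-01T10:02:11,srv01,payload.exe,rename,C:\Finance\q2.xlsx.cuba
2022-08-01T10:02:11,srv01,payload.exe,rename,C:\Finance\budget.docx.cuba
2022-08-01T10:02:12,srv01,payload.exe,rename,C:\HR\payroll.csv.cuba
2022-08-01T10:02:13,srv01,payload.exe,rename,C:\HR\contracts.pdf.cuba
2022-08-01T10:02:15,srv01,payload.exe,rename,C:\Shares\backup.zip.cuba
2022-08-01T10:05:00,ws02,explorer.exe,rename,C:\Users\bob\old.txt.cuba
"""

WINDOW = timedelta(seconds=60)   # assumed: how close together renames must be
THRESHOLD = 5                    # assumed: renames inside the window that trigger an alert
TARGET_EXT = ".cuba"             # extension named in the advisory


def parse_events(text):
    """Parse the constructed log into (timestamp, host, process, action, path) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, host, proc, action, path = line.split(",", 4)
        events.append((datetime.fromisoformat(ts), host, proc, action, path))
    return events


def flag_hosts(text, window=WINDOW, threshold=THRESHOLD):
    """Return {host: (total_cuba_renames, set_of_processes)} for every host
    where at least `threshold` renames to TARGET_EXT fall within `window`.

    A sliding window over the sorted timestamps is used so a slow trickle of
    renames spread over hours does not trigger, while a burst does.
    """
    per_host = defaultdict(list)
    for ts, host, proc, action, path in parse_events(text):
        if action == "rename" and path.lower().endswith(TARGET_EXT):
            per_host[host].append((ts, proc))

    flagged = {}
    for host, hits in per_host.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Advance the window start until the window fits.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                procs = {p for _, p in hits[start:end + 1]}
                flagged[host] = (len(hits), procs)
                break
    return flagged


if __name__ == "__main__":
    for host, (count, procs) in flag_hosts(SAMPLE_LOG).items():
        print(f"ALERT {host}: {count} renames to {TARGET_EXT} by {sorted(procs)}")
```

With the sample above, srv01 is flagged (six renames inside two seconds) while the single rename on ws02 is not; the process set in the result is what an analyst would pivot on next, since the advisory notes that payloads are launched remotely through PowerShell and PsExec rather than by the user’s own session.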
In today’s advisory, the FBI asked those who detect Cuba ransomware activity within their networks to share related information with their local FBI Cyber Squad.
Useful information that could help identify the ransomware gang’s members and the cybercriminals they work with includes “boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with ransomware actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.”
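The first item on that list, boundary logs showing communication to and from foreign IP addresses, is usually buried in firewall logs dominated by internal traffic. The script below is an added example, not code from the advisory, the FBI, or BleepingComputer: it reads a constructed space-separated firewall log (timestamp action src dst proto dst_port bytes), keeps only flows that cross the boundary, and builds a per-external-address summary (flow count, bytes, direction, internal peers, ports, first/last seen, denied attempts) of the kind that would accompany a report. The log format, the internal address ranges and every address in the sample (drawn from documentation ranges) are constructed assumptions.

```python
"""Summarize boundary-log traffic to and from external addresses.

Added example, not from the advisory or the article. The advisory asks victims
to preserve "boundary logs showing communication to and from foreign IP
addresses"; this builds a per-external-address summary from such logs.
Log format, internal ranges and all sample addresses are constructed.
"""
import ipaddress

# Assumed internal ranges for the example organization. They are listed
# explicitly instead of using ipaddress.is_private, which also treats the
# documentation ranges used in the sample (203.0.113.0/24, 198.51.100.0/24)
# as private and would hide them from the summary.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed firewall log: timestamp action src dst proto dst_port bytes
SAMPLE_LOG = """
2022-08-01T09:58:40 allow 10.20.5.17 203.0.113.45 tcp 443 18200
2022-08-01T09:59:02 allow 10.20.5.17 10.20.0.3 tcp 445 4096
2022-08-01T10:01:15 allow 203.0.113.45 10.20.5.17 tcp 3389 900
2022-08-01T10:01:50 allow 10.20.5.17 198.51.100.8 tcp 8443 5210000
2022-08-01T10:03:10 deny 198.51.100.8 10.20.5.40 tcp 3389 0
2022-08-01T10:04:00 allow 10.20.5.40 198.51.100.8 tcp 8443 1320000
"""


def is_internal(addr):
    """True if addr falls inside one of the configured internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def summarize(text):
    """Return {external_ip: summary_dict} for every flow crossing the boundary.

    Flows between two internal hosts, or between two external hosts, are
    skipped. ISO-8601 timestamps compare correctly as strings, so first/last
    seen are tracked with min/max on the raw text.
    """
    summary = {}
    for line in text.strip().splitlines():
        ts, action, src, dst, proto, port, nbytes = line.split()
        src_int, dst_int = is_internal(src), is_internal(dst)
        if src_int == dst_int:
            continue  # not a boundary crossing
        if src_int:
            ext, internal, direction = dst, src, "outbound"
        else:
            ext, internal, direction = src, dst, "inbound"
        s = summary.setdefault(ext, {
            "flows": 0, "bytes": 0, "denied": 0,
            "directions": set(), "internal_hosts": set(), "ports": set(),
            "first_seen": ts, "last_seen": ts,
        })
        s["flows"] += 1
        s["bytes"] += int(nbytes)
        s["directions"].add(direction)
        s["internal_hosts"].add(internal)
        s["ports"].add(f"{proto}/{port}")
        s["first_seen"] = min(s["first_seen"], ts)
        s["last_seen"] = max(s["last_seen"], ts)
        if action == "deny":
            s["denied"] += 1
    return summary


def report_lines(summary):
    """Render the summary as text lines, largest byte volume first."""
    lines = []
    for ext, s in sorted(summary.items(), key=lambda kv: -kv[1]["bytes"]):
        lines.append(
            f"{ext}: {s['flows']} flows, {s['bytes']} bytes, "
            f"{'/'.join(sorted(s['directions']))}, denied={s['denied']}, "
            f"ports={sorted(s['ports'])}, internal={sorted(s['internal_hosts'])}, "
            f"{s['first_seen']}..{s['last_seen']}"
        )
    return lines


if __name__ == "__main__":
    print("\n".join(report_lines(summarize(SAMPLE_LOG))))
```

The summary deliberately keeps denied attempts and inbound flows alongside the large outbound transfers: an address that first appears as an inbound RDP attempt and later receives megabytes of outbound data is exactly the kind of entry the advisory asks victims to preserve and hand over, and the internal-host set tells the responder which machines to image next.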
The FBI added that, while it does not encourage ransomware payments because there’s no guarantee that paying prevents data leaks or future attacks, victims should report attacks as soon as possible to their local FBI field offices.
Organizations at risk of being targeted by this ransomware operation are advised to prioritize patching known exploited vulnerabilities, train their employees and users to spot and report phishing attacks and enforce multi-factor authentication (MFA) across their environment.