Cuba Ransomware Targeting Critical Infrastructure, Feds Warn
Digital Extortion Nets Criminal Gang $60 Million
Extortion demands by operators of Cuba ransomware have netted $60 million for the criminal gang, estimates the U.S. federal government in a warning that the number of American entities falling victim to the gang's attacks has doubled over the past year.
Cuba operators actively target critical infrastructure sectors including financial services, government facilities, healthcare, critical manufacturing and information technology. The gang is yet another ransomware outfit whose attackers steal data before leaving systems maliciously encrypted, then leak the data to try to force recalcitrant victims to pay. The gang earns its name from the .cuba extension it appends to encrypted files and from its predilection for revolutionary-kitsch artwork.
There is no indication that the group has any connection with the country of the same name, say the FBI and the Cybersecurity and Infrastructure Security Agency in a joint advisory.
The FBI spotted Cuba ransomware actors compromising more than 100 entities worldwide. Among their victims was the government of Montenegro, which in August took offline multiple government websites and services amid what officials characterize as a targeted cyberattack (see: Cuba Ransomware Gang Takes Credit for Attacking Montenegro).
The latest warning is a follow-up to a December 2021 FBI alert that pegged Cuba's extortion haul at $43.9 million.
The group has modified its techniques over the past half year, the two agencies say, citing third-party reports of an apparent link between Cuba ransomware actors, RomCom RAT actors and Industrial Spy ransomware actors.
The agencies cite a report from Palo Alto Networks finding that Cuba uses RomCom RAT for command and control and that, around May, Cuba began selling stolen data on Industrial Spy's online marketplace rather than only on its own leak site.
The agencies also say Industrial Spy ransomware shares distinct similarities in configuration with Cuba ransomware, and that reporting about the compromise of a foreign healthcare company noted that Cuba had deployed the RomCom RAT.
The Palo Alto report says that Cuba has exploited CVE-2022-24521 in the Windows Common Log File System (CLFS) driver to steal system tokens and elevate privileges, used a PowerShell script for reconnaissance, deployed a tool called KerberCache to extract cached Kerberos tickets from a host's LSASS memory, and exploited CVE-2020-1472 (ZeroLogon) to gain domain administrator privileges (see: Windows Common Log File System Driver 0-Day Gets a Close-Up).
The alert also warns that Cuba has used a dropper that writes a kernel driver called ApcHelper.sys to the file system; the driver targets and terminates security products. The dropper itself was unsigned, but the kernel driver was signed with a code-signing certificate exposed in the LAPSUS$ leak of NVIDIA data. Because Windows does not refuse to load a kernel driver merely because its signing certificate has since expired, the leaked certificate remained usable for this purpose after the leak.
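The following hunting script is an added example written for this article; it is not code from the FBI/CISA advisory or the Palo Alto report. It walks the directories a dropped driver commonly lands in, reads each .sys file's Authenticode signer, and flags any file named ApcHelper.sys or any driver whose signing certificate names NVIDIA as subject and has already expired, the combination a driver signed with the leaked certificate would show. The directory list and the "NVIDIA" subject match are illustrative assumptions, not indicators published in the advisory; adjust them to your environment and run the script from an elevated PowerShell session.

```powershell
# Added hunting example, not from the advisory or the vendor report.
# Assumptions: run elevated; $Paths and the 'NVIDIA' subject filter are
# illustrative choices, not indicators taken from the FBI/CISA advisory.
$Paths = @("$env:SystemRoot\System32\drivers", "$env:SystemRoot\Temp", $env:TEMP)

function Get-SuspiciousDriver {
    param([string[]]$SearchPaths)

    Get-ChildItem -Path $SearchPaths -Filter *.sys -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert = $sig.SignerCertificate

            # An expired NVIDIA-subject signer is the signature the leaked certificate leaves behind.
            $expiredNvidia = ($null -ne $cert) -and
                             ($cert.Subject -match 'NVIDIA') -and
                             ($cert.NotAfter -lt (Get-Date))

            [pscustomobject]@{
                Path       = $_.FullName
                Status     = $sig.Status            # Valid, NotSigned, HashMismatch, ...
                Subject    = if ($cert) { $cert.Subject }    else { '' }
                NotAfter   = if ($cert) { $cert.NotAfter }   else { $null }
                Thumbprint = if ($cert) { $cert.Thumbprint } else { '' }
                Suspicious = ($_.Name -ieq 'ApcHelper.sys') -or $expiredNvidia
            }
        } |
        Where-Object { $_.Suspicious }
}

# Files on disk that match either indicator.
$hits = Get-SuspiciousDriver -SearchPaths $Paths
$hits | Format-Table Path, Status, Subject, NotAfter -AutoSize

# Cross-check against drivers actually registered with the service control manager,
# since a dropper normally installs the driver as a kernel service before loading it.
Get-CimInstance Win32_SystemDriver |
    Where-Object { $hits.Path -contains $_.PathName -or $_.Name -ieq 'ApcHelper' } |
    Select-Object Name, State, StartMode, PathName |
    Format-Table -AutoSize
```

The script keys on the signer's subject and expiry rather than on the Status field alone, because a signature made before the certificate expired can still report as Valid, and a HashMismatch or NotSigned result on a file in a temp directory is itself worth a look. Treat any hit as a lead for investigation, not a confirmed compromise: legitimate NVIDIA drivers that were timestamped before the certificate expired will also match the subject filter and need to be compared against a known-good package.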