While several high-profile ransomware gangs saw a steep rise and an equally sharp decline over the last couple of years, Cuba ransomware somewhat slipped under the radar. With the gang behind Cuba ransomware amassing over $40 million during a spate of attacks on critical infrastructure in 2021, it’s important to learn about Cuba’s origins, operations, and victims.
Security researchers first noted Cuba ransomware in early 2020. At the time, there was nothing novel, unique, or overly destructive about Cuba’s operations, nor was the gang particularly prolific.
After initially focusing on traditional ransomware attacks using only encryption, the Cuba gang switched at some point in mid to late 2020 to using double extortion. This operational shift mirrors that of many other ransomware gangs in recent times, seeking to exfiltrate sensitive data and threaten its publication as additional leverage in obtaining larger ransom payments from victims.
Cuba’s attacks focus on systems running Windows. The threat actors partner with the proprietary Hancitor malware family, which gets downloaded onto target systems and executes or loads other malware, including remote access trojans.
Initial access to a company’s network usually comes from a phishing email containing a link to a malicious document. The contents of the phishing email attempt to lure victims into opening the file and enabling macros. After the victim enables macros, the main Hancitor payload gets dropped and executed on the system, where it downloads other tools to facilitate lateral movement and exfiltration, such as Cobalt Strike beacons, network scanners, and FickerStealer.
Other initial entry points include using compromised or stolen credentials, targeting Microsoft Exchange vulnerabilities, and exploiting remote desktop protocol tools. After moving laterally, obfuscated custom PowerShell scripts deliver the Cuba ransomware payload on all compromised systems.
Cuba encrypts all files on a system (apart from a select few extensions that are exempt) using the ChaCha20 cipher and the RSA-4096 encryption algorithm. Encrypted files have a .cuba extension appended. The ransomware file also uses a hardcoded list to switch off various processes, including SQL and Microsoft Exchange services.
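As an added example (not from the original article or from any vendor's tooling), the two behaviours described above, a burst of files gaining the .cuba extension and a SQL or Exchange service being stopped, can be correlated per host. The JSON-lines schema, field names, host names and thresholds are assumptions, and the log lines are constructed.

```python
import json
from collections import defaultdict

# Constructed sample telemetry (hypothetical JSON-lines schema, not a real EDR format).
SAMPLE_LOG = "\n".join(
    [json.dumps({"ts": 100, "host": "fs01", "type": "service_stop", "name": "MSSQLSERVER"})]
    + [json.dumps({"ts": 101 + i, "host": "fs01", "type": "file_write",
                   "path": f"D:\\share\\doc{i}.xlsx.cuba"}) for i in range(25)]
    + [json.dumps({"ts": 105, "host": "ws07", "type": "file_write", "path": "C:\\tmp\\trip.cuba"})]
    + [json.dumps({"ts": 200, "host": "db02", "type": "service_stop", "name": "MSSQLSERVER"})]
)

SERVICE_HINTS = ("sql", "exchange")  # article: SQL and Microsoft Exchange services get stopped
EXTENSION = ".cuba"                  # article: extension appended to encrypted files


def detect(log_text, window_s=60, min_files=20):
    """Return {host: severity} for hosts with a burst of .cuba writes (assumed thresholds)."""
    writes, stops = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
        except ValueError:
            continue                 # skip malformed lines instead of aborting the scan
        if not isinstance(ev, dict):
            continue
        host = ev.get("host", "unknown")
        if ev.get("type") == "file_write" and str(ev.get("path", "")).lower().endswith(EXTENSION):
            writes[host].append(ev.get("ts", 0))
        elif ev.get("type") == "service_stop" and any(
                hint in str(ev.get("name", "")).lower() for hint in SERVICE_HINTS):
            stops[host].append(ev.get("ts", 0))

    alerts = {}
    for host, stamps in writes.items():
        stamps.sort()
        lo = 0
        for hi, ts in enumerate(stamps):         # sliding time window over .cuba writes
            while ts - stamps[lo] > window_s:
                lo += 1
            if hi - lo + 1 >= min_files:
                # A matching service stop just before or during the burst raises confidence.
                near = any(stamps[lo] - window_s <= s <= ts for s in stops[host])
                alerts[host] = "high" if near else "medium"
                break
    return alerts
```

A single .cuba file (ws07) or a lone service stop (db02) does not alert; only the combination of volume and timing on fs01 does.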
Researchers noticed a slightly modified variant of Cuba in April 2022. This new variant doesn’t differ in functionality, but it can switch off more processes and services to improve its evasiveness. Additionally, the variant uses a custom downloader unique to the gang, known as BUGHATCH, which acts as a backdoor into systems. The variant emerged after a brief gap in activity from November 2021 to March 2022, which coincided with a time when authorities in several countries closed in on many high-profile ransomware gangs.
Cuba operates a dark web leak site where visitors are greeted with the message “this site contains information about companies that did not want to cooperate with us. Part of the information is for sale, part is freely available”. Turning exfiltrated data into gated, premium content is an interesting tactic that demonstrates the relentless pursuit of squeezing more profit from double extortion ransomware attacks.
The latest variant of Cuba ransomware also modifies the ransom note to include a new communication option. Victims can use qTox, which is a privacy-first instant messaging platform, to contact and presumably negotiate with the threat actors. The ransom note also warns victims that they have 3 days to contact the gang before exfiltrated data starts to get uploaded to the gang’s dark web Tor site.
Cuba focuses its attacks on sectors such as financial, logistics, government, healthcare, manufacturing, and information technology. The commonality in this diverse range of targets is the critical nature of their operations. North American organizations are most heavily targeted, but the threat actors behind Cuba have also hit European and Asian companies.
In December 2021, the FBI released a flash alert about the emerging threat from Cuba ransomware attacks. The alert highlighted how 49 entities in five critical infrastructure sectors were compromised by Cuba ransomware actors over the course of 2021. From an estimated total ransom demand of $74 million in these attacks, the gang received at least $43.9 million.
The profitability and large proportion of ransom demands paid perhaps reflect the fact that these attacks disrupted critical infrastructure services in which any significant downtime is extremely costly. The flash alert goes on to remind organizations that the FBI does not encourage paying ransoms because there is no guarantee of file recovery and payments embolden other threat actors to carry out similar future attacks.
In February 2021, Seattle-based payment services company Automatic Funds Transfer Services became a victim of Cuba’s ransomware attacks. Exfiltrated data included balance sheets and tax documents. Organizations and government agencies in both California and Washington use AFTS for payment processing, billing, and printing services.
California’s Department of Motor Vehicles is one such organization that had to warn individuals about a potential data breach after the incident. Other affected organizations included an animal shelter in Seattle and several cities in Washington that used AFTS as a billing service provider.
The halt in Cuba’s operations seemed to indicate potential disbandment, but the threat actors spent that time refining and evolving their tactics, techniques, and procedures. Expect Cuba to continue posing a threat to organizations in North America, particularly in critical infrastructure sectors. In the meantime, here are some mitigation tips to help minimize the chances of your company becoming the next Cuba victim: