
Know Your Adversary: Cuba Ransomware

Cuba Ransomware — Official Blog Website

Welcome to my “Know Your Adversary” blog series, where I will be explaining the various cyber threats that organizations face today. From ransomware and malware to trojans and advanced persistent threats, I will be delving into the tactics, techniques, and procedures used by cybercriminals to infiltrate and disrupt systems.

Through this series, my aim is to provide readers with a deeper understanding of the various types of cyber threats that exist, as well as the best practices for defending against them. By staying informed and taking proactive measures, it is possible to reduce the risk of falling victim to these threats and to better protect your systems and data.

So join me as I embark on this journey of exploring the world of cyber threats and learning how to stay one step ahead of the adversary. Together, we can make the internet a safer place for all.

Cuba Ransomware has been making headlines in the cybersecurity community. The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI released a joint advisory about ransomware attacks originating from a group referred to as “Cuba.” Over the past year, researchers have observed an increase in the number of businesses and institutions targeted by the group, which researchers believe is in fact based in Russia. Researchers report that Cuba has used malware that was certified by Microsoft in its attacks.

Although Cuba ransomware was first observed in December 2019, it only gained notoriety in November 2021 after an official FBI notice detailed its activities. The FBI and CISA published a joint report in December 2022 indicating that Cuba ransomware actors had compromised over 100 entities worldwide, demanded over USD145 million, and received over USD60 million in ransom payments as of August 2022. As with most modern ransomware operators, they pressure victims into paying the ransom by using the double extortion technique. There have been no signs of a slowdown in Cuba ransomware activity throughout 2022. Several high-profile attacks have been carried out by the ransomware group, including ones targeting European government institutions. Additionally, its ransomware routine has been continuously improved and new capabilities have been added in order to improve efficiency and effectiveness. In light of these incidents and its continuous evolution, we may see more advanced iterations of this ransomware in the future.

Here is the Dark Web Onion Link for the Official Cuba Ransomware Leak Blog Website: Cuba Official Blog

Source: Trend Micro

Double Extortion:

Malicious actors use double extortion to pressure organizations: they exfiltrate the organization’s data (sometimes by weaponizing legitimate tools) and threaten to publish it. It is not uncommon for ransomware operators to release stolen information through underground forums and blogs, as well as dedicated data leak sites. Read this blog to know more about double extortion.

Source: Trend Micro

Here are the TTPs related to Cuba ransomware:

Resource Development:

  • Compromise Infrastructure: Domains [T1584.001]

Initial Access:

  • Valid Accounts [T1078]
  • External Remote Services [T1133]
  • Exploit Public-Facing Application [T1190]
  • Phishing [T1566]

Execution

  • Command and Scripting Interpreter: PowerShell [T1059.001]
  • Software Deployment Tools [T1072]

Privilege Escalation

  • Exploitation for Privilege Escalation [T1068]

Defense Evasion

  • Impair Defenses: Disable or Modify Tools [T1562.001]

Lateral Movement

  • Remote Services Session: RDP Hijacking [T1563.002]
  • Cuba ransomware actors used RDP sessions to move laterally.

Credential Access

  • Credential Dumping: LSASS Memory [T1003.001]
  • Steal or Forge Kerberos Tickets: Kerberoasting [T1558.003]

Command and Control

  • Proxy: Manipulate Command and Control Communications [T1090]

You can also see additional information about Cuba Ransomware on MITRE ATT&CK here. Also, check this MITRE ATT&CK Navigator for the matrix view.

Here are some of the IOCs related to Cuba ransomware:

SHA256 Hashes:

  • f1103e627311e73d5f29e877243e7ca203292f9419303c661aec57745eb4f26c
  • a7c207b9b83648f69d6387780b1168e2f1eabd23ae6e162dd700ae8112f8b96c
  • 02a733920c7e69469164316e3e96850d55fca9f5f9d19a241fad906466ec8ae8
  • bff4dd37febd5465e0091d9ea68006be475c0191bd8c7a79a44fbf4b99544ef1
  • 857f28b8fe31cf5db6d45d909547b151a66532951f26cda5f3320d2d4461b583
  • ecefd9bb8b3783a81ab934b44eb3d84df5e58f0289f089ef6760264352cf878a

IP Addresses:

  • 193.23.244[.]244
  • 144.172.83[.]13
  • 216.45.55[.]30
  • 94.103.9[.]79
  • 149.255.35[.]131
  • 217.79.43[.]148
  • 192.137.101[.]46
  • 154.35.175[.]225
  • 222.252.53[.]33

Email Addresses:

  • magikkey@cock[.]li
  • berkberk@cock[.]li
  • sonom@cock[.]li
  • filebase@cock[.]li
  • cloudkey@cock[.]li
  • frankstore@cock[.]li

Bitcoin Wallets:

  • bc1q4vr25xkth35qslenqwd7aw020w85qrvlrhv7hc
  • bc1q5uc0fdnz0ve5pg4nl4upa9ly586t6wmnghfe7x
  • bc1q6rsj3cn37dngypu5kad9gdw5ykhctpwhjvun3z
  • bc1q6zkemtyyrre2mkk23g93zyq98ygrygvx7z2q0t
  • bc1q9cj0n9k2m282x0nzj6lhqjvhkkd4h95sewek83

Additional IOCs:
