Welcome to my “Know Your Adversary” blog series, where I will be explaining the various cyber threats that organizations face today. From ransomware and malware to trojans and advanced persistent threats, I will be delving into the tactics, techniques, and procedures used by cybercriminals to infiltrate and disrupt systems.
Through this series, my aim is to provide readers with a deeper understanding of the various types of cyber threats that exist, as well as the best practices for defending against them. By staying informed and taking proactive measures, it is possible to reduce the risk of falling victim to these threats and to better protect your systems and data.
So join me as I embark on this journey of exploring the world of cyber threats and learning how to stay one step ahead of the adversary. Together, we can make the internet a safer place for all.
Cuba ransomware has been making headlines in the cybersecurity community. The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI released a joint advisory about ransomware attacks originating from a group referred to as “Cuba.” Over the past year, researchers have observed an increase in the number of businesses and institutions targeted by the group, which researchers believe is in fact based in Russia. Researchers report that Cuba has used malware that was certified by Microsoft in its attacks.
Although Cuba ransomware was first observed in December 2019, it only gained notoriety in November 2021 after an official FBI notice detailed its activities. The FBI and CISA published a joint report in December 2022 indicating that Cuba ransomware actors had compromised over 100 entities worldwide, demanded over USD 145 million, and received over USD 60 million in ransom payments as of August 2022. As with most modern ransomware operators, they pressure victims into paying the ransom by using the double extortion technique. There have been no signs of a slowdown in Cuba ransomware activity throughout 2022. Several high-profile attacks have been carried out by the ransomware group, including ones targeting European government institutions. Additionally, its ransomware routine has been continuously improved and new capabilities have been added in order to increase efficiency and effectiveness. Given these incidents and its continuous evolution, we may see more advanced iterations of this ransomware in the future.
Here is the Dark Web Onion Link for the Official Cuba Ransomware Leak Blog Website: Cuba Official Blog
Malicious actors use double extortion to extort organizations’ data by exfiltrating (sometimes by weaponizing legitimate tools) and threatening to publicize it. It is not uncommon for ransomware operators to release stolen information through underground forums and blogs, as well as dedicated data leak sites. Read this blog to know more about double extortion.
Here are the TTPs related to Cuba ransomware:
Resource Development
Initial Access
Execution
Privilege Escalation
Defense Evasion
Lateral Movement
Credential Access
Command and Control
You can also see additional information about the MITRE ATT&CK mapping for Cuba ransomware here. Also, check this MITRE ATT&CK Navigator layer for the matrix view.
Here are some of the IOCs related to Cuba ransomware: