Cuba Ransomware Actors Pocket $60m

A leading US security agency has warned of the continued threat posed by the Cuba ransomware variant, which has made its affiliates and developers $60m as of August.
The US Cybersecurity and Infrastructure Security Agency (CISA) revealed in a new alert that the ransomware has compromised at least 100 entities worldwide, having doubled its victim count in the US since last December.
The group and its affiliates mainly target financial services, government, healthcare, critical manufacturing and IT companies. Disappointingly, ransoms are increasingly being paid, CISA said. The group has demanded $145m to date in recorded attacks.
Threat actors use one of several tried-and-tested techniques to gain initial access: phishing campaigns, vulnerability exploitation, compromised credentials and remote desktop protocol (RDP) tools.
Once inside, the ransomware itself is distributed via a loader known as “Hancitor,” the report revealed.
However, since spring this year, the group has modified some of its tactics, techniques and procedures (TTPs).
It uses a dropper that writes a kernel driver called ApcHelper.sys to the file system in order to terminate any security products running on victims’ machines. It also exploits CVE-2022-24521 to steal system tokens and elevate privileges, and CVE-2020-1472 to gain domain administrator privileges.
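The driver-based defence-evasion step described above leaves a concrete trace that defenders can hunt for: a kernel driver load event. The following Python snippet is an added example written for this article, not code from CISA's alert or from any vendor. It runs simple detection logic over constructed sample events modelled loosely on Sysmon Event ID 6 (DriverLoad) fields, flagging the driver filename named in the alert (ApcHelper.sys), unsigned drivers, and drivers loaded from user-writable directories. The event field names and sample paths are assumptions for illustration.

```python
"""Flag kernel driver loads matching the defence-evasion TTP described in the CISA alert."""
import re

# Constructed sample events, modelled loosely on Sysmon Event ID 6 (DriverLoad).
# These are illustrative records, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\ACPI.sys",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\Temp\ApcHelper.sys",
     "Signed": "false", "Signature": ""},
    {"EventID": 6, "ImageLoaded": r"C:\Users\Public\kdrv.sys",
     "Signed": "true", "Signature": "Example Vendor"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe"},  # not a driver load
]

# Driver filename named in the advisory; extend with other names from your own intel.
KNOWN_BAD_DRIVER_NAMES = {"apchelper.sys"}

# Directories from which a legitimate kernel driver should not normally be loaded.
# Assumed heuristic for this example, not a list from the alert.
SUSPICIOUS_DIRS = re.compile(r"\\(temp|users\\public|programdata|appdata)\\", re.IGNORECASE)


def classify_driver_load(event):
    """Return the list of reasons a DriverLoad event is suspicious (empty if none)."""
    if event.get("EventID") != 6:
        return []
    path = event.get("ImageLoaded", "")
    name = path.rsplit("\\", 1)[-1].lower()
    reasons = []
    if name in KNOWN_BAD_DRIVER_NAMES:
        reasons.append(f"driver name matches advisory indicator: {name}")
    if event.get("Signed", "").lower() != "true":
        reasons.append("driver is unsigned")
    if SUSPICIOUS_DIRS.search(path):
        reasons.append("driver loaded from a user-writable directory")
    return reasons


def scan(events):
    """Return {driver_path: reasons} for every driver-load event with a finding."""
    findings = {}
    for ev in events:
        reasons = classify_driver_load(ev)
        if reasons:
            findings[ev["ImageLoaded"]] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_EVENTS).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

Matching on a single filename is brittle, since an operator can rename a driver; the unsigned and unusual-path checks are the more durable signals, and in practice they would be combined with a baseline of drivers normally present in the environment.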
CISA also cited Palo Alto Networks research linking the Cuba ransomware variant to the custom RomCom RAT for command and control (C2), and the Industrial Spy ransomware, on whose marketplace the group has sold stolen data.
“According to third-party reporting, suspected Cuba ransomware actors compromised a foreign healthcare company. The threat actors deployed Industrial Spy ransomware, which shares distinct similarities in configuration to Cuba ransomware,” CISA said.
“Before deploying the ransomware, the actors moved laterally using Impacket and deployed the RomCom RAT and Meterpreter Reverse Shell HTTP/HTTPS proxy via a C2 server.”