Chris Swagler | December 21st, 2021

Critical Infrastructure

According to the Federal Bureau of Investigation (FBI), the Cuba ransomware group attacked 49 companies in the critical infrastructure sector and received almost $44 million in ransom. The FBI issued a notice explaining that the group is targeting enterprises in the financial, government, healthcare, manufacturing, and information technology sectors by using Hancitor malware to gain access to Windows systems. Hancitor, a loader known for dropping or executing stealers, Remote Access Trojans (RATs), and other ransomware onto victims’ networks, distributes the Cuba ransomware, which appends a “.cuba” extension to encrypted files.

Hancitor malware operators can gain initial access to a victim’s network through phishing emails, Microsoft Exchange vulnerabilities, compromised credentials, or legitimate Remote Desktop Protocol (RDP) tools. Using legitimate Windows services, including PowerShell, PsExec, and other unspecified services, Cuba ransomware actors can leverage Windows Admin privileges to remotely execute their ransomware and other processes. The staggering ransom payments were dwarfed by the amount of money demanded by the group from victims, which the FBI estimated at $74 million.

Once the victim’s network is infected, the ransomware installs and executes a CobaltStrike beacon and downloads two executable files. Through these two files the threat actors can obtain passwords and “write to the compromised system’s temporary (TMP) file.” Once the actors upload the TMP file, they delete the ‘krots.exe’ file and execute the TMP file in the compromised network. The TMP file contains Application Programming Interface (API) calls related to memory injection and automatically deletes itself from the system once executed. After the TMP file is deleted, the compromised network begins communicating with a malware repository hosted at a Montenegro-based Uniform Resource Locator (URL).

Cuba ransomware actors also steal credentials using Mimikatz and log into the compromised network host with a specific user account over the Remote Desktop Protocol (RDP). Once the RDP connection is established, the threat actors communicate with the compromised user account through the CobaltStrike server. One initial PowerShell script function allocates memory space to run a base64-encoded payload. Once loaded into memory, the payload reaches out to the remote command-and-control (C2) server at the malicious URL and deploys the next stage of files for the ransomware.
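As an added example (not from the FBI notice or from SpearTip), the following Python detector targets the stage just described: it pulls base64-encoded payloads out of constructed PowerShell command-line and script-block log events, decodes them, and flags those that reference memory-allocation and thread-creation APIs. The API list, the event format and the sample events are assumptions made for the example.

```python
import base64
import re

# Win32 APIs typical of in-memory loaders; this list and the log format are
# assumptions for the example, not taken from the FBI notice.
MEMORY_INJECTION_APIS = ("VirtualAlloc", "VirtualAllocEx", "VirtualProtect",
                         "WriteProcessMemory", "CreateThread", "CreateRemoteThread")
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

def decode_base64_runs(text):
    """Decode each long base64 run as UTF-16LE (what -EncodedCommand uses)
    and as UTF-8, so either packing of a payload reaches the API check."""
    for match in B64_RUN.finditer(text):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        yield raw.decode("utf-16-le", errors="replace")
        yield raw.decode("utf-8", errors="replace")

def check_event(event):
    """Return the sorted memory-injection API names found inside any
    base64-encoded payload in event['script'] ([] when clean)."""
    hits = set()
    for decoded in decode_base64_runs(event["script"]):
        hits.update(api for api in MEMORY_INJECTION_APIS if api in decoded)
    return sorted(hits)

def flag_events(events):
    """(host, apis) for every event whose decoded payload hits."""
    flagged = [(e["host"], check_event(e)) for e in events]
    return [(host, apis) for host, apis in flagged if apis]

def _b64_utf16(s):
    """Pack text the way -EncodedCommand expects (for constructed test data)."""
    return base64.b64encode(s.encode("utf-16-le")).decode("ascii")

# Constructed sample events, not real telemetry; the flagged payload only names APIs.
SAMPLE_EVENTS = [
    {"host": "WS-FIN-07", "script": "powershell -nop -w hidden -EncodedCommand "
        + _b64_utf16("[W]::VirtualAlloc; [W]::CreateThread  # constructed marker text")},
    {"host": "WS-HR-02", "script": "powershell -EncodedCommand "
        + _b64_utf16("Get-ChildItem C:\\Reports | Sort-Object LastWriteTime")},
    {"host": "SRV-APP-01", "script": "Get-Service | Where-Object Status -eq Running"},
]

if __name__ == "__main__":
    for host, apis in flag_events(SAMPLE_EVENTS):
        print(f"{host}: base64 payload references {', '.join(apis)}")
```

Feed it Windows PowerShell script-block (Event ID 4104) or process-creation command lines to surface encoded stages before the C2 callout; a hit is a triage lead, since legitimate administration tooling can also embed these APIs.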

The Cuba ransomware group has been operating a leak site since January to increase impact and revenue. It recently began using that leak site to extort victims, threatening to release stolen data if they do not pay. The group usually targets companies in the United States, South America, and Europe and sometimes sells the stolen data to other groups. The actors had network access before the infection, which they used to collect specific information to conduct the attack and have the greatest impact. They use a set of PowerShell scripts to move laterally and exfiltrate files before encrypting them.

According to BleepingComputer, the Cuba ransomware group made headlines when they attacked Automatic Funds Transfer Services, a payment processor, forcing multiple states to send out breach notification letters. The group stole financial documents involving bank employees, account movements, balance sheets, and tax documents, causing significant damage to the company’s services. One of the biggest concerns of multiple state governments was that they were using the company for various services, which allowed access to people’s names, addresses, phone numbers, license plate numbers, VIN numbers, credit card information, paper checks, and other billing details.

Every day, new ransomware groups emerge with the intention of stealing sensitive information and extorting victims. It’s important for companies, especially those in the critical infrastructure sector, to stay current with the latest threat landscape and keep their network security posture updated to avoid potential threats like Cuba ransomware. At SpearTip, we defend critical infrastructure. We have designed solutions to address the increasing threat to companies involved in critical infrastructure and help avoid major disruptions that can impact thousands of people. Our ShadowSpear Platform is designed to integrate with even the most complex networks and work with IT and OT technology. Additionally, ShadowSpear ensures that monitored companies’ critical supplies and processes remain operational and avoid downtime, so they can continuously provide services to the public.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.