Chris Swagler | December 8th, 2022

According to a joint cybersecurity advisory issued by CISA and the FBI, organizations should be aware of the prolific Cuba ransomware group, which has compromised more than 100 entities worldwide, demanded more than $145 million, and received more than $60 million in ransom payments. The advisory states that Cuba ransomware attacks have targeted critical infrastructure, financial services, healthcare, information technology, government services, and other sectors.

Despite the moniker, the group has no connection to the country of Cuba. It runs double-extortion attacks: it encrypts data and demands a ransom in Bitcoin, and it threatens to publish the data it stole from victims who do not pay. The new advisory was issued because attacks attributed to the group have increased and its tactics, techniques, and procedures (TTPs) have expanded, making the attacks harder to detect; the group has also been linked to the RomCom Remote Access Trojan (RAT) and to Industrial Spy ransomware.

The group's methods include exploiting a vulnerability in the Windows Common Log File System (CLFS) driver (CVE-2022-24521) to steal system tokens and elevate privileges, and using a PowerShell script to identify service accounts and target their Active Directory Kerberos tickets, a technique known as Kerberoasting. Cuba ransomware actors have also exploited Zerologon (CVE-2020-1472), a flaw in the Microsoft Windows Netlogon Remote Protocol, to obtain domain administrator privileges. For initial access, they rely on known vulnerabilities in commercial software, phishing campaigns, stolen usernames and passwords, and legitimate remote desktop protocol (RDP) tools. After gaining access, the actors deploy Hancitor, a loader that lets them regain access to and act on compromised networks, and eventually use it to execute the ransomware payload. The FBI and CISA provided numerous mitigation recommendations to help network defenders prevent threat actors from using these conventional tactics to infiltrate networks and deploy ransomware.
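The privilege-escalation steps above leave recognizable traces in Windows Security logs, and the advisory's own mitigations call for procedures to detect abnormal activity before the ransomware is deployed. The following Python is an added example, not code from this article or from the CISA/FBI advisory, that runs two detection rules over a constructed set of Windows event records: a Kerberoasting rule on Event ID 4769 (one account requesting RC4 or DES service tickets for several distinct service accounts within a short window, which is the shape the PowerShell service-account enumeration described above produces), and a Zerologon rule on Event ID 4742 (a domain controller's computer-account password changed by ANONYMOUS LOGON, SID S-1-5-7) and Event ID 5829 (a patched but non-enforcing DC reporting that it still allowed a vulnerable Netlogon secure channel). Dictionary keys follow the EventData names in the event XML; the thresholds, the `DC_ACCOUNTS` set and every sample record are assumptions made up for the demo.

```python
"""Added example (not part of the SpearTip article or the CISA/FBI advisory):
Kerberoasting and Zerologon detection rules run over constructed Windows
Security event records. Dict keys mirror the EventData names in the event XML
(TargetUserName, ServiceName, TicketEncryptionType, SubjectUserSid, ...);
thresholds and sample data are assumptions for the demo."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17                 # Kerberos etype 23: RC4-HMAC, crackable offline
DES_TYPES = {0x01, 0x03}        # des-cbc-crc / des-cbc-md5, even weaker
ANONYMOUS_LOGON_SID = "S-1-5-7"


def kerberoasting_suspects(events, window=timedelta(minutes=5), min_spns=3):
    """Return {account: [service accounts]} for accounts that requested RC4/DES
    TGS tickets (Event ID 4769) for >= min_spns distinct non-machine service
    principals within `window`. Service-account enumeration followed by a burst
    of ticket requests, as the advisory describes, produces this pattern."""
    per_user = defaultdict(list)
    for e in events:
        if e["EventID"] != 4769:
            continue
        etype = int(e["TicketEncryptionType"], 16)
        if etype != RC4_HMAC and etype not in DES_TYPES:
            continue                               # AES tickets are not roastable
        svc = e["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue                               # machine accounts and TGT noise
        per_user[e["TargetUserName"]].append((e["TimeCreated"], svc))

    suspects = {}
    for user, reqs in per_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):        # slide a window from each request
            distinct = {s for t, s in reqs[i:] if t - t0 <= window}
            if len(distinct) >= min_spns:
                suspects[user] = sorted(distinct)
                break
    return suspects


def zerologon_suspects(events, dc_accounts):
    """Return (time, description) hits for the traces a Zerologon (CVE-2020-1472)
    password-reset exploit leaves: Event ID 4742 where a DC machine account's
    password is changed by ANONYMOUS LOGON, and Event ID 5829, which a patched
    DC not yet in enforcement mode logs when it still allows a vulnerable
    Netlogon secure channel."""
    hits = []
    for e in events:
        if (e["EventID"] == 4742
                and e.get("SubjectUserSid") == ANONYMOUS_LOGON_SID
                and e.get("TargetUserName") in dc_accounts
                and e.get("PasswordLastSet", "-") != "-"):
            hits.append((e["TimeCreated"],
                         f"4742 anonymous password reset of {e['TargetUserName']}"))
        elif e["EventID"] == 5829:
            hits.append((e["TimeCreated"],
                         f"5829 vulnerable Netlogon channel from {e.get('SAMAccountName', '?')}"))
    return hits


# --- constructed sample log, not real data -----------------------------------
T0 = datetime(2022, 12, 1, 3, 14, 0)

def _tgs(sec, user, svc, etype="0x17"):
    return {"EventID": 4769, "TimeCreated": T0 + timedelta(seconds=sec),
            "TargetUserName": user, "ServiceName": svc,
            "TicketEncryptionType": etype}

SAMPLE_EVENTS = [
    _tgs(0, "jdoe@CORP.LOCAL", "FS01$", "0x12"),      # normal AES256 traffic
    _tgs(5, "jdoe@CORP.LOCAL", "svc_sql", "0x12"),
    _tgs(60, "helpdesk3@CORP.LOCAL", "svc_sql"),      # RC4 burst across SPNs
    _tgs(61, "helpdesk3@CORP.LOCAL", "svc_backup"),
    _tgs(62, "helpdesk3@CORP.LOCAL", "svc_web"),
    _tgs(63, "helpdesk3@CORP.LOCAL", "svc_sql"),      # repeat, counted once
    {"EventID": 4742, "TimeCreated": T0 + timedelta(minutes=10),   # Zerologon shape
     "SubjectUserSid": ANONYMOUS_LOGON_SID, "TargetUserName": "DC01$",
     "PasswordLastSet": "12/1/2022 3:24:00 AM"},
    {"EventID": 4742, "TimeCreated": T0 + timedelta(minutes=11),   # routine rotation
     "SubjectUserSid": "S-1-5-21-1111-2222-3333-1105", "TargetUserName": "WS042$",
     "PasswordLastSet": "12/1/2022 3:25:00 AM"},
    {"EventID": 5829, "TimeCreated": T0 + timedelta(minutes=12),
     "SAMAccountName": "LEGACYNAS$"},
]
DC_ACCOUNTS = {"DC01$", "DC02$"}

if __name__ == "__main__":
    for user, spns in kerberoasting_suspects(SAMPLE_EVENTS).items():
        print(f"possible Kerberoasting by {user}: {spns}")
    for when, what in zerologon_suspects(SAMPLE_EVENTS, DC_ACCOUNTS):
        print(f"{when:%Y-%m-%d %H:%M:%S} {what}")
```

Both rules are deliberately narrow: the Kerberoasting rule ignores AES tickets and machine accounts because a roaster wants RC4 or DES tickets for human-managed service accounts, and the Zerologon rule requires the subject to be ANONYMOUS LOGON because routine machine-password rotation is performed by the computer account itself. Tune `window` and `min_spns` against your own baseline before alerting on them, and note that a DC in Netlogon enforcement mode denies vulnerable channels (logging 5827 or 5828) rather than allowing them with 5829.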

The recommendations include keeping all operating systems, software, and firmware current with the latest security updates, prioritizing vulnerabilities that attackers are actively exploiting, including CVE-2022-24521 and CVE-2020-1472. Timely patching is one of the most efficient and cost-effective steps an organization can take to reduce its exposure. Requiring strong, unique passwords for all accounts and multi-factor authentication for all accounts, especially for cloud services, keeps a stolen password from being enough to breach an account. Organizations should also have procedures in place to identify, detect, and investigate abnormal network activity, because such activity can indicate that the network has already been infiltrated and a ransomware deployment is imminent, which is the point at which intervention can still prevent it.

Organizations also need a recovery plan that keeps multiple copies of critical systems, servers, and data current and stored offline, so that if a ransomware attack succeeds the network can be restored without paying. Following these recommendations matters because there is no guarantee that paying a ransom will restore the network, and giving in to extortion demands encourages cybercriminals to return with further attacks and ransom demands.

The FBI and CISA urge organizations not to pay ransoms, because payment does not guarantee that victims' files will be recovered. Payment also emboldens cybercriminals to target more companies, encourages other threat actors to distribute ransomware, and may fund other unlawful activity. Victims of ransomware attacks are urged to report incidents, and organizations need to stay alert to the current threat landscape and follow the recommendations above to prevent future attacks. At SpearTip, our certified engineers working 24/7/365 in our Security Operations Center continuously monitor companies' networks for potential ransomware threats like Cuba ransomware and are ready to respond to incidents at a moment's notice. Our remediation team restores companies' operations by isolating the malware so they can reclaim their networks and recover business-critical assets. The ShadowSpear platform, our integrable managed detection and response tool, uses comprehensive insights built on data normalization and visualization to detect sophisticated and advanced ransomware threats.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.