CISA and FBI Say Cuba Ransomware’s Lifetime Earnings Crossed $60M in 2022

The number of U.S. entities compromised by Cuba ransomware has doubled since December 2021 with ransoms demanded and paid on the increase.

December 5, 2022

The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory warning against continued attacks by the Cuba ransomware gang. The federal agencies said that the threat actors behind the group had compromised over 100 organizations as of August 2022.

According to the updated advisory, the Cuba ransomware gang has extorted more than $60 million (up from $43 million in December 2021) of the $145 million it demanded from the 100+ organizations it successfully targeted. That puts the average ransom earned per victim at $600,000.

“Since the release of the December 2021 FBI Flash, the number of U.S. entities compromised by Cuba ransomware has doubled, with ransoms demanded and paid on the increase,” the FBI-CISA joint advisory reads.

The Cuba ransomware gang typically leverages known vulnerabilities in commercial software to infiltrate systems and gain access. It also relies on phishing campaigns, compromised credentials, and legitimate remote desktop protocol (RDP) tools to distribute the Hancitor loader, which drops stealers and executes Remote Access Trojans (RATs).

CISA said the threat actors had expanded their tactics, techniques, and procedures (TTPs) in spring 2022. “This year, Cuba ransomware actors have added to their TTPs, and third-party and open-source reports have identified a possible link between Cuba ransomware actors, RomCom Remote Access Trojan (RAT) actors, and Industrial Spy ransomware actors.”

RomCom RAT is used for command and control (C2) in the group’s operations, including the exploitation of CVE-2022-24521 (an elevation of privilege vulnerability in the Windows Common Log File System driver, CVSS: 7.8) and CVE-2020-1472 (also an elevation of privilege bug, in the Netlogon Remote Protocol, CVSS: 10).

Notably, Cuba ransomware evades detection by terminating security processes through ApcHelper.sys, a kernel driver signed using a certificate the threat actors found in the NVIDIA leak by the LAPSUS$ extortion group.

Cuba Ransomware Kernel Driver Using Stolen Digital Signature | Source: Palo Alto Networks Unit 42

While the Cuba ransomware syndicate was previously known to sell stolen data on its leak site, the group is now leveraging Industrial Spy’s online market to trade stolen data.

The Cuba ransomware gang has previously targeted five critical infrastructure sectors: financial services, government facilities, healthcare and public health, critical manufacturing, and information technology. CISA noted RomCom was used to target foreign military organizations, IT companies, food brokers and manufacturers.

In 2022, the Cuba ransomware gang was linked to Russia. It targeted electricity, water systems and transportation in Montenegro (August), and Ukrainian governmental and critical infrastructure in October.

“Tropical Scorpius remains an active threat,” Palo Alto Networks’ Unit 42, which tracks Cuba ransomware as Tropical Scorpius, said. “The group’s activity makes it clear that an approach to tradecraft using a hybrid of more nuanced tools focusing on low-level Windows internals for defense evasion and local privilege escalation can be highly effective during an intrusion.”

“Coupled with a splash of well-adopted and successful crimeware techniques, this presents unique challenges to defenders.”

Unit 42 advises organizations to apply the relevant security updates to patch known vulnerabilities. The company also recommends implementing a Security Information and Event Management (SIEM) tool fed by advanced logging sources such as Sysmon, Windows command-line logging and PowerShell logging.
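The Sysmon-fed SIEM recommendation above, and the ApcHelper.sys driver signed with a leaked NVIDIA certificate described earlier, suggest one concrete detection: review Sysmon Event ID 6 (DriverLoad) records for drivers with a watched signer loaded from outside the standard driver directories, a non-valid signature status, or a file name already reported as abusive. The following Python is an added example written for this article, not code from CISA, the FBI or Unit 42; the log lines are constructed, the `key=value` flattening is an assumed forwarder format, and the signer watchlist and trusted directories are illustrative choices a defender would tune to their own environment.

```python
import re

# Constructed sample records in a flattened "key=value" form (assumed forwarder
# output, not real telemetry). Field names follow Sysmon's DriverLoad event.
SAMPLE_EVENTS = [
    "EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\nvlddmkm.sys "
    "Signed=true Signature=NVIDIA Corporation SignatureStatus=Valid",
    "EventID=6 ImageLoaded=C:\\Users\\Public\\ApcHelper.sys "
    "Signed=true Signature=NVIDIA Corporation SignatureStatus=Valid",
    "EventID=6 ImageLoaded=C:\\Windows\\Temp\\zz.sys "
    "Signed=true Signature=NVIDIA Corporation SignatureStatus=Expired",
    "EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe /c whoami",
]

# Directories where legitimately installed kernel drivers normally live.
TRUSTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)
# Signer named on the page as the source of the leaked certificate; a real
# deployment would key on certificate serial/thumbprint rather than the name.
WATCHED_SIGNERS = {"nvidia corporation"}
# Driver file name reported in the advisory coverage above.
KNOWN_BAD_NAMES = {"apchelper.sys"}


def parse_kv(line):
    """Split a flattened event into a dict; values may contain spaces."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", line))


def evaluate_driver_load(fields):
    """Return the list of reasons a DriverLoad record deserves review."""
    reasons = []
    path = fields.get("ImageLoaded", "").lower()
    name = path.rsplit("\\", 1)[-1]
    signer = fields.get("Signature", "").lower()
    status = fields.get("SignatureStatus", "").lower()

    if name in KNOWN_BAD_NAMES:
        reasons.append("known abusive driver name")
    # A watched signer is only interesting when the driver sits outside the
    # places a vendor installer would put it.
    if signer in WATCHED_SIGNERS and not path.startswith(TRUSTED_DRIVER_DIRS):
        reasons.append("watched signer loaded from non-standard path")
    # Windows may still load a driver whose certificate is no longer valid,
    # so the status field is worth alerting on by itself.
    if status and status != "valid":
        reasons.append(f"signature status {status}")
    return reasons


def scan(lines):
    """Run the DriverLoad checks over a batch of events; other IDs are skipped."""
    alerts = []
    for line in lines:
        fields = parse_kv(line)
        if fields.get("EventID") != "6":
            continue
        reasons = evaluate_driver_load(fields)
        if reasons:
            alerts.append((fields["ImageLoaded"], reasons))
    return alerts


if __name__ == "__main__":
    for image, why in scan(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(why)}")
```

The vendor-installed nvlddmkm.sys record produces no alert, which is the point of combining signer with load path: a blanket rule on the signer name would page on every workstation with that vendor's graphics driver, while the two drivers in user-writable directories are surfaced with the specific reasons an analyst needs.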

Training for phishing identification can go a long way in thwarting Cuba ransomware attacks.

For technical details of Cuba ransomware and relevant TTPs, refer to Unit 42’s write-up.


Sumeet Wadhwani

Asst. Editor, Spiceworks Ziff Davis