Cuba Ransomware Gang Takes $44m in Pay-outs!

The “Cuba” ransomware gang has infiltrated at least 49 bodies in 5 critical sectors in the US as of Nov., the FBI has warned.

The gang is using a variety of tools & malware to conduct attacks in volume on critical sectors, the FBI cautioned.

In a flash alert, they attributed a spate of attacks on US entities in the financial, govt., healthcare, manufacturing & IT sectors to the group. Collectively, the hits resulted in the extortion of $44m in ransom payments. That’s just over half of the $74m that the Cuba gang actually demanded from the attacks, suggesting that companies are split on whether to pay.

Specific Victims

The FBI didn’t name victims, but in Nov. the bureau also warned that the group is targeting tribal casinos throughout the US.

The FBI noted that the Cuba ransomware is distributed using a 1st-stage implant that acts as a loader for follow-on payloads: the Hancitor malware, which has existed for at least 5 years.

Hancitor users gain their initial access to target computers using phishing emails, exploitation of Microsoft Exchange vulnerabilities, compromised credentials or legitimate Remote Desktop Protocol (RDP) tools, reveals the FBI’s alert.

Pen-Testing Tool

After Hancitor is present, Cuba ransomware players also use legitimate Windows services & tools – such as PowerShell & PsExec – along with Cobalt Strike, the legitimate pen-testing tool that cyber-crooks have turned to en masse to aid in lateral movement. The tool uses ‘beacons’ to effectively identify exploitable vulnerabilities inside a targeted environment.

“A Cobalt Strike beacon is installed as a service on the victim’s network via PowerShell,” explains the FBI’s analysis.

“Once installed, the ransomware downloads 2 executable files, which include ‘pones.exe’ for password acquisition and ‘krots.exe,’ also known as KPOT, enabling the Cuba ransomware actors to write to the compromised system’s temporary (TMP) file.”

Once the TMP file is uploaded, KPOT is deleted & the TMP file is executed in the compromised network – a trick meant to cover the ransomware’s tracks.

“The TMP file includes API calls related to memory injection that, once executed, deletes itself from the system,” the alert read. “Upon deletion of the TMP file, the compromised network begins communicating with a reported malware repository located at a Montenegro-based domain.”

The Cuba criminals also use Mimikatz malware to steal credentials from victims, & then use Remote Desktop Protocol (RDP) to log into the compromised network host with a specific user account, the FBI stated.

Cobalt Strike Server

“Once an RDP connection is complete, the Cuba ransomware actors use the Cobalt Strike server to communicate with the compromised user account,” explains their analysis.

“One of the initial PowerShell script functions allocates memory space to run a base64-encoded payload. Once this payload is loaded into memory, it can be used to reach the remote command-&-control (C2) server [kurvalarva[dot]com], & then deploy the next stage of files for the ransomware.”
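The FBI description above (a beacon installed as a service via PowerShell, and a PowerShell script that allocates memory for a base64-encoded payload) maps onto a simple defender-side check. The following Python is an added example, not code from the alert or the article: it scans constructed records shaped like Windows System log event 7045 (new service installed), decodes any `-EncodedCommand` argument the image path passes to PowerShell, and flags memory-allocation calls inside it. The record field names and the sample events are assumptions made for the illustration.

```python
import base64
import re

# Constructed sample records in the shape of Windows event 7045 (service installed).
# These are made-up examples, not indicators from the FBI alert.
SAMPLE_EVENTS = [
    {"event_id": 7045, "service": "Spooler", "image_path": "C:\\Windows\\System32\\spoolsv.exe"},
    {"event_id": 7045, "service": "updatesvc",
     "image_path": "powershell.exe -nop -w hidden -enc " + base64.b64encode(
         "[System.Runtime.InteropServices.Marshal]::AllocHGlobal(4096)".encode("utf-16-le")).decode()},
    {"event_id": 7045, "service": "backupagent", "image_path": "C:\\Program Files\\Backup\\agent.exe"},
    {"event_id": 4624, "service": "", "image_path": ""},  # unrelated event type, must be ignored
]

# PowerShell accepts abbreviated forms of -EncodedCommand; match the longest form first.
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# .NET / Win32 names commonly seen when a script carves out memory for a payload.
MEMORY_API_HINTS = ("VirtualAlloc", "AllocHGlobal", "Marshal::Copy", "CreateThread")

def decode_encoded_command(image_path):
    """Return the decoded -EncodedCommand text (PowerShell uses UTF-16LE) or None."""
    m = ENC_FLAG.search(image_path)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")
    except ValueError:  # binascii.Error is a ValueError: malformed base64
        return None

def suspicious_service_installs(events):
    """Flag 7045 events whose service binary is PowerShell with an encoded command.

    Returns a list of (service_name, decoded_command, memory_api_seen) tuples."""
    hits = []
    for ev in events:
        if ev.get("event_id") != 7045:
            continue
        path = ev.get("image_path", "")
        if "powershell" not in path.lower():
            continue
        decoded = decode_encoded_command(path)
        if decoded is None:
            continue
        mem = any(hint.lower() in decoded.lower() for hint in MEMORY_API_HINTS)
        hits.append((ev["service"], decoded, mem))
    return hits

if __name__ == "__main__":
    for service, cmd, mem in suspicious_service_installs(SAMPLE_EVENTS):
        print(f"service={service!r} memory_api={mem} decoded={cmd!r}")
```

A production version would read event 7045 and PowerShell Script Block Logging (event 4104) from the SIEM rather than an inline list, but the decode-and-inspect step is the same.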

Target files are encrypted with the “.cuba” extension, giving the ransomware its name.

Holiday Season

The analysis comes after a joint FBI/CISA warning for organisations to be extra-vigilant during the holiday season, when many offices close for days & IT staff may have taken their eyes off the ball.

“Although neither CISA nor the FBI currently have identified any specific threats, recent 2021 trends show malicious cyber-actors launching serious & impactful ransomware attacks during holidays & weekends, including the US Independence Day & Mother’s Day weekends,” according to the warning.

Constantly Evolving

“Ransomware threats are constantly evolving,” Mieng Lim, VP of product management at Digital Defense by Help Systems, outlined.

“From the commoditisation of ransomware through the recent availability of as-a-service tools, to increasingly sophisticated attack strategies, it is a threat landscape that demands constant monitoring & education from organisations & govts. alike.”

Best Practices

Organisations can take steps to protect themselves by implementing well-known best practices, such as user awareness training on spotting phishing emails, timely patching, email security solutions, regular penetration testing & vulnerability scanning, network segregation, data encryption, remote backups, & having a robust & tested incident-response playbook, Lim added.

“Unfortunately, we live in an era where preventing 100% of cyber-risks is no longer possible, but constant vigilance, ongoing cyber-threat education, & a well-planned threat detection & response strategy will go a long way towards keeping your organisation’s most sensitive data safe,” Lim concluded.