The FBI released a new alert regarding Cuba ransomware, warning that the gang had targeted “49 companies in five vital infrastructure sectors” and demanded at least $43.9 million in ransom.
What is the story?
According to an FBI notice sent out on Friday, the group targets businesses in the financial, government, healthcare, manufacturing, and information technology sectors, using malware called Hancitor to gain entry to Windows systems.
According to the notice, the “.cuba” extension indicates that the infection was spread via the Hancitor malware, a loader that delivers stealers, such as Remote Access Trojans (RATs), and other ransomware onto victims’ networks.
To obtain initial access to a victim’s network, Hancitor malware actors employ phishing emails, Microsoft Exchange vulnerabilities, compromised credentials, or legitimate Remote Desktop Protocol (RDP) tools. Then, using legitimate Windows services like PowerShell, PsExec, and other unidentified services, Cuba ransomware actors use Windows Admin rights to remotely execute their malware and other programmes.
Large as the ransom payments were, they paled in comparison to the $74 million the group demanded from victims, according to the FBI.
When a victim’s computer is infected, the ransomware downloads and installs a CobaltStrike beacon, as well as two executable files. Attackers can use the two files to obtain passwords and “write to the compromised system’s temporary (TMP) file.”
In the compromised network, the TMP file is executed and the ‘krots.exe’ file is deleted. TMP files contain API calls related to memory injection that, once executed, delete themselves from the system. Once the TMP file is deleted, the compromised network begins communicating with Montenegro’s teoresp.com, which hosts a malware repository, according to the FBI.
Furthermore, the Cuba ransomware actors employ the Mimikatz malware to capture credentials before logging into the infected network host with a specific user account through RDP. Once an RDP connection has been established, the Cuba ransomware actors use the CobaltStrike server to interact with the compromised user account. One of the first PowerShell script functions sets aside memory for a base64-encoded payload to run. Once loaded into memory, this payload can be used to connect to a remote command-and-control (C2) server and then deliver the next stage of the ransomware’s files. The malicious URL kurvalarva.com hosts the remote C2 server.
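The chain described above leaves several artefacts a defender can look for: queries to teoresp.com and kurvalarva.com, the krots.exe file name, files renamed with the .cuba extension, and PowerShell launched with a base64-encoded command that allocates memory for a payload. The following Python is an added triage example written for this article; it is not code from the FBI notice or from any vendor report. The pipe-separated `key=value` log format and the sample log lines are constructed for the example (the PowerShell script inside the sample is a harmless stand-in that merely contains a memory-API name), and the indicator names are the only values taken from the article.

```python
"""Triage constructed endpoint log lines against the indicators the FBI notice
describes for Cuba ransomware: the .cuba extension, the teoresp.com and
kurvalarva.com domains, the krots.exe file name, and PowerShell started with a
base64-encoded (-EncodedCommand) script that references memory-injection APIs.
The 'type=...|key=value' log format and all sample lines are constructed."""
import base64
import re

# Indicators taken from the article. The log schema around them is an assumption.
SUSPECT_DOMAINS = {"teoresp.com", "kurvalarva.com"}
SUSPECT_FILES = {"krots.exe"}
RANSOM_EXTENSION = ".cuba"
# API names that typically show up in scripts that reserve memory for a payload.
MEMORY_API_MARKERS = ("VirtualAlloc", "WriteProcessMemory", "CreateThread")

# PowerShell accepts several abbreviations of -EncodedCommand.
ENCODED_FLAG = re.compile(r"(?i)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")


def decode_powershell_command(cmdline):
    """Return the decoded script if cmdline carries an encoded command, else None.
    PowerShell base64-encodes the UTF-16LE bytes of the script."""
    match = ENCODED_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        # Not valid base64/UTF-16: treat as 'no encoded command' rather than crash.
        return None


def classify_event(line):
    """Return the list of indicator names matched by one constructed log line."""
    fields = dict(kv.split("=", 1) for kv in line.split("|") if "=" in kv)
    hits = []
    kind = fields.get("type")
    if kind == "dns" and fields.get("query", "").lower() in SUSPECT_DOMAINS:
        hits.append("c2_domain")
    if kind == "file":
        path = fields.get("path", "").lower()
        if path.endswith(RANSOM_EXTENSION):
            hits.append("ransom_extension")
        if path.rsplit("\\", 1)[-1] in SUSPECT_FILES:
            hits.append("known_dropper_name")
    if kind == "process" and "powershell" in fields.get("image", "").lower():
        script = decode_powershell_command(fields.get("cmdline", ""))
        if script is not None:
            hits.append("encoded_powershell")
            if any(marker in script for marker in MEMORY_API_MARKERS):
                hits.append("memory_injection_script")
    return hits


def triage(lines):
    """Map the index of every matching line to the indicators it triggered."""
    return {i: hits for i, line in enumerate(lines) if (hits := classify_event(line))}


def encode_for_sample(script):
    """Build an -EncodedCommand argument the way PowerShell expects it (sample use only)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample: a harmless one-liner that only mentions a memory API name.
SAMPLE_SCRIPT = "$m = [Kernel32]::VirtualAlloc(0, 4096, 0x3000, 0x40)"
SAMPLE_LOG = [
    "type=dns|host=WS01|query=teoresp.com",
    "type=file|host=WS01|path=C:\\Windows\\Temp\\krots.exe",
    "type=file|host=WS01|path=C:\\Users\\alice\\Documents\\report.docx.cuba",
    "type=process|host=WS01|image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|cmdline=powershell.exe -nop -w hidden -enc " + encode_for_sample(SAMPLE_SCRIPT),
    "type=dns|host=WS01|query=update.microsoft.com",  # benign, should not match
]

if __name__ == "__main__":
    for index, hits in triage(SAMPLE_LOG).items():
        print(f"line {index}: {', '.join(hits)}")
```

Decoding the encoded command rather than only flagging the `-enc` switch is the part that matters: plenty of legitimate automation uses encoded commands, so the second-stage check for memory-allocation API names is what separates the pattern in the notice from routine noise. Domain and file-name matches are exact and will age quickly; the extension and encoded-PowerShell checks describe behaviour and tend to last longer.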
Other attack details were supplied by the FBI, as well as a sample ransom note and email sent by the attackers.
Analysts were astonished by the amount of money the group made, given its level of activity compared with better-known ransomware gangs.
The report, according to Emsisoft threat analyst Brett Callow, demonstrated how lucrative the ransomware market is, even though the Cuba ransomware organisation is not among the top 10 in terms of activity.
There were 105 Cuba ransomware submissions this year, compared to 653 for the Conti ransomware group, according to his statistics.
“This clearly demonstrates how lucrative ransomware can be. Cuba is a little player, and if they made $49 million, other companies would have made far more,” Callow told ZDNet. “Of course, this is why ransomware is such a difficult issue to solve. People deem the risks worthy because of the tremendous profits.”
The gang has been operating a leak site since January, becoming one of many ransomware outfits that threaten to reveal stolen data if victims do not pay the ransom.
In April, the McAfee Advanced Threat Research Team published a lengthy study on the group, citing many of the same findings as the FBI. Researchers from McAfee also discovered that, although the group has been around for a long time, it only recently began using its leak site to extort victims.
Typically, the group targets businesses in the United States, South America, and Europe. According to McAfee, the gang has sold stolen data in the past.
“Cuba ransomware is a more recent malware that has been operating for some years. To boost its damage and revenue, the perpetrators recently shifted to leaking the stolen data, similar to what we’ve seen previously with other significant ransomware operations,” according to the McAfee analysis.
“According to our findings, the attackers had access to the network prior to the infection and were able to gather precise data in order to coordinate the attack and maximise its damage. The attackers use a series of PowerShell scripts that allow them to navigate about the network. The data was exfiltrated before being encrypted, according to the ransom message.”
When the group hacked payment processor Automatic Funds Transfer Services in February, it caused various US jurisdictions to issue breach notification letters. The theft of “financial data, correspondence with bank staff, account movements, balance sheets, and tax paperwork” was first reported by Bleeping Computer. The incident also disrupted the company’s services for weeks.
In an article published by Bleeping Computer, several states expressed concern that the attackers could have accessed personal information such as names, addresses, phone numbers, license plate numbers, VIN numbers, credit card numbers, paper checks, and other billing details. A breach notification letter was sent to California and to other communities in Washington.
According to Allan Liska, a ransomware expert at Recorded Future, the FBI report also revealed the ransomware landscape’s observability problem.
At least 49 victims were listed on the Cuba extortion site, but the FBI knew about only about half of them, Liska explained.
“Although there were a limited number of victims, the FBI estimates that the criminals made $43.9 million, which indicates that ransomware is a lucrative business for them.” Their primary targets were small and medium-sized businesses.