The report listed how the ransomware works, starting with a Hancitor malware for entry into vulnerable systems and using publicly available tools like CobaltStrike beacons and MimiKatz for dumping and running their ransomware tools.
Modus Operandi of Cuba Ransomware
Cuba ransomware is one of the few gangs that go under the security radar, as it makes very few hits every year which doesn’t seem impactful. But, we were wrong! As per the FBI’s recent notice, the Cuba gang is one of the most lucrative ransomware groups in its industry. As they were detailed, the Cuba ransomware group has made over $43.9 million from about 49 victims so far. This astonished the security researchers and firms, as their count of Cuba ransomware victims was much less than what the FBI reported. Also, the earnings of the Cuba gang are dwarfed by the sum they had asked for – $74 million from victims. They often target medium-sized businesses, and in five critical sectors like financial, government, healthcare, manufacturing, and information technology sectors, says FBI. And this operation starts by using Hancitor malware for the initial access. They distribute the Hancitor – a malware loader – through phishing campaigns, exploiting Microsoft Exchange vulnerabilities, compromised credentials, or through the legitimate Remote Desktop Protocol (RDP). Once in, they push stealers and other malware executables for further exploitation. FBI noted that the Cuba gang uses legitimate and public tools like PowerShell, PsExec, CobaltStrike beacons, MimiKatz, etc for gaining system admin privileges. They then use API within the compromised systems to make calls from a remote server, that dumps in their ransomware for locking the system. All infected files within the system will have a .cuba extension, for identification. And they recently started a leak site, similar to other ransomware groups for pressuring the victims into paying the ransom.