Kaspersky Lab researchers present analysis of Cuba ransomware

Kaspersky Lab researchers presented an analysis of Cuba ransomware, looking at the group's history and its typical TTPs.

The group came into view in 2020, when it was still tracked as Tropical Scorpius. Other names include ColdDraw, Fidel, and V Is Vendetta.

Cuba has targeted organizations in the United States, Canada, and Europe, launching a series of high-profile attacks on oil companies, financial services, government agencies, and healthcare providers. Victims have also been recorded in Canada, Europe, Asia and Australia.

Like most ransomware crews, the Cuba gang encrypts victims' files and demands a ransom in exchange for a decryption key. It operates as RaaS, bringing in affiliates in exchange for a share of the ransom.

It is notable for its sophisticated tactics and methods of infiltrating victims' networks, including exploiting software vulnerabilities and social engineering. Compromised RDP access is also used for initial entry.

The gang's exact origin and the identities of its members are unknown, but some researchers speculate that it may be a successor to Babuk.

The Cuba ransomware is a single executable file with no additional libraries. Samples often carry a fake compilation timestamp: those found in 2020 were marked June 4, 2020, and later ones June 19, 1992.
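The forged compile dates above are a cheap triage signal: the PE file header stores a 32-bit TimeDateStamp, and a value that predates the PE format or matches a date already reported for a family stands out immediately. The following Python is an added example written for this summary, not code from Kaspersky's report; the stub PE header it builds is constructed test data, and the year-based plausibility threshold is a heuristic chosen here.

```python
"""Triage helper: read a PE file's COFF TimeDateStamp and judge its plausibility."""
import struct
from datetime import datetime, timezone
from typing import Optional

# Compilation dates the summary above attributes to Cuba samples. The 1992 one
# predates the PE format itself (introduced with Windows NT 3.1 in 1993).
REPORTED_CUBA_DATES = {(2020, 6, 4), (1992, 6, 19)}
PE_FORMAT_FIRST_YEAR = 1993  # heuristic lower bound for a genuine compile date


def pe_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since the Unix epoch) of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF file header follows the signature:
    # Machine(2), NumberOfSections(2), TimeDateStamp(4), ...
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def assess_timestamp(ts: int, now: Optional[datetime] = None) -> str:
    """Classify a compile timestamp as a reported Cuba date, implausible, or plausible."""
    now = now or datetime.now(timezone.utc)
    dt = datetime.fromtimestamp(ts, tz=timezone.utc)
    if (dt.year, dt.month, dt.day) in REPORTED_CUBA_DATES:
        return "matches-reported-cuba-date"
    if dt.year < PE_FORMAT_FIRST_YEAR or dt > now:
        return "implausible"
    return "plausible"


def utc_epoch(year: int, month: int, day: int, hour: int = 12) -> int:
    """Epoch seconds for a UTC calendar date (noon by default, to avoid day rollover)."""
    return int(datetime(year, month, day, hour, tzinfo=timezone.utc).timestamp())


def build_minimal_pe(ts: int) -> bytes:
    """Construct a stub MZ/PE header carrying the given timestamp.

    Constructed test data for this example only; it is not a real sample and
    contains no code, just the headers pe_timestamp() needs to parse.
    """
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, 1, ts, 0, 0, 0, 0)  # Machine=x64, one section
    return bytes(dos) + b"PE\0\0" + coff


def triage(samples):
    """Map each (label, file bytes) pair to its timestamp assessment."""
    return {label: assess_timestamp(pe_timestamp(blob)) for label, blob in samples}


if __name__ == "__main__":
    constructed = [
        ("sample-2020", build_minimal_pe(utc_epoch(2020, 6, 4))),
        ("sample-1992", build_minimal_pe(utc_epoch(1992, 6, 19))),
        ("sample-1985", build_minimal_pe(utc_epoch(1985, 1, 1))),
        ("sample-2015", build_minimal_pe(utc_epoch(2015, 3, 1))),
    ]
    for label, verdict in triage(constructed).items():
        print(f"{label}: {verdict}")
```

On a real collection, replace the constructed headers with the bytes read from disk; a timestamp that is merely "plausible" proves nothing, while a match on a reported date or a pre-1993 value is a reason to pull the sample for closer analysis.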

The group uses the classic double-extortion model: it steals data and then encrypts it with the symmetric XSalsa20 cipher, protecting the file encryption key with asymmetric RSA-2048.

The Cuba ransomware samples do not encrypt files with the following extensions: exe, dll, sys, ini, lnk, vbm, and cuba, and they also skip a number of system folders.

To save time, the ransomware encrypts the documents, images, archives, and other Microsoft Office files referenced in the %AppData%\Microsoft\Windows\Recent\ directory. It also stops all SQL services so that every available database can be encrypted, and it searches for data both locally and on network shares.

In addition to encryption, the group steals confidential data that it discovers inside the victim's organization. The type of data the attackers look for depends on the industry the target company belongs to.

The group combines well-known "classic" tools, including credential access tools, with self-written applications. Malware: Bughatch, Burntcigar, Cobeacon, Hancitor (Chanitor), Termite, SystemBC, Veeamp, Wedgecut, and RomCOM RAT. Tools: Mimikatz, PowerShell, PsExec, and Remote Desktop Protocol.

Software vulnerabilities are exploited, mostly known issues such as the combination of ProxyShell and ProxyLogon to attack Exchange servers, as well as security holes in the Veeam data backup and recovery service.

Incoming and outgoing payments to the bitcoin wallets whose addresses the attackers list in their ransom notes exceed 3,600 BTC in total, or more than 103,000,000 US dollars.

In the report, the researchers present the results of investigating one of the incidents, focusing on malware analysis (including previously undocumented tools) and the group's TTPs, and share indicators of compromise along with Sigma and YARA rules.