FBI, CISA Issue Warning on Cuba Ransomware

The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory Thursday on indicators of compromise associated with Cuba ransomware actors. The advisory is the latest in the government’s #StopRansomware campaign.

The advisory updates the December 2021 FBI Flash: Indicators of Compromise Associated with Cuba Ransomware. Since the release of the December 2021 FBI Flash, the number of U.S. entities compromised by Cuba ransomware has doubled, with the number of ransoms demanded and paid climbing rapidly.

“This year, Cuba ransomware actors have added to their TTPs, and third-party and open-source reports have identified a possible link between Cuba ransomware actors, RomCom Remote Access Trojan (RAT) actors, and Industrial Spy ransomware actors,” the advisory states. 

The advisory also points out that while this ransomware is known as “Cuba ransomware,” there is no indication Cuba ransomware actors have any connection or affiliation with the Republic of Cuba.

Technical Details

Cuba ransomware actors have leveraged the following techniques to gain initial access to dozens of entities in multiple critical infrastructure sectors:

  • Known vulnerabilities in commercial software
  • Phishing campaigns
  • Compromised credentials
  • Legitimate remote desktop protocol (RDP) tools

After gaining initial access, the actors distribute Cuba ransomware on compromised systems through Hancitor—a loader known for dropping or executing stealers, such as Remote Access Trojans (RATs) and other types of ransomware, onto victims’ networks.

Since the spring of 2022, Cuba ransomware actors have modified their TTPs and tools to interact with compromised networks and extort payments from victims.

In addition to deploying ransomware, the threat actors have used “double extortion” techniques, whereby they exfiltrate data and demand a ransom payment to decrypt it, then threaten to expose the data if a ransom payment is not made.

According to the advisory, Cuba ransomware actors have leveraged the following tools and vulnerabilities:

  • Exploited CVE-2022-24521 in the Windows Common Log File System (CLFS) driver to steal system tokens and elevate privileges.
  • Used a PowerShell script to identify and target service accounts for their associated Active Directory Kerberos ticket.
  • Used a tool called KerberCache to extract cached Kerberos tickets from a host’s Local Security Authority Server Service (LSASS) memory.
  • Used a tool to exploit CVE-2020-1472 (also known as “ZeroLogon”) to gain Domain Administrative privileges. This tool and its intrusion attempts have reportedly been related to Hancitor and Qbot.

Predictive Ransomware Protection

Cybereason’s Predictive Ransomware Protection works to identify key indicators of behavior attributed to ransomware, quarantines it, and prevents it from being executed. Predictive Ransomware Protection is an AI-powered, enterprise anti-ransomware solution designed to detect the most subtle of adversary behaviors at the earliest stages of an attack and automatically end the operation before data exfiltration or disruptive encryption can occur. 

Using artificially intelligent endpoints, multilayer protection, and visibility from the kernel to the cloud, even the most sophisticated attackers can’t evade it. In the rare event that an attacker encrypts data, Cybereason’s rapid recovery feature can restore the targeted data to its original state and ensure organizations are up and running quickly with minimal downtime or impact.

Attackers use increasingly sophisticated attack techniques to infiltrate systems through various engines and products. Most successful attacks use fileless malware to infiltrate systems. 

Attackers use various modules, frameworks, and programs (Powershell engine, .Net, JScript, VBScript, and Office macros) to launch advanced, fileless attacks to take control of a module, framework, or program, often without using the relevant process. In many cases, fileless attacks never access the disk, meaning that these attacks can easily elude standard antivirus tools.

Cybereason NGAV, specifically Fileless Malware Prevention, examines the behavior of the Powershell engine, .Net, JScript, and VBScript to ensure that attackers cannot slip by organizations’ defenses by loading malicious code into memory.

Check out Cybereason’s online ebook, NGAV Redefined: 9 Layers of Unparalleled Attack Protection, to learn how Cybereason has dramatically redefined the latest NGAV prevention technologies to identify and stop threats, from the simplest to novel threats never seen before.

Want to see the Cybereason Defense Platform in action? Schedule a demo today.

Dan Verton
About the Author

Dan Verton

Dan Verton is Director of Content Marketing at Cybereason. Dan has 30 years of experience as a former intelligence officer and journalist. He is the 2003 first-place recipient of the Jesse H. Neal National Business Journalism Award for Best News Reporting – the nation’s highest award for tech trade journalism and is the author of the groundbreaking work, Black Ice: The Invisible Threat of Cyber-Terrorism (McGraw-Hill, 2003). He most recently served as an intelligence advisor and co-author of a nationwide TSA anti-terrorism awareness training program.

All Posts by Dan Verton