In a flash alert issued in coordination with DHS/CISA, the Federal Bureau of Investigation (FBI) reported that, as of early November 2021, Cuba ransomware actors had compromised at least 49 entities in U.S. critical infrastructure sectors, including financial services, government, healthcare, manufacturing, and information technology.
Per the flash alert, the Cuba ransomware operators gain access to victim networks and encrypt files, appending the “.cuba” extension to each encrypted file. The gang is reported to have demanded at least $74 million and to have received at least $43.9 million in ransom payments.
Cuba Ransomware Deployed by Hancitor
The Group-IB Threat Intelligence and Attribution team found that the threat actors actively use Hancitor to deploy Cuba ransomware. According to the team, Cuba ransomware has been active since at least January 2020, and its operators run a dedicated leak site (DLS) where they post data exfiltrated from victims who refuse to pay. The Hancitor downloader itself has been active since at least 2016, when it was used to drop Pony and Vawtrak; as a loader it has since delivered other malware families, such as the Ficker stealer and NetSupport RAT, to compromised hosts. The Hancitor actors gain initial access to a victim’s network through phishing emails, Microsoft Exchange vulnerabilities, compromised credentials, or legitimate Remote Desktop Protocol (RDP) tools. Once inside, the Cuba ransomware actors use legitimate Windows services and tools, such as PowerShell and PsExec, together with Windows administrative privileges to execute the ransomware and other processes remotely.
The Technical View
The FBI explained the technical workings of the ransomware. It stated, “Cuba ransomware, upon compromise, installs and executes a CobaltStrike beacon as a service on the victim’s network via PowerShell. Once installed, the ransomware downloads two executable files, which include ‘pones.exe’ for password acquisition and ‘krots.exe,’ also known as KPOT, enabling the Cuba ransomware actors to write to the compromised system’s temporary (TMP) file. Once the TMP file is uploaded, the ‘krots.exe’ file is deleted and the TMP file is executed in the compromised network. The TMP file includes Application Programming Interface (API) calls related to memory injection that, once executed, deletes itself from the system. Upon deletion of the TMP file, the compromised network begins communicating with a reported malware repository located at Montenegro-based Uniform Resource Locator (URL) teoresp.com.”
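The chain the FBI describes (a service installed via PowerShell, the pones.exe and krots.exe drops, a TMP file executed from a temp directory, memory-injection API use, and DNS contact with teoresp.com) can be turned into host-level correlation logic. The Python script below is an added example, not code from the FBI, Group-IB or this article. It runs over a handful of constructed event records: the event IDs follow Sysmon (1 process create, 8 CreateRemoteThread, 22 DNS query) and the Windows System log (7045 service install), but the field names, host names, paths, timestamps and the 30-minute window are assumptions chosen for the example.

```python
"""Correlate host telemetry into the Cuba ransomware deployment chain the FBI
describes: a service installed via PowerShell, the pones.exe / krots.exe drops,
a TMP file executed from a temp directory, memory injection, and DNS contact
with teoresp.com.  Added example: every record below is constructed, not real
telemetry; field names loosely follow Sysmon (event IDs 1, 8, 22) and the
Windows System log (7045), and host names, paths and timestamps are invented."""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Indicators taken from the flash alert text.
DROPPED_EXECUTABLES = {"pones.exe", "krots.exe"}
C2_DOMAIN = "teoresp.com"

WINDOW = timedelta(minutes=30)  # assumption: one intrusion's stages land within 30 minutes
MIN_STAGES = 3                  # assumption: three distinct stages on one host warrant an alert


def classify(ev):
    """Map one event to a stage of the chain, or None if it matches nothing."""
    eid = ev["event_id"]
    image = ev.get("image", "")
    basename = PureWindowsPath(image).name.lower()
    if eid == 7045 and "powershell" in ev.get("image_path", "").lower():
        return "service_via_powershell"      # beacon installed as a service via PowerShell
    if eid == 1 and basename in DROPPED_EXECUTABLES:
        return "dropper_executed"            # pones.exe or krots.exe started
    if eid == 1 and basename.endswith(".tmp") and "\\temp\\" in image.lower():
        return "tmp_file_executed"           # the TMP file written by krots.exe is run
    if eid == 8:
        return "remote_thread_injection"     # CreateRemoteThread: memory-injection API use
    if eid == 22:
        q = ev.get("query_name", "").lower()
        if q == C2_DOMAIN or q.endswith("." + C2_DOMAIN):
            return "c2_dns_query"            # lookup of the reported C2 domain
    return None


def correlate(events, window=WINDOW, min_stages=MIN_STAGES):
    """Return {host: [stages in first-seen order]} for every host on which at
    least `min_stages` distinct stages occur inside one `window`."""
    per_host = defaultdict(list)
    for ev in events:
        stage = classify(ev)
        if stage:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), stage))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):      # slide the window over each hit
            seen = []
            for t, stage in hits[i:]:
                if t - start > window:
                    break
                if stage not in seen:
                    seen.append(stage)
            if len(seen) >= min_stages:
                alerts[host] = seen
                break
    return alerts


# Constructed sample telemetry (not real data).
EVENTS = [
    # WS-17: the whole chain within a few minutes
    {"ts": "2021-11-03T09:12:00", "host": "WS-17", "event_id": 7045,
     "image_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -w hidden -enc <base64>"},
    {"ts": "2021-11-03T09:14:30", "host": "WS-17", "event_id": 1, "image": r"C:\Users\Public\pones.exe"},
    {"ts": "2021-11-03T09:15:05", "host": "WS-17", "event_id": 1, "image": r"C:\Users\Public\krots.exe"},
    {"ts": "2021-11-03T09:16:40", "host": "WS-17", "event_id": 1,
     "image": r"C:\Users\jdoe\AppData\Local\Temp\A3F2.tmp"},
    {"ts": "2021-11-03T09:16:41", "host": "WS-17", "event_id": 8,
     "image": r"C:\Users\jdoe\AppData\Local\Temp\A3F2.tmp", "target_image": r"C:\Windows\System32\svchost.exe"},
    {"ts": "2021-11-03T09:17:10", "host": "WS-17", "event_id": 22, "query_name": "teoresp.com"},
    # SRV-02: ordinary admin activity, nothing matches
    {"ts": "2021-11-03T10:00:00", "host": "SRV-02", "event_id": 7045, "image_path": r"C:\Program Files\Backup\agent.exe"},
    {"ts": "2021-11-03T10:05:00", "host": "SRV-02", "event_id": 22, "query_name": "update.example.com"},
    {"ts": "2021-11-03T10:06:00", "host": "SRV-02", "event_id": 1, "image": r"C:\Windows\System32\cmd.exe"},
    # LT-09: three stages, but hours apart, so no single window holds them
    {"ts": "2021-11-03T01:00:00", "host": "LT-09", "event_id": 1, "image": r"C:\Users\Public\pones.exe"},
    {"ts": "2021-11-03T02:00:00", "host": "LT-09", "event_id": 1, "image": r"C:\Temp\setup.tmp"},
    {"ts": "2021-11-03T08:30:00", "host": "LT-09", "event_id": 22, "query_name": "teoresp.com"},
]

if __name__ == "__main__":
    for host, stages in correlate(EVENTS).items():
        print(f"ALERT {host}: {' -> '.join(stages)}")
```

Only WS-17 is reported: SRV-02 matches no stage, and LT-09 has three stages but never three inside one 30-minute window. In practice the records would come from Sysmon or an EDR rather than an inline list, and the stage logic matters more than the single domain indicator, since a lone DNS lookup of a published IOC is easy for an attacker to change and easy for a sandbox or researcher to trigger.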
The flash alert recommends the following mitigations to reduce the risk of compromise by Cuba ransomware:
- Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to have strong, unique passwords. Passwords should not be reused across multiple accounts or stored on a system where an adversary may have access.
- Require multi-factor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.
- Keep all operating systems and software up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.
- Remove unnecessary access to administrative shares, restrict privileges to only the necessary service or user accounts, and continuously monitor for anomalous activity.
- Use a host-based firewall to only allow connections to administrative shares via server message block (SMB) from a limited set of administrator machines.
- Segment networks to limit the spread of ransomware. Segmentation controls traffic flows between, and access to, subnetworks, which restricts an adversary’s lateral movement.
- Identify, detect, and investigate abnormal activity and potential traversal of the ransomware with a network monitoring tool. To aid detection, deploy a tool that logs and reports all network traffic, including lateral movement within the network. Endpoint detection and response (EDR) tools are particularly useful for spotting lateral connections because they have insight into the common and uncommon network connections of each host.
- Implement time-based access for accounts at the admin level and higher. Under such a policy, admin accounts are automatically disabled in Active Directory when they are not in direct use; when access is needed, the user submits a request through an automated process that enables the account for a set timeframe sufficient to complete the task.
- Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on utilities that run from the command line; if threat actors cannot run these tools, they will have difficulty escalating privileges or moving laterally.
- Maintain offline backups of data, and regularly test backup and restoration. This practice ensures the organization is not severely interrupted and does not lose data irretrievably.
- Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure.
As the festive season brings a significant spike in premeditated cybercrime, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI remind all organizations, big or small, and critical infrastructure partners that malicious actor groups are actively launching planned cyberattacks.
The authorities have issued advisories urging organizations, especially critical infrastructure and service providers, to assess their current security posture and implement best practices and mitigations to reduce the threat of cyberattacks.
Despite the alerts, the number of ransomware victims continues to rise, and many organizations give in to ransom demands to safeguard their reputation, critical information and data, and financial standing.
Satya Gupta, Cofounder and CTO, Virsec, opined, “Critical infrastructure will remain a highly lucrative target. There is a subtle but massive change in attacker tactics that is taking place and we are at risk of being totally blindsided. Attackers are increasingly burrowing their attacks deep in the software runtime by exploiting vulnerabilities. Being deeper in the software’s runtime helps attackers evade early discovery as evidenced by this group’s method.”
“While many vulnerability disclosures are accompanied by a software patch, the most sophisticated attackers often leverage undisclosed vulnerabilities. In a recent interview, CISA Director Jen Easterly remarked that more than ‘90 percent of vulnerabilities exploited by ransomware have patches associated with them.’ What is left unsaid is that 10% of attacks are vulnerabilities for which patches are not available. Irrespective, patching is not a successful security strategy. This is because even if a patch were available, many entities will drag their heels in deploying the patch.”
Government authorities have also prioritized the fight against ransomware and are pressuring ransomware groups to cease operations.
Organizations need to be on constant alert and review their security posture at a granular level, as threat actors are actively scouting for the smallest vulnerability before launching their attacks.
Gupta expressed, “The only way organizations can truly protect themselves is by deploying runtime security controls that take away the attacker’s ability to successfully exploit vulnerabilities. These controls will stop attackers, in milliseconds, from successfully exploiting vulnerabilities. This type of protection is not only possible, but mandatory if we want to prevent further successful ransomware attacks.”