As of August 2022, the threat actors behind the Cuba (aka COLDDRAW) ransomware have received over $60 million in ransom payments and compromised over 100 entities worldwide.
In a new advisory, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) noted “a sharp increase in both the number of compromised U.S. entities and ransom amounts.”
The ransomware crew, also known as Tropical Scorpius, has been observed targeting financial services, government facilities, healthcare, critical manufacturing, and IT sectors while expanding its tactics to gain initial access and interact with compromised networks.
It is important to note that despite the title “Cuba,” there is no evidence that the actors have any connection or affiliation with the island nation.
The attacks begin with the exploitation of known security vulnerabilities, phishing, compromised credentials, and legitimate remote desktop protocol (RDP) tools, followed by the distribution of ransomware through Hancitor (aka Chanitor).
Some of the flaws Cuba has incorporated into its arsenal are as follows:
- CVE-2022-24521 (CVSS score: 7.8) – A privilege escalation flaw in the Windows Common Log File System (CLFS) driver.
- CVE-2020-1472 (CVSS score: 10.0) – A privilege escalation flaw in the Netlogon remote protocol (aka ZeroLogon).
“In addition to deploying ransomware, the actors have used ‘double extortion’ techniques,” according to CISA. “They exfiltrate victim data, (1) demand a ransom payment to decrypt it, and (2) threaten to publicly release it if a ransom payment is not made.”
Recent findings from BlackBerry and Palo Alto Networks Unit 42 suggest that Cuba has ties to the operators of RomCom RAT and another ransomware family known as Industrial Spy.
The RomCom RAT is disseminated via trojanized versions of legitimate software such as SolarWinds Network Performance Monitor, KeePass, PDF Reader Pro, Advanced IP Scanner, pdf filler, and Veeam Backup & Replication that are hosted on imposter websites that resemble the real thing.
The advisory from the CISA and FBI is the most recent in a series of alerts the agencies have issued regarding various ransomware strains, including MedusaLocker, Zeppelin, Vice Society, Daixin Team, and Hive.