Cuba ransomware has made $60 million from their attacks

December 6, 2022

CISA and the FBI released an advisory on the Cuba ransomware gang’s overall profit from its cybercriminal campaigns: more than $60 million in ransom payments collected from over 100 victims worldwide.

This advisory updates an announcement published last year, which warned of the increasing activity of the Cuba ransomware. Last year, the group compromised more than a dozen organisations in the United States, from which it profited about $40 million.

Furthermore, the ransomware group’s targeting of US entities doubled after both agencies warned of its activity in December 2021. The actors’ ransom demands have also increased, resulting in higher payments from their victims.

The United States is the country most targeted by the Cuba ransomware group.

The US infrastructure sectors most targeted by Cuba ransomware are government facilities, healthcare and public health, manufacturing, information technology, and financial services.

The federal law enforcement agency also estimates that the ransomware operators had compromised more than 100 entities globally as of August this year. Across these attacks the group demanded approximately $145 million and is believed to have received at least $60 million in ransom payments.

Both agencies emphasised that the ransomware group has upgraded its TTPs since the beginning of 2022 and has been linked to the RomCom RAT and the Industrial Spy ransomware.

Fortunately, some researchers report that the Cuba ransomware group has been less active since the start of the last quarter of the year. Even so, a less active ransomware group can still affect its victims.

Researchers have observed that Cuba ransomware payloads are disseminated via Hancitor, giving its operators easy access to previously infected networks.

The Hancitor malware downloader is notorious for launching info stealers, RATs, and other ransomware strains on infected systems. The actors deliver the malware to targeted systems through phishing emails, MS Exchange vulnerabilities, stolen credentials, and RDP tools.

Finally, once the ransomware group has established persistence on an infected device within the target’s network, it can use legitimate Windows services to launch payloads remotely and encrypt files, appending the [.]cuba extension to each one.
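The appended extension described above is a simple detection opportunity for defenders: a burst of files on one host being renamed to end in `.cuba` within a short window is a strong indicator that encryption is under way. The script below is an added example written for this article, not code from the original page, from CISA/FBI or from any vendor. It parses constructed, simplified rename-event lines (`timestamp host old_path -> new_path`, not a real product's log format) and flags hosts that exceed an assumed threshold of such renames inside an assumed two-minute window.

```python
"""Flag hosts where many files are renamed to the .cuba extension in a short window.

Added example for this article, not code from the page or from CISA/FBI.
The log format is a constructed, simplified rename-event line
("timestamp host old_path -> new_path"), not any real product's format.
THRESHOLD and WINDOW are assumed tuning values, not values from the advisory.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RANSOM_EXT = ".cuba"           # extension the article reports being appended
THRESHOLD = 5                  # assumed: renames per host within WINDOW that trip an alert
WINDOW = timedelta(minutes=2)  # assumed detection window

# Constructed sample telemetry (not real events).
# WS-FIN-07 shows a burst of renames to .cuba; WS-HR-02 shows a single one;
# SRV-FILE-01 shows three spread over 40 minutes; one line is a benign rename.
SAMPLE_LOG = """\
2022-11-30T09:14:02Z WS-FIN-07 C:\\Users\\a.lee\\Documents\\q3.xlsx -> C:\\Users\\a.lee\\Documents\\q3.xlsx.cuba
2022-11-30T09:14:03Z WS-FIN-07 C:\\Users\\a.lee\\Documents\\plan.docx -> C:\\Users\\a.lee\\Documents\\plan.docx.cuba
2022-11-30T09:14:03Z WS-FIN-07 C:\\Users\\a.lee\\Pictures\\team.jpg -> C:\\Users\\a.lee\\Pictures\\team.jpg.cuba
2022-11-30T09:14:04Z WS-FIN-07 C:\\Users\\a.lee\\Desktop\\notes.txt -> C:\\Users\\a.lee\\Desktop\\notes.txt.cuba
2022-11-30T09:14:05Z WS-FIN-07 C:\\Users\\a.lee\\Desktop\\budget.pdf -> C:\\Users\\a.lee\\Desktop\\budget.pdf.cuba
2022-11-30T09:14:06Z WS-FIN-07 C:\\Users\\a.lee\\Desktop\\invoice.pdf -> C:\\Users\\a.lee\\Desktop\\invoice.pdf.cuba
2022-11-30T09:20:00Z WS-FIN-07 C:\\Users\\a.lee\\Desktop\\report.docx -> C:\\Users\\a.lee\\Desktop\\report_final.docx
2022-11-30T10:02:11Z WS-HR-02 C:\\Users\\b.kim\\Documents\\memo.docx -> C:\\Users\\b.kim\\Documents\\memo.docx.cuba
2022-11-30T11:00:00Z SRV-FILE-01 D:\\Shares\\a.txt -> D:\\Shares\\a.txt.cuba
2022-11-30T11:20:00Z SRV-FILE-01 D:\\Shares\\b.txt -> D:\\Shares\\b.txt.cuba
2022-11-30T11:40:00Z SRV-FILE-01 D:\\Shares\\c.txt -> D:\\Shares\\c.txt.cuba
"""


def parse_event(line):
    """Split one constructed rename line into (timestamp, host, old_path, new_path)."""
    ts, host, rest = line.split(" ", 2)
    old, new = rest.split(" -> ")
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), host, old, new


def detect_bulk_rename(log_text, ext=RANSOM_EXT, threshold=THRESHOLD, window=WINDOW):
    """Return {host: peak_count} for hosts with >= threshold renames to `ext`
    inside any single sliding window of length `window`."""
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, old, new = parse_event(line)
        # Count only renames that newly add the extension, not files already carrying it.
        if new.lower().endswith(ext) and not old.lower().endswith(ext):
            per_host[host].append(ts)

    alerts = {}
    for host, times in per_host.items():
        times.sort()
        start, peak = 0, 0
        # Sliding window: for each event, drop older events until the span fits in `window`.
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[host] = peak
    return alerts


if __name__ == "__main__":
    for host, count in detect_bulk_rename(SAMPLE_LOG).items():
        print(f"ALERT {host}: {count} files renamed to {RANSOM_EXT} within {WINDOW}")
```

Only `WS-FIN-07` trips the alert on the sample data: the single rename on `WS-HR-02` and the slow trickle on `SRV-FILE-01` stay below the burst threshold, which is the point of counting inside a window rather than in total. In a real deployment the same logic would run over file-rename telemetry from an EDR or Sysmon feed, and a hit should be treated as an active-encryption event that warrants immediate host isolation rather than a ticket.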
