As of August 2022, the cybercriminals behind the Cuba (also known as COLDDRAW) ransomware had collected over $60 million in extortion payments from over 100 victims around the world.
The Federal Bureau of Investigation and the United States Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint alert in which they note a “sharp spike in both the number of compromised U.S. companies and the ransom amounts.”
The ransomware group tracked as Tropical Scorpius has been observed expanding its techniques for gaining initial access and moving within compromised networks, while targeting the financial services, government facilities, healthcare, critical manufacturing, and information technology sectors.
It should be noted that there is no proof that the actors have any link or affiliation with the island nation of Cuba, despite the title.
The Hancitor (aka Chanitor) loader is used to distribute the ransomware once the attackers have gained access through a variety of methods, including but not limited to phishing, compromised credentials, and legitimate remote desktop protocol (RDP) tools.
Cuba has also added a number of known vulnerabilities to its arsenal, including the following:
- CVE-2022-24521 (CVSS score: 7.8) – An elevation of privilege vulnerability in Windows Common Log File System (CLFS) Driver
- CVE-2020-1472 (CVSS score: 10.0) – An elevation of privilege vulnerability in Netlogon remote protocol (aka ZeroLogon)
It was noted by CISA that the attackers “have deployed ‘double extortion’ techniques, in which they exfiltrate victim data, (1) demand a ransom payment to decrypt it, and (2) threaten to publicly disseminate it if a ransom payment is not made.”
Recent research by BlackBerry and Palo Alto Networks Unit 42 suggests that the criminals behind the RomCom RAT and another ransomware family known as Industrial Spy share connections with the Cuba ransomware operators.
Trojanized versions of legitimate software, such as SolarWinds Network Performance Monitor, KeePass, PDF Reader Pro, Advanced IP Scanner, pdfFiller, and Veeam Backup & Replication, are used to spread the RomCom RAT.
The CISA and FBI caution is the latest in a string of warnings concerning various types of ransomware. Previous notifications have covered MedusaLocker, Zeppelin, Vice Society, Daixin Team, and Hive.