The US FBI said that the operators of the Cuba ransomware have earned at least $43.9 million from ransom payments following attacks carried out this year.
The Cuba gang has “compromised at least 49 entities in five critical infrastructure sectors, including but not limited to the financial, government, healthcare, manufacturing, and information technology sectors.”
The FBI said it traced attacks with the Cuba ransomware to systems infected with Hancitor, a malware operation that uses phishing emails, Microsoft Exchange vulnerabilities, compromised credentials, or RDP brute-forcing tools to gain access to vulnerable Windows systems.
Once systems are added to their botnet, Hancitor operators rent access to these systems to other criminal gangs in a classic Malware-as-a-Service model.
The report highlights what appears to be a new partnership between MaaS providers and ransomware gangs after other ransomware operations struck similar partnerships throughout 2020.
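The Hancitor access vectors listed above include RDP brute-forcing, which leaves a clear trail in Windows Security logs (Event ID 4625 failed logons with LogonType 10). The following is an added detection example, not code from the FBI alert or from any vendor: it parses a constructed, simplified one-line-per-event log (a hypothetical format chosen for readability, not the native EVTX layout), flags source IPs that exceed a failure threshold inside a sliding window, and separately reports any flagged source that later achieved a successful RDP logon (Event ID 4624), since that pattern suggests a credential was guessed rather than merely attempted. The threshold and window values are assumptions to tune per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in a simplified one-line-per-event format. Field meanings follow
# Windows Security log semantics: 4625 = failed logon, 4624 = successful logon,
# LogonType 10 = RemoteInteractive (RDP). Illustrative records, not telemetry from the alert.
SAMPLE_LOG = """\
2021-12-01T08:00:01 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2021-12-01T08:00:04 EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.7
2021-12-01T08:00:09 EventID=4625 LogonType=10 TargetUser=backup SourceIP=203.0.113.7
2021-12-01T08:00:13 EventID=4625 LogonType=10 TargetUser=sqlsvc SourceIP=203.0.113.7
2021-12-01T08:00:18 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=203.0.113.7
2021-12-01T08:00:22 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=203.0.113.7
2021-12-01T08:00:40 EventID=4624 LogonType=10 TargetUser=jsmith SourceIP=203.0.113.7
2021-12-01T08:05:00 EventID=4625 LogonType=10 TargetUser=mlee SourceIP=198.51.100.20
2021-12-01T08:12:30 EventID=4625 LogonType=10 TargetUser=mlee SourceIP=198.51.100.20
2021-12-01T08:12:45 EventID=4624 LogonType=10 TargetUser=mlee SourceIP=198.51.100.20
2021-12-01T08:20:00 EventID=4625 LogonType=3 TargetUser=svc_share SourceIP=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$"
)


def parse_events(text):
    """Parse the simplified log format into a list of event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than failing the whole batch
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "eid": int(m["eid"]),
            "lt": int(m["lt"]),
            "user": m["user"],
            "ip": m["ip"],
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Flag source IPs with >= threshold failed RDP logons inside a sliding time window.

    Returns {ip: {"count", "distinct_users", "first_flagged"}}: count is the largest
    number of failures seen in any window, distinct_users the number of different
    accounts tried in that window (many accounts, few tries each, suggests spraying).
    """
    recent = defaultdict(deque)  # ip -> deque of (timestamp, user) still inside the window
    flagged = {}
    for ev in events:
        if ev["eid"] != 4625 or ev["lt"] != 10:
            continue  # only failed RemoteInteractive logons are relevant here
        q = recent[ev["ip"]]
        q.append((ev["ts"], ev["user"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()  # drop failures that have aged out of the window
        if len(q) >= threshold:
            entry = flagged.setdefault(
                ev["ip"], {"count": 0, "distinct_users": 0, "first_flagged": ev["ts"]}
            )
            entry["count"] = max(entry["count"], len(q))
            entry["distinct_users"] = max(entry["distinct_users"], len({u for _, u in q}))
    return flagged


def successful_logon_after_burst(events, flagged):
    """Return flagged IPs that later achieved a successful RDP logon (4624, LogonType 10)."""
    hits = []
    for ip, info in flagged.items():
        if any(ev["eid"] == 4624 and ev["lt"] == 10 and ev["ip"] == ip
               and ev["ts"] > info["first_flagged"] for ev in events):
            hits.append(ip)
    return sorted(hits)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    flagged = detect_rdp_bruteforce(evs)
    for ip, info in flagged.items():
        print(f"{ip}: {info['count']} failed RDP logons, {info['distinct_users']} accounts tried, "
              f"first flagged {info['first_flagged']}")
    for ip in successful_logon_after_burst(evs, flagged):
        print(f"{ip}: successful RDP logon after the burst; treat the account as compromised")
```

On the sample data only 203.0.113.7 is flagged (six failures across five accounts in about twenty seconds, then a success), while 198.51.100.20 (two failures seven minutes apart) and the LogonType 3 network logon are ignored. In production the same two-stage logic maps onto a SIEM query: the burst detection is a low-severity alert, and burst followed by success from the same source should page someone.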
Cuba is also one of the ransomware groups that steal sensitive files from compromised entities before encrypting them. If the ransom is not paid, the Cuba group threatens to dump the stolen files on a website it has been operating on the dark web since January this year.
The FBI said that the $43.9 million figure represents actual victim payments and that the group demanded more than $74 million from victims, some of whom refused to pay. The figure falls within the usual range of ransomware revenues reported so far:
- Darkside – $90 million between October 2020 and May 2021.
- Maze/Egregor – $75 million
- Ryuk – $150 million
- REvil – $123 million in 2020
- Netwalker – $25 million between March and July 2020
- Conti – $25.5 million between July and November 2021
Indicators of Compromise