The US government has issued an alert about the Cuba ransomware gang, which continues to profit from its attacks.
The threat actors have hit more than 100 organizations worldwide, demanding over $145 million in payments and successfully extorting at least $60 million since August.
Researchers have identified possible links between the Cuba ransomware operators and the groups behind the RomCom remote access trojan and the Industrial Spy ransomware.
The Cuba gang continues to target critical infrastructure sectors, including financial services, government, healthcare and public health, critical manufacturing, and IT.
The Cuba ransomware operators tend to use known bugs in commercial software, phishing emails, compromised credentials, and remote desktop protocol tools to gain initial access to their victims’ networks. Once in, they distribute ransomware across compromised systems via Hancitor, a loader that can drop or execute other software nasties, including RATs.
The known bugs they exploit include CVE-2022-24521 in the Windows CLFS driver, used to steal system tokens and elevate privileges, and CVE-2020-1472, aka ZeroLogon, used to gain domain administrator privileges.
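As an added defender-side example (not from the advisory or the gang's tooling), the check below flags the Windows Security event pattern commonly associated with ZeroLogon exploitation: a computer-account change (Event ID 4742) on a domain controller made by an anonymous subject. The event records are constructed samples, and the field names assume the standard Security log schema.

```python
# Constructed sample Security events (not real telemetry) in the shape of
# Windows Security log fields. A successful CVE-2020-1472 exploit resets the
# domain controller's machine-account password over an unauthenticated
# Netlogon call, which typically surfaces as 4742 with ANONYMOUS LOGON.
SAMPLE_EVENTS = [
    {"EventID": 4742, "SubjectUserName": "ANONYMOUS LOGON",
     "TargetUserName": "DC01$", "Computer": "DC01.corp.example"},
    {"EventID": 4742, "SubjectUserName": "svc-deploy",
     "TargetUserName": "WS042$", "Computer": "DC01.corp.example"},
    {"EventID": 4624, "SubjectUserName": "-",
     "TargetUserName": "jdoe", "Computer": "WS042.corp.example"},
    {"EventID": 4742, "SubjectUserName": "ANONYMOUS LOGON",
     "TargetUserName": "jdoe", "Computer": "DC01.corp.example"},
]


def is_zerologon_indicator(event):
    """True for a 4742 (computer account changed) where the subject is the
    anonymous identity and the target is a machine account (name ends in $).
    Legitimate machine-password rotations are performed by the machine
    itself or by an authenticated admin, not by ANONYMOUS LOGON."""
    return (
        event.get("EventID") == 4742
        and str(event.get("SubjectUserName", "")).upper() == "ANONYMOUS LOGON"
        and str(event.get("TargetUserName", "")).endswith("$")
    )


def find_zerologon_indicators(events):
    """Return (computer, target account) pairs worth escalating; a hit on a
    domain controller's own account is the highest-priority case, since the
    advisory describes ZeroLogon being used to reach domain admin."""
    return [
        (event["Computer"], event["TargetUserName"])
        for event in events
        if is_zerologon_indicator(event)
    ]


if __name__ == "__main__":
    for host, account in find_zerologon_indicators(SAMPLE_EVENTS):
        print(f"possible ZeroLogon password reset of {account} on {host}")
```

Pair this with Netlogon denial events (IDs 5827-5829) once secure RPC enforcement is enabled, so that blocked vulnerable connections are visible as well as successful resets.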