Researchers have published research into the activities of the notorious ransomware group known as Cuba, which targets organizations worldwide across various industries.
The group has changed names several times since its inception. It has used the following aliases:
- Tropical Scorpius
Back in December 2022, researchers detected a suspicious incident on a client’s system. This initial discovery unearthed three mysterious files that led to the loading of the komar65 library, also referred to as BUGHATCH.
BUGHATCH is a sophisticated backdoor that operates in process memory and connects to a C2 server to receive instructions. This malware can download tools such as Cobalt Strike Beacon and Metasploit, and its use of vulnerabilities in the Veeam backup software strongly suggests Cuba’s involvement.
The investigation also revealed the presence of Russian-speaking members within the group, indicated by references to the “komar” folder, which translates to “mosquito” in Russian. The group has further enhanced the malware’s capabilities with additional modules, including one responsible for collecting and sending system information to a server via HTTP POST requests.
Another piece of malware attributed to Cuba, known as BURNTCIGAR, which incorporates encrypted data to evade antivirus detection, was also identified.
Cuba, a single-file ransomware strain, operates without additional libraries, making it challenging to detect. Despite its prolonged presence in the cybersecurity spotlight, Cuba remains dynamic and constantly refines its techniques, including data encryption and tailored attacks to extract sensitive information.
Four extortion models exist today, distinguished by the tools used to pressure the victim.
- Single extortion: encrypting data and demanding a ransom just for decryption.
- Double extortion: besides encrypting, attackers steal sensitive information. They threaten to both withhold the encryption key and publish the stolen information online unless the victim pays up. This is the most popular model among ransomware gangs today.
- Triple extortion: adding a threat to expose the victim’s internal infrastructure to DDoS attacks.
- The fourth model is the least common, as it implies maximum pressure and is thus more costly. It adds spreading news of the breach to the victim’s investors, shareholders, and customers.
Researchers emphasized the importance of staying informed and proactive against evolving cyber-threats and encouraged organizations to follow best practices to safeguard against ransomware.
This research was conducted and documented by researchers from Kaspersky.
Indicators of Compromise