[MART] - Daily Diary #405 - Cuba Ransomware Group Compromised 49 USA Entities

CTAS-MAT ctas-mat at appgate.com
Mon Dec 6 21:47:55 UTC 2021


I hope everyone is doing well!

Below is the entry for today.

12/06/2021 - Diary entry #405:

Cuba Ransomware, monitored by our team's RansomTracker, has compromised 49 USA entities in five critical infrastructure sectors as of early November 2021, said the FBI. The ransomware is delivered through Hancitor Malware-as-a-Service (RaaS), a loader known for dropping or executing stealers, such as RATs and other types of ransomware. Hancitor is distributed via phishing, Microsoft Exchange vulnerabilities, compromised credentials, and/or RDP brute-force attacks.

As soon as they breach a victim's network, the threat actors use legitimate Windows binaries, known as LOLBins (Living off the Land Binaries), such as PowerShell, PsExec, and others. The objective is to hide malicious activity since they are legitimate system tools. Next, they leverage Windows Admin privileges to deploy their ransomware and other processes remotely like CobaltStrike as a backdoor and Mimikatz to steal credentials.

Finally, Cuba ransomware compromises a victim's network by encrypting targeted files with the ".cuba" extension and dropping a ransom note to negotiate with them via email. Cuba ransomware actors have demanded at least US $74 million and received at least US $43.9 million in ransom payments.

Kind Regards,


[https://d3aafpijpsak2t.cloudfront.net/images/Signature/likedin@2x.png]<https://www.linkedin.com/company/appgate-security/>     [https://d3aafpijpsak2t.cloudfront.net/images/Signature/twitter@2x.png] <https://twitter.com/AppgateSecurity>   [https://d3aafpijpsak2t.cloudfront.net/images/Signature/youtube@2x.png] <https://www.youtube.com/channel/UC-8GvxcZbm-R3EJNl8jYjiQ>

Felipe Tarijon de Almeida
Malware Analyst

E: felipe.tarijon at appgate.com<mailto:felipe.tarijon at appgate.com>
O: +55 11 97467 9549

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.immunityinc.com/pipermail/mart/attachments/20211206/e6761014/attachment.htm>

More information about the MART mailing list