[MART] - Daily Diary #571 - Cuba Ransomware and Tropical Scorpius Group

ctas-mat at appgate.com
Wed Aug 10 20:06:42 UTC 2022


I hope everyone is doing well!

Below is the entry for today.

08/10/2022 - Diary entry #571:

First covered in our Daily Diary #405, Cuba Ransomware appeared in late 2019 and was initially distributed via Hancitor, a Malware-as-a-Service loader. The ransomware later evolved and gained a wall-of-shame blog on which the operators expose compromised organizations.

Operating in the double-extortion model (stealing data before encrypting it, then threatening to publish the data if the ransom is not paid), Cuba Ransomware is one of the many "tools" used by the threat actors who created it, the Tropical Scorpius group.

The Tropical Scorpius APT group is constantly improving its toolkit to infect further organizations. From recent attacks, we know that Tropical Scorpius uses legitimate certificates (such as the ones leaked by the LAPSUS$ group) to sign a kernel driver used for terminating the processes of security products. Besides that, the actors use a variety of tools to exploit known privilege escalation vulnerabilities, extract credentials and perform lateral movement within the infected network. Tropical Scorpius's recent attacks also rely on ROMCOM RAT, a new malware that handles C2 communications via ICMP requests and is capable of deploying additional threats, such as Cuba Ransomware.

Although Cuba Ransomware is not one of the most active ransomware groups nowadays, they are definitely dangerous. In 2021, Cuba Ransomware compromised 49 US entities across five critical infrastructure sectors, receiving more than US $40 million in ransom payments.

Kind Regards,

Felipe Tarijon de Almeida
Malware Analyst

E: felipe.tarijon at appgate.com<mailto:felipe.tarijon at appgate.com>
