Cuba Ransomware Extorted Over $60 Million in Ransom Fees from More than 100 Entities

Dec 02, 2022 | Ravie Lakshmanan | Data Security / Incident Response

The threat actors behind Cuba (aka COLDDRAW) ransomware have received more than $60 million in ransom payments and compromised over 100 entities across the world as of August 2022.

In a new advisory shared by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), the agencies highlighted a “sharp increase in both the number of compromised U.S. entities and the ransom amounts.”

The ransomware crew, also known as Tropical Scorpius, has been observed targeting the financial services, government facilities, healthcare, critical manufacturing, and IT sectors, while expanding the tactics it uses to gain initial access and operate inside breached networks.

It’s worth noting that despite the name “Cuba,” there is no evidence to suggest that the actors have any connection or affiliation with the island country.

Initial access in these attacks comes through the exploitation of known security flaws, phishing, compromised credentials, and legitimate remote desktop protocol (RDP) tools, after which the ransomware is delivered via the Hancitor (aka Chanitor) loader.

Some of the flaws incorporated by Cuba into its toolset are as follows:

  • CVE-2022-24521 (CVSS score: 7.8) – An elevation of privilege vulnerability in Windows Common Log File System (CLFS) Driver
  • CVE-2020-1472 (CVSS score: 10.0) – An elevation of privilege vulnerability in Netlogon remote protocol (aka ZeroLogon)

“In addition to deploying ransomware, the actors have used ‘double extortion’ techniques, in which they exfiltrate victim data, and (1) demand a ransom payment to decrypt it and, (2) threaten to publicly release it if a ransom payment is not made,” CISA noted.

Cuba is also said to share links with the operators of RomCom RAT and another ransomware family called Industrial Spy, according to recent findings from BlackBerry and Palo Alto Networks Unit 42.
