{"id":117889,"date":"2021-04-06T10:00:47","date_gmt":"2021-04-06T17:00:47","guid":{"rendered":"\/blogs\/?p=117889"},"modified":"2025-03-31T19:52:37","modified_gmt":"2025-04-01T02:52:37","slug":"mcafee-atr-threat-report-a-quick-primer-on-cuba-ransomware","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/mcafee-atr-threat-report-a-quick-primer-on-cuba-ransomware\/","title":{"rendered":"McAfee ATR Threat Report: A Quick Primer on Cuba Ransomware"},"content":{"rendered":"

Executive Summary<\/span>\u00a0<\/span><\/h2>\n

Cuba ransomware is an older ransomware<\/span>, that has recently undergone some development.\u00a0<\/span>The actors<\/span>\u00a0have incorporated the\u00a0<\/span>leak<\/span>ing<\/span>\u00a0<\/span>of victim\u00a0<\/span>data to increase\u00a0<\/span>its<\/span>\u00a0impact and revenue<\/span>, much like we have seen recently with<\/span>\u00a0other major ransomware campaigns.<\/span>\u00a0<\/span><\/p>\n

In our analysis, we observed that the attackers had access to the network before the infection and were able to collect specific information in order to orchestrate the attack and have the greatest impact. The attackers operate using a set of PowerShell scripts\u00a0<\/span>that enables them<\/span>\u00a0to move laterally. The ransom note mentions that the data was exfiltrated before\u00a0<\/span>it was<\/span>\u00a0encrypt<\/span>ed<\/span>. In similar attack<\/span>s<\/span>\u00a0we\u00a0<\/span>have\u00a0<\/span>observed the use of\u00a0<\/span>a\u00a0<\/span>Cobalt Strike payload<\/span>,<\/span>\u00a0although we\u00a0<\/span>have<\/span>\u00a0not\u00a0<\/span>found<\/span>\u00a0clear evidence<\/span>\u00a0of\u00a0<\/span>a<\/span>\u00a0relation<\/span>ship<\/span>\u00a0with Cuba\u00a0<\/span>r<\/span>ansomware.<\/span>\u00a0<\/span><\/p>\n

We observed Cuba ransomware targeting financial institutions, industry, technology\u00a0<\/span>and<\/span>\u00a0logistics organizations.\u00a0<\/span>\u00a0<\/span><\/p>\n

The following picture shows an overview of the\u00a0<\/span>countr<\/span>ies<\/span>\u00a0that have been impacted according to our telemetry.\u00a0<\/span>\u00a0<\/span><\/p>\n

Coverage and Protection Advice<\/span>\u00a0<\/span><\/h2>\n

Defenders should be on the lookout for traces and behaviours that correlate to\u00a0<\/span>open source<\/span>\u00a0pen test tools such as\u00a0<\/span>winPEAS<\/span>,\u00a0<\/span>Lazagne<\/span>, Bloodhound and Sharp Hound, or hacking frameworks like Cobalt Strike, Metasploit, Empire or Covenant, as well as abnormal\u00a0<\/span>behavior<\/span>\u00a0of non-malicious tools that have a dual use. These seemingly legitimate tools (e.g.,\u00a0<\/span>ADfind<\/span>,\u00a0<\/span>PSExec<\/span>, PowerShell, etc.) can be used for things like enumeration and execution. Subsequently, be on the lookout for abnormal usage of Windows Management Instrumentation WMIC (T1047). We advise everyone to check out the following blogs on evidence indicators for a targeted ransomware attack (<\/span>Part1<\/span><\/a>,\u00a0<\/span>Part2<\/span><\/a>).\u00a0<\/span>\u00a0<\/span><\/p>\n

Looking at other similar Ransomware-as-a-Service families we have seen that certain entry vectors are quite common among ransomware criminals:<\/span>\u00a0<\/span><\/p>\n