{"id":119710,"date":"2021-04-06T10:00:03","date_gmt":"2021-04-06T17:00:03","guid":{"rendered":"\/blogs\/?p=119710"},"modified":"2024-06-25T02:21:33","modified_gmt":"2024-06-25T09:21:33","slug":"mcafee-defenders-blog-cuba-ransomware-campaign","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/mcafee-defenders-blog-cuba-ransomware-campaign\/","title":{"rendered":"McAfee Defender\u2019s Blog: Cuba Ransomware Campaign"},"content":{"rendered":"<h2>Cuba Ransomware Overview<\/h2>\n<p>Over the past year, we have seen ransomware attackers change the way they have responded to organizations that have either chosen to not pay the ransom or have recovered their data via some other means. At the end of the day, fighting ransomware has resulted in the bad actors\u2019 loss of revenue. Being the creative bunch they are, they have resorted to data dissemination if the ransom is not paid. This means that significant exposure could still exist for your organization, even if you were able to recover from the attack.<\/p>\n<p>Cuba ransomware, no newcomer to the game, has recently introduced this behavior.<\/p>\n<p>This blog is focused on how to build an adaptable security architecture to increase your resilience against these types of attacks and specifically, how McAfee\u2019s portfolio delivers the capability to prevent, detect and respond against the tactics and techniques used in the Cuba Ransomware Campaign.<\/p>\n<h2>Gathering Intelligence on Cuba Ransomware<\/h2>\n<p>As always, building adaptable defensive architecture starts with intelligence. In most organizations, the Security Operations team is responsible for threat intelligence analysis, as well as threat and incident response. McAfee Insights (<a href=\"https:\/\/www.mcafee.com\/enterprise\/en-us\/lp\/insights-dashboard.html\">https:\/\/www.mcafee.com\/enterprise\/en-us\/lp\/insights-dashboard1.html#<\/a>) is a great tool for the threat intel analyst and threat responder. 
The Insights Dashboard identifies prevalence and severity of emerging threats across the globe which enables the Security Operations Center (SOC) to prioritize threat response actions and gather relevant cyber threat intelligence (CTI) associated with the threat, in this case the Cuba ransomware campaign. The CTI is provided in the form of technical indicators of compromise (IOCs) as well as MITRE ATT&amp;CK framework tactics and techniques. As a threat intel analyst or responder you can drill down to gather more specific information on Cuba ransomware, such as prevalence and links to other sources of information. You can further drill down to gather more specific actionable intelligence such as indicators of compromise and tactics\/techniques aligned to the MITRE ATT&amp;CK framework.<\/p>\n<p>From the McAfee Advanced Threat Research (ATR) <a href=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/mcafee-atr-threat-report-a-quick-primer-on-cuba-ransomware\">blog<\/a>, you can see that Cuba ransomware leverages tactics and techniques common to other APT campaigns. Currently, the Initial Access vector is not known. It could very well be spear phishing, exploited system tools and signed binaries, or a multitude of other popular methods.<\/p>\n<h2>Defensive Architecture Overview<\/h2>\n<p>Today\u2019s digital enterprise is a hybrid environment of on-premise systems and cloud services with multiple entry points for attacks like Cuba ransomware. The work from home operating model forced by COVID-19 has only expanded the attack surface and increased risk for successful spear phishing attacks if organizations did not adapt their security posture and increase training for remote workers. Mitigating the risk of attacks like Cuba ransomware requires a security architecture with the right controls at the device, on the network and in security operations (SecOps). 
The Center for Internet Security (CIS) <a href=\"https:\/\/www.cisecurity.org\/controls\/cis-controls-list\/\">Top 20 Cyber Security Controls<\/a> provides a good guide to build that architecture. As indicated earlier, the exact entry vector used by Cuba ransomware is currently unknown, so what follows, here, are more generalized recommendations for protecting your enterprise.<\/p>\n<h2>Initial Access Stage Defensive Overview<\/h2>\n<p>According to Threat Intelligence and Research, the initial access for Cuba ransomware is not currently known. As attackers can leverage many popular techniques for initial access, it is best to validate efficacy on all layers of defenses. This includes user awareness training and response procedures, intelligence and behavior-based malware defenses on email systems, web proxy and endpoint systems, and finally SecOps playbooks for early detection and response against suspicious email attachments or other phishing techniques. The following chart summarizes the controls expected to have the most effect against initial stage techniques and the McAfee solutions to implement those controls where applicable.<\/p>\n<table width=\"623\">\n<tbody>\n<tr>\n<td width=\"92\"><strong>MITRE Tactic<\/strong><\/td>\n<td width=\"117\"><strong>MITRE Techniques<\/strong><\/td>\n<td width=\"180\"><strong>CSC Controls<\/strong><\/td>\n<td width=\"234\"><strong>McAfee Capability<\/strong><\/td>\n<\/tr>\n<tr>\n<td width=\"92\">Initial Access<\/td>\n<td width=\"117\">Spear Phishing Attachments (T1566.001)<\/td>\n<td width=\"180\"><strong>CSC 7<\/strong> \u2013 Email and Web Browser Protection<\/p>\n<p><strong>CSC 8<\/strong> \u2013 Malware Defenses<\/p>\n<p><strong>CSC 17<\/strong> \u2013 User Awareness<\/td>\n<td width=\"234\">Endpoint Security Platform 10.7, Threat Prevention, Adaptive Threat Protection,<\/p>\n<p>Web Gateway (MWG), Advanced Threat Defense, Web Gateway Cloud Service (WGCS)<\/td>\n<\/tr>\n<tr>\n<td width=\"92\">Initial Access<\/td>\n<td 
width=\"117\">Spear Phishing Link (T1566.002)<\/td>\n<td width=\"180\"><strong>CSC 7<\/strong> \u2013 Email and Web Browser Protection<\/p>\n<p><strong>CSC 8<\/strong> \u2013 Malware Defenses<\/p>\n<p><strong>CSC 17<\/strong> \u2013 User Awareness<\/td>\n<td width=\"234\">Endpoint Security Platform 10.7, Threat Prevention, Adaptive Threat Protection,<\/p>\n<p>Web Gateway (MWG), Advanced Threat Defense, Web Gateway Cloud Service (WGCS)<\/td>\n<\/tr>\n<tr>\n<td width=\"92\">Initial Access<\/td>\n<td width=\"117\">Spear Phishing (T1566.003) Service<\/td>\n<td width=\"180\"><strong>CSC 7<\/strong> \u2013 Email and Web Browser Protection<\/p>\n<p><strong>CSC 8<\/strong> \u2013 Malware Defenses<\/p>\n<p><strong>CSC 17<\/strong> \u2013 User Awareness<\/td>\n<td width=\"234\">Endpoint Security Platform 10.7, Threat Prevention, Adaptive Threat Protection,<\/p>\n<p>Web Gateway (MWG), Advanced Threat Defense, Web Gateway Cloud Service (WGCS)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>For additional information on how McAfee can protect against suspicious email attachments, review this additional blog post: <a href=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/mcafee-protects-against-suspicious-email-attachments\/\">https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/mcafee-protects-against-suspicious-email-attachments\/<\/a><\/p>\n<h2>Exploitation Stage Defensive Overview<\/h2>\n<p>The exploitation stage is where the attacker gains access to the target system. 
Protection against Cuba ransomware at this stage is heavily dependent on adaptable anti-malware on both end user devices and servers, restriction of application execution, and security operations tools like endpoint detection and response sensors.<\/p>\n<p>McAfee Endpoint Security 10.7 provides a defense in depth capability, including signatures and threat intelligence, to cover known bad indicators or programs, as well as machine-learning and behavior-based protection to reduce the attack surface against Cuba ransomware and detect new exploitation attack techniques. If the initial entry vector is a weaponized Word document with links to external template files on a remote server, for example, McAfee Threat Prevention and Adaptive Threat Protection modules protect against these techniques.<\/p>\n<p>The following chart summarizes the critical security controls expected to have the most effect against exploitation stage techniques and the McAfee solutions to implement those controls where applicable.<\/p>\n<table width=\"623\">\n<tbody>\n<tr>\n<td width=\"106\"><strong>MITRE Tactic<\/strong><\/td>\n<td width=\"124\"><strong>MITRE Techniques<\/strong><\/td>\n<td width=\"165\"><strong>CSC Controls<\/strong><\/td>\n<td width=\"228\"><strong>McAfee Portfolio Mitigation<\/strong><\/td>\n<\/tr>\n<tr>\n<td width=\"106\">Execution<\/td>\n<td width=\"124\">User Execution (T1204)<\/td>\n<td width=\"165\"><strong>CSC 5 <\/strong>Secure Configuration<\/p>\n<p><strong>CSC 8 <\/strong>Malware Defenses<\/p>\n<p><strong>CSC 17<\/strong> Security Awareness<\/td>\n<td width=\"228\">Endpoint Security Platform 10.7, Threat Prevention, Adaptive Threat Protection, Application Control (MAC), Web Gateway and Network Security Platform<\/td>\n<\/tr>\n<tr>\n<td width=\"106\">Execution<\/td>\n<td width=\"124\">Command and Scripting Interpreter (T1059)<\/p>\n<p>&nbsp;<\/td>\n<td width=\"165\"><strong>CSC 5 <\/strong>Secure Configuration<\/p>\n<p><strong>CSC 8 <\/strong>Malware 
Defenses<\/td>\n<td width=\"228\">Endpoint Security Platform 10.7, Threat Prevention, Adaptive Threat Protection, Application Control (MAC), MVISION EDR<\/td>\n<\/tr>\n<tr>\n<td width=\"106\">Execution<\/td>\n<td width=\"124\">Shared Modules (T1129)<\/td>\n<td width=\"165\"><strong>CSC 5 <\/strong>Secure Configuration<\/p>\n<p><strong>CSC 8 <\/strong>Malware Defenses<\/td>\n<td width=\"228\">Endpoint Security Platform 10.7, Threat Prevention, Adaptive Threat Protection, Application Control (MAC)<\/td>\n<\/tr>\n<tr>\n<td width=\"106\">Persistence<\/td>\n<td width=\"124\">Boot or Autologon Execution (T1547)<\/td>\n<td width=\"165\"><strong>CSC 5 <\/strong>Secure Configuration<\/p>\n<p><strong>CSC 8 <\/strong>Malware Defenses<\/td>\n<td width=\"228\">Endpoint Security Platform 10.7 Threat Prevention, MVISION EDR<\/td>\n<\/tr>\n<tr>\n<td width=\"106\">Defensive Evasion<\/td>\n<td width=\"124\">Template Injection (T1221)<\/td>\n<td width=\"165\"><strong>CSC 5 <\/strong>Secure Configuration<\/p>\n<p><strong>CSC 8 <\/strong>Malware Defenses<\/td>\n<td width=\"228\">Endpoint Security Platform 10.7, Threat Prevention, Adaptive Threat Protection, MVISION EDR<\/td>\n<\/tr>\n<tr>\n<td width=\"106\">Defensive Evasion<\/td>\n<td width=\"124\">Signed Binary Proxy Execution (T1218)<\/td>\n<td width=\"165\"><strong>CSC 4 <\/strong>Control Admin Privileges<\/p>\n<p><strong>CSC 5 <\/strong>Secure Configuration<\/p>\n<p><strong>CSC 8 <\/strong>Malware Defenses<\/td>\n<td width=\"228\">Endpoint Security Platform 10.7, Threat Prevention, Adaptive Threat Protection, Application Control, MVISION EDR<\/td>\n<\/tr>\n<tr>\n<td width=\"106\">Defensive Evasion<\/td>\n<td width=\"124\">Deobfuscate\/Decode Files or Information (T1027)<\/p>\n<p>&nbsp;<\/td>\n<td width=\"165\"><strong>CSC 5 <\/strong>Secure Configuration<\/p>\n<p><strong>CSC 8 <\/strong>Malware Defenses<\/td>\n<td width=\"228\">Endpoint Security Platform 10.7, Threat Prevention, Adaptive Threat Protection, MVISION 
EDR<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>For more information on how McAfee Endpoint Security 10.7 can prevent some of the techniques used in the Cuba ransomware exploit stage, review this additional blog post: <a href=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/mcafee-amsi-integration-protects-against-malicious-scripts\/\">https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/mcafee-amsi-integration-protects-against-malicious-scripts\/<\/a><\/p>\n<h2>Impact Stage Defensive Overview<\/h2>\n<p>The impact stage is where the attacker encrypts the target system, data and perhaps moves laterally to other systems on the network. Protection at this stage is heavily dependent on adaptable anti-malware on both end user devices and servers, network controls and security operation\u2019s capability to monitor logs for anomalies in privileged access or network traffic. The following chart summarizes the controls expected to have the most effect against impact stage techniques and the McAfee solutions to implement those controls where applicable:<\/p>\n<p>The public leak site of Cuba ransomware can be found via TOR: http:\/\/cuba4mp6ximo2zlo[.]onion\/<\/p>\n<table width=\"617\">\n<tbody>\n<tr>\n<td width=\"101\"><strong>MITRE Tactic<\/strong><\/td>\n<td width=\"126\"><strong>MITRE Techniques<\/strong><\/td>\n<td width=\"111\"><strong>CSC Controls<\/strong><\/td>\n<td width=\"279\"><strong>McAfee Portfolio Mitigation<\/strong><\/td>\n<\/tr>\n<tr>\n<td width=\"101\">Discovery<\/td>\n<td width=\"126\">Account Discovery (T1087)<\/td>\n<td width=\"111\"><strong>CSC 4 <\/strong>Control Use of Admin Privileges<\/p>\n<p><strong>CSC 5 <\/strong>Secure Configuration<\/p>\n<p><strong>CSC 6 <\/strong>Log Analysis<\/td>\n<td width=\"279\">MVISION EDR, MVISION Cloud, Cloud Workload Protection<\/td>\n<\/tr>\n<tr>\n<td width=\"101\">Discovery<\/td>\n<td width=\"126\">System Information Discovery (T1082)<\/td>\n<td width=\"111\"><strong>CSC 4 <\/strong>Control Use of 
Admin Privileges<\/p>\n<p><strong>CSC 5 <\/strong>Secure Configuration<\/p>\n<p><strong>CSC 6 <\/strong>Log Analysis<\/td>\n<td width=\"279\">MVISION EDR, MVISION Cloud, Cloud Workload Protection<\/td>\n<\/tr>\n<tr>\n<td width=\"101\">Discovery<\/td>\n<td width=\"126\">System Owner\/User Discovery (T1033)<\/td>\n<td width=\"111\"><strong>CSC 4 <\/strong>Control Use of Admin Privileges<\/p>\n<p><strong>CSC 5 <\/strong>Secure Configuration<\/p>\n<p><strong>CSC 6 <\/strong>Log Analysis<\/td>\n<td width=\"279\">MVISION EDR, MVISION Cloud, Cloud Workload Protection<\/td>\n<\/tr>\n<tr>\n<td width=\"101\">Command and Control<\/td>\n<td width=\"126\">Encrypted Channel (T1573)<\/td>\n<td width=\"111\"><strong>CSC 8 <\/strong>Malware Defenses<\/p>\n<p><strong>CSC 12 <\/strong>Boundary Defenses<\/td>\n<td width=\"279\">Web Gateway, Network Security Platform<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>&nbsp;<\/p>\n<h2>Hunting for Cuba Ransomware Indicators<\/h2>\n<p>As a threat intel analyst or hunter, you might want to quickly scan your systems for any indicators you received on Cuba ransomware. Of course, you can do that manually by downloading a list of indicators and searching with available tools. However, if you have MVISION EDR and Insights, you can do that right from the console, saving precious time. Hunting the attacker can be a game of inches so every second counts. 
Of course, if you found infected systems or systems with indicators, you can take action to contain and start an investigation for incident response immediately from the MVISION EDR console.<\/p>\n<p>In addition to these IOCs, YARA rules are available in our <a href=\"https:\/\/www.mcafee.com\/enterprise\/en-us\/assets\/reports\/rp-cuba-ransomware.pdf\">technical analysis of Cuba ransomware<\/a>.<\/p>\n<h2>IOCs:<\/h2>\n<p><strong>Files:<\/strong><\/p>\n<p>151.bat<\/p>\n<p>151.ps1<\/p>\n<p>Kurva.ps1<\/p>\n<p><strong>\u00a0<\/strong><\/p>\n<p><strong>Email addresses:<\/strong><\/p>\n<p>under_amur@protonmail[.]ch<\/p>\n<p>helpadmin2@cock[.]li<\/p>\n<p>helpadmin2@protonmail[.]com<\/p>\n<p>iracomp2@protonmail[.]ch<\/p>\n<p>fedelsupportagent@cock.li<\/p>\n<p>admin@cuba-supp.com<\/p>\n<p>cuba_support@exploit.im<\/p>\n<p>&nbsp;<\/p>\n<p><strong>Domain:<\/strong><\/p>\n<p>kurvalarva[.]com<\/p>\n<p>&nbsp;<\/p>\n<p><strong>Script for lateral movement and deployment:<\/strong><\/p>\n<p>54627975c0befee0075d6da1a53af9403f047d9e367389e48ae0d25c2a7154bc<\/p>\n<p>c385ef710cbdd8ba7759e084051f5742b6fa8a6b65340a9795f48d0a425fec61<\/p>\n<p>40101fb3629cdb7d53c3af19dea2b6245a8d8aa9f28febd052bb9d792cfbefa6<\/p>\n<p>&nbsp;<\/p>\n<p><strong>Cuba Ransomware:<\/strong><\/p>\n<p>c4b1f4e1ac9a28cc9e50195b29dde8bd54527abc7f4d16899f9f8315c852afd4<\/p>\n<p>944ee8789cc929d2efda5790669e5266fe80910cabf1050cbb3e57dc62de2040<br \/>\n78ce13d09d828fc8b06cf55f8247bac07379d0c8b8c8b1a6996c29163fa4b659<br \/>\n33352a38454cfc247bc7465bf177f5f97d7fd0bd220103d4422c8ec45b4d3d0e<\/p>\n<p>672fb249e520f4496e72021f887f8bb86fec5604317d8af3f0800d49aa157be1<br \/>\ne942a8bcb3d4a6f6df6a6522e4d5c58d25cdbe369ecda1356a66dacbd3945d30<\/p>\n<p>907f42a79192a016154f11927fbb1e6f661f679d68947bddc714f5acc4aa66eb<br \/>\n28140885cf794ffef27f5673ca64bd680fc0b8a469453d0310aea439f7e04e64<br \/>\n271ef3c1d022829f0b15f2471d05a28d4786abafd0a9e1e742bde3f6b36872ad<br 
\/>\n6396ea2ef48aa3d3a61fb2e1ca50ac3711c376ec2b67dbaf64eeba49f5dfa9df<\/p>\n<p>bda4bddcbd140e4012bab453e28a4fba86f16ac8983d7db391043eab627e9fa1<\/p>\n<p>7a17f344d916f7f0272b9480336fb05d33147b8be2e71c3261ea30a32d73fecb<\/p>\n<p>c206593d626e1f8b9c5d15b9b5ec16a298890e8bae61a232c2104cbac8d51bdd<\/p>\n<p>9882c2f5a95d7680626470f6c0d3609c7590eb552065f81ab41ffe074ea74e82<\/p>\n<p>c385ef710cbdd8ba7759e084051f5742b6fa8a6b65340a9795f48d0a425fec61<br \/>\n54627975c0befee0075d6da1a53af9403f047d9e367389e48ae0d25c2a7154bc<br \/>\n1f825ef9ff3e0bb80b7076ef19b837e927efea9db123d3b2b8ec15c8510da647<br \/>\n40101fb3629cdb7d53c3af19dea2b6245a8d8aa9f28febd052bb9d792cfbefa6<\/p>\n<p>00ddbe28a31cc91bd7b1989a9bebd43c4b5565aa0a9ed4e0ca2a5cfb290475ed<\/p>\n<p>729950ce621a4bc6579957eabb3d1668498c805738ee5e83b74d5edaf2f4cb9e<\/p>\n<p>&nbsp;<\/p>\n<h2>MITRE ATT&amp;CK Techniques:<\/h2>\n<table>\n<tbody>\n<tr>\n<td width=\"107\">Tactic<\/td>\n<td width=\"201\">Technique<\/td>\n<td width=\"161\">Observable<\/td>\n<td width=\"162\">IOCs<\/td>\n<\/tr>\n<tr>\n<td width=\"107\">Execution<\/td>\n<td width=\"201\">Command and Scripting Interpreter: PowerShell (T1059.001)<\/td>\n<td width=\"161\">Cuba team is using PowerShell payload to drop Cuba ransomware<\/td>\n<td width=\"162\">f739977004981fbe4a54bc68be18ea79<\/p>\n<p>68a99624f98b8cd956108fedcc44e07c<\/p>\n<p>bdeb5acc7b569c783f81499f400b2745<\/p>\n<p>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td width=\"107\">Execution<\/td>\n<td width=\"201\">System Services: Service Execution (T1569.002)<\/td>\n<td width=\"161\"><\/td>\n<td width=\"162\">&nbsp;<\/p>\n<p>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td width=\"107\">Execution<\/td>\n<td width=\"201\">Shared Modules (T1129)<\/td>\n<td width=\"161\">Cuba ransomware links function at runtime<\/td>\n<td width=\"162\">Functions:<\/p>\n<p>\u201cGetModuleHandle\u201d<\/p>\n<p>\u201cGetProcAddress\u201d<\/p>\n<p>\u201cGetModuleHandleEx\u201d<\/td>\n<\/tr>\n<tr>\n<td width=\"107\">Execution<\/td>\n<td width=\"201\">Command and Scripting 
Interpreter (T1059)<\/td>\n<td width=\"161\">Cuba ransomware accepts command line arguments<\/td>\n<td width=\"162\">Functions:<\/p>\n<p>\u201cGetCommandLine&#8221;<\/td>\n<\/tr>\n<tr>\n<td width=\"107\">Persistence<\/td>\n<td width=\"201\">Create or Modify System Process: Windows Service (T1543.003)<\/td>\n<td width=\"161\">Cuba ransomware can modify services<\/td>\n<td width=\"162\">Functions:<\/p>\n<p>\u201cOpenService\u201d<\/p>\n<p>\u201cChangeServiceConfig\u201d<\/td>\n<\/tr>\n<tr>\n<td width=\"107\">Privilege Escalation<\/td>\n<td width=\"201\">Access Token Manipulation (T1134)<\/td>\n<td width=\"161\">Cuba ransomware can adjust access privileges<\/td>\n<td width=\"162\">Functions:<\/p>\n<p>\u201cSeDebugPrivilege\u201d<\/p>\n<p>\u201cAdjustTokenPrivileges\u201d<\/p>\n<p>\u201cLookupPrivilegeValue\u201d<\/td>\n<\/tr>\n<tr>\n<td width=\"107\">Defense Evasion<\/td>\n<td width=\"201\">File and Directory Permissions Modification (T1222)<\/td>\n<td width=\"161\">Cuba ransomware will set file attributes<\/td>\n<td width=\"162\">Functions:<\/p>\n<p>\u201cSetFileAttributes\u201d<\/td>\n<\/tr>\n<tr>\n<td width=\"107\">Defense Evasion<\/td>\n<td width=\"201\">Obfuscated files or Information (T1027)<\/td>\n<td width=\"161\">Cuba ransomware is using xor algorithm to encode data<\/td>\n<td width=\"162\"><\/td>\n<\/tr>\n<tr>\n<td width=\"107\">Defense Evasion<\/td>\n<td width=\"201\">Virtualization\/Sandbox Evasion: System Checks<\/td>\n<td width=\"161\">Cuba ransomware executes anti-vm instructions<\/td>\n<td width=\"162\"><\/td>\n<\/tr>\n<tr>\n<td width=\"107\">Discovery<\/td>\n<td width=\"201\">File and Directory Discovery (T1083)<\/td>\n<td width=\"161\">Cuba ransomware enumerates files<\/td>\n<td width=\"162\">Functions:<\/p>\n<p>\u201cFindFirstFile\u201d<\/p>\n<p>\u201cFindNextFile\u201d<\/p>\n<p>\u201cFindClose\u201d<\/p>\n<p>\u201cFindFirstFileEx\u201d<\/p>\n<p>\u201cFindNextFileEx\u201d<\/p>\n<p>\u201cGetFileSizeEx\u201d<\/td>\n<\/tr>\n<tr>\n<td 
width=\"107\">Discovery<\/td>\n<td width=\"201\">Process Discovery (T1057)<\/td>\n<td width=\"161\">Cuba ransomware enumerates process modules<\/td>\n<td width=\"162\">Functions:<\/p>\n<p>\u201cK32EnumProcesses\u201d<\/td>\n<\/tr>\n<tr>\n<td width=\"107\">Discovery<\/td>\n<td width=\"201\">System Information Discovery (T1082)<\/td>\n<td width=\"161\">Cuba ransomware can get keyboard layout, enumerates disks, etc<\/td>\n<td width=\"162\">Functions:<\/p>\n<p>\u201cGetKeyboardLayoutList\u201d<\/p>\n<p>\u201cFindFirstVolume\u201d<\/p>\n<p>\u201cFindNextVolume\u201d<\/p>\n<p>\u201cGetVolumePathNamesForVolumeName\u201d<\/p>\n<p>\u201cGetDriveType\u201d<\/p>\n<p>\u201cGetLogicalDriveStrings\u201d<\/p>\n<p>\u201cGetDiskFreeSpaceEx\u201d<\/td>\n<\/tr>\n<tr>\n<td width=\"107\">Discovery<\/td>\n<td width=\"201\">System Service Discovery (T1007)<\/td>\n<td width=\"161\">Cuba ransomware can query service status<\/td>\n<td width=\"162\">Functions:<\/p>\n<p>\u201cQueryServiceStatusEx\u201d<\/td>\n<\/tr>\n<tr>\n<td width=\"107\">Collection<\/td>\n<td width=\"201\">Input Capture: Keylogging (T1056.001)<\/td>\n<td width=\"161\">Cuba ransomware logs keystrokes via polling<\/td>\n<td width=\"162\">Functions:<\/p>\n<p>\u201cGetKeyState\u201d<\/p>\n<p>\u201cVkKeyScan\u201d<\/td>\n<\/tr>\n<tr>\n<td width=\"107\">Impact<\/td>\n<td width=\"201\">Service Stop (T1489)<\/td>\n<td width=\"161\">Cuba ransomware can stop services<\/td>\n<td width=\"162\"><\/td>\n<\/tr>\n<tr>\n<td width=\"107\">Impact<\/td>\n<td width=\"201\">Data encrypted for Impact (T1486)<\/td>\n<td width=\"161\">Cuba ransomware encrypts data<\/td>\n<td width=\"162\"><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>&nbsp;<\/p>\n<h2>Proactively Detecting Cuba Ransomware Techniques<\/h2>\n<p>Many of the exploit stage techniques in this attack <strong><em>could<\/em><\/strong> use legitimate Windows processes and applications to either exploit or avoid detection. 
We discussed, above, how the Endpoint Protection Platform can disrupt weaponized documents but, by using MVISION EDR, you can get more visibility. As security analysts, we want to focus on suspicious techniques used by Initial Access, as this attack\u2019s Initial Access is unknown.<\/p>\n<h2>Monitoring or Reporting on Cuba Ransomware Events<\/h2>\n<p>Events from McAfee Endpoint Protection and McAfee MVISION EDR play a key role in Cuba ransomware incident and threat response. McAfee ePO centralizes event collection from all managed endpoint systems. As a threat responder, you may want to create a dashboard for Cuba ransomware-related threat events to understand your current exposure.<\/p>\n<h2>Summary<\/h2>\n<p>To defeat targeted threat campaigns, defenders must collaborate internally and externally to build an adaptive security architecture which will make it harder for threat actors to succeed and build resilience in the business. This blog highlights how to use McAfee\u2019s security solutions to prevent, detect and respond to Cuba ransomware and attackers using similar techniques.<\/p>\n<p>McAfee ATR is actively monitoring this campaign and will continue to update McAfee Insights and its social networking channels with new and current information. Want to stay ahead of the adversaries? 
Check out <a href=\"https:\/\/www.mcafee.com\/enterprise\/en-us\/products\/mvision-insights.html\">McAfee Insights<\/a> for more information.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cuba Ransomware Overview Over the past year, we have seen ransomware attackers change the way they have responded to organizations&#8230;<\/p>\n","protected":false},"author":1255,"featured_media":119758,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[],"coauthors":[7714],"class_list":["post-119710","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-mcafee-labs"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>McAfee Defender\u2019s Blog: Cuba Ransomware Campaign | McAfee Blog<\/title>\n<meta name=\"description\" content=\"Cuba Ransomware Overview Over the past year, we have seen ransomware attackers change the way they have responded to organizations that have either chosen\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"McAfee Defender\u2019s Blog: Cuba Ransomware Campaign | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"Cuba Ransomware Overview Over the past year, we have seen ransomware attackers change the way they have responded to organizations that have either chosen\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/mcafee-defenders-blog-cuba-ransomware-campaign\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta 
property=\"article:published_time\" content=\"2021-04-06T17:00:03+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-06-25T09:21:33+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/04\/Lock-e1617651225265.jpeg\" \/>\n\t<meta property=\"og:image:width\" content=\"618\" \/>\n\t<meta property=\"og:image:height\" content=\"348\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Colby Burkett\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@McAfee\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Colby Burkett\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"12 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/mcafee-defenders-blog-cuba-ransomware-campaign\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/mcafee-defenders-blog-cuba-ransomware-campaign\/\"},\"author\":{\"name\":\"Colby Burkett\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/44e52380b30d43439e2c136b3f3622ef\"},\"headline\":\"McAfee Defender\u2019s Blog: Cuba Ransomware 
Campaign\",\"datePublished\":\"2021-04-06T17:00:03+00:00\",\"dateModified\":\"2024-06-25T09:21:33+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/mcafee-defenders-blog-cuba-ransomware-campaign\/\"},\"wordCount\":2353,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/mcafee-defenders-blog-cuba-ransomware-campaign\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/04\/Lock-e1617651225265.jpeg\",\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/mcafee-defenders-blog-cuba-ransomware-campaign\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/mcafee-defenders-blog-cuba-ransomware-campaign\/\",\"name\":\"McAfee Defender\u2019s Blog: Cuba Ransomware Campaign | McAfee Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/mcafee-defenders-blog-cuba-ransomware-campaign\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/mcafee-defenders-blog-cuba-ransomware-campaign\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/04\/Lock-e1617651225265.jpeg\",\"datePublished\":\"2021-04-06T17:00:03+00:00\",\"dateModified\":\"2024-06-25T09:21:33+00:00\",\"description\":\"Cuba Ransomware Overview Over the past year, we have seen ransomware attackers change the way they have responded to organizations that have either 
chosen\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/mcafee-defenders-blog-cuba-ransomware-campaign\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/mcafee-defenders-blog-cuba-ransomware-campaign\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/mcafee-defenders-blog-cuba-ransomware-campaign\/#primaryimage\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/04\/Lock-e1617651225265.jpeg\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/04\/Lock-e1617651225265.jpeg\",\"width\":618,\"height\":348},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/mcafee-defenders-blog-cuba-ransomware-campaign\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"McAfee Defender\u2019s Blog: Cuba Ransomware Campaign\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security 
News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/44e52380b30d43439e2c136b3f3622ef\",\"name\":\"Colby Burkett\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/f55212b598425b99f82ba76f78b914fc\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/04\/colby2_small-96x96.jpg\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/04\/colby2_small-96x96.jpg\",\"caption\":\"Colby Burkett\"},\"description\":\"Colby Burkett is an XDR Architect at McAfee. He came to McAfee just over 10 years ago from one of our customers. His original focus was in the endpoint\/device security space and has expanded over time. 
He has spent time as an SE, Regional Specialist, ETS\/ATS, and even a brief stint as our Endpoint Technical Director. Most recently, he has focused on the topics of digital forensics and incident response. Colby has been spending a great deal of time with our current and potential MVISION EDR customers and has received accolades from our customers over the years. Colby is a GIAC Certified Forensics Analyst (GCFA) and holds several Microsoft certifications including Azure and his MCSE.\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/colby-burkett\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"McAfee Defender\u2019s Blog: Cuba Ransomware Campaign | McAfee Blog","description":"Cuba Ransomware Overview Over the past year, we have seen ransomware attackers change the way they have responded to organizations that have either chosen","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"McAfee Defender\u2019s Blog: Cuba Ransomware Campaign | McAfee Blog","og_description":"Cuba Ransomware Overview Over the past year, we have seen ransomware attackers change the way they have responded to organizations that have either chosen","og_url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/mcafee-defenders-blog-cuba-ransomware-campaign\/","og_site_name":"McAfee Blog","article_publisher":"https:\/\/www.facebook.com\/McAfee\/","article_published_time":"2021-04-06T17:00:03+00:00","article_modified_time":"2024-06-25T09:21:33+00:00","og_image":[{"width":618,"height":348,"url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/04\/Lock-e1617651225265.jpeg","type":"image\/jpeg"}],"author":"Colby Burkett","twitter_card":"summary_large_image","twitter_creator":"@McAfee","twitter_site":"@McAfee","twitter_misc":{"Written by":"Colby Burkett","Est. 
reading time":"12 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/mcafee-defenders-blog-cuba-ransomware-campaign\/#article","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/mcafee-defenders-blog-cuba-ransomware-campaign\/"},"author":{"name":"Colby Burkett","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/44e52380b30d43439e2c136b3f3622ef"},"headline":"McAfee Defender\u2019s Blog: Cuba Ransomware Campaign","datePublished":"2021-04-06T17:00:03+00:00","dateModified":"2024-06-25T09:21:33+00:00","mainEntityOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/mcafee-defenders-blog-cuba-ransomware-campaign\/"},"wordCount":2353,"publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/mcafee-defenders-blog-cuba-ransomware-campaign\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/04\/Lock-e1617651225265.jpeg","articleSection":["McAfee Labs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/mcafee-defenders-blog-cuba-ransomware-campaign\/","url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/mcafee-defenders-blog-cuba-ransomware-campaign\/","name":"McAfee Defender\u2019s Blog: Cuba Ransomware Campaign | McAfee 
Blog","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/mcafee-defenders-blog-cuba-ransomware-campaign\/#primaryimage"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/mcafee-defenders-blog-cuba-ransomware-campaign\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/04\/Lock-e1617651225265.jpeg","datePublished":"2021-04-06T17:00:03+00:00","dateModified":"2024-06-25T09:21:33+00:00","description":"Cuba Ransomware Overview Over the past year, we have seen ransomware attackers change the way they have responded to organizations that have either chosen","breadcrumb":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/mcafee-defenders-blog-cuba-ransomware-campaign\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/mcafee-defenders-blog-cuba-ransomware-campaign\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/mcafee-defenders-blog-cuba-ransomware-campaign\/#primaryimage","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/04\/Lock-e1617651225265.jpeg","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/04\/Lock-e1617651225265.jpeg","width":618,"height":348},{"@type":"BreadcrumbList","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/mcafee-defenders-blog-cuba-ransomware-campaign\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.mcafee.com\/blogs\/"},{"@type":"ListItem","position":2,"name":"Other Blogs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/"},{"@type":"ListItem","position":3,"name":"McAfee Labs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/"},{"@type":"ListItem","position":4,"name":"McAfee 
Defender\u2019s Blog: Cuba Ransomware Campaign"}]},{"@type":"WebSite","@id":"https:\/\/www.mcafee.com\/blogs\/#website","url":"https:\/\/www.mcafee.com\/blogs\/","name":"McAfee Blog","description":"Internet Security News","publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.mcafee.com\/blogs\/#organization","name":"McAfee","url":"https:\/\/www.mcafee.com\/blogs\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","width":1286,"height":336,"caption":"McAfee"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.youtube.com\/McAfee"]},{"@type":"Person","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/44e52380b30d43439e2c136b3f3622ef","name":"Colby Burkett","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/f55212b598425b99f82ba76f78b914fc","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/04\/colby2_small-96x96.jpg","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/04\/colby2_small-96x96.jpg","caption":"Colby Burkett"},"description":"Colby Burkett is an XDR Architect at McAfee. He came to McAfee just over 10 years ago from one of our customers. 
His original focus was in the endpoint\/device security space and has expanded over time. He has spent time as an SE, Regional Specialist, ETS\/ATS, and even a brief stint as our Endpoint Technical Director. Most recently, he has focused on the topics of digital forensics and incident response. Colby has been spending a great deal of time with our current and potential MVISION EDR customers and has received accolades from our customers over the years. Colby is a GIAC Certified Forensics Analyst (GCFA) and holds several Microsoft certifications including Azure and his MCSE.","url":"https:\/\/www.mcafee.com\/blogs\/author\/colby-burkett\/"}]}},"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/119710","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/1255"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=119710"}],"version-history":[{"count":2,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/119710\/revisions"}],"predecessor-version":[{"id":195267,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/119710\/revisions\/195267"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media\/119758"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=119710"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=119710"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=119710"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=119710"}],"curies":[{"
name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}