
Cuba Ransomware Is Back - With New Infection Techniques

New Variant Optimizes Execution, Minimizes Unintended System Behavior
More Cuba ransomware attacks are expected, likely with more updates to its malware. (Source: ISMG)

The Cuba ransomware group, which has previously targeted critical infrastructure organizations in the U.S., has updated its malware to "optimize" execution and "minimize" unintended system behavior, says security firm Trend Micro.


The threat group, which was inactive between November 2021 and April 2022, resurfaced with updated malware in April 2022, say researchers at Trend Micro and Elastic Security Labs.

Cuba ransomware victims and attack timeline listed on the group's dark web site (Source: Elastic Security Labs)

"Our monitoring showed that the malware authors seem to be pushing some updates to the current binary of a new variant. The samples we examined in March and April used BUGHATCH, a custom downloader that the malicious actor did not employ in previous variants specifically for the staging phase of the infection routine," Trend Micro's researchers say.

The New Variant

The Cuba ransomware group has previously deployed Hancitor malware, a loader known for dropping or executing stealers, such as remote access Trojans and other types of ransomware, according to a December 2021 FBI alert.

In April, the threat actor deployed the new variant against two Asian organizations, the Trend Micro researchers say. While the two variants don't appear to be too different in terms of functionality, the researchers say they "have reason to believe that the updates aim to optimize its execution, minimize unintended system behavior, and provide technical support to the ransomware victims if they choose to negotiate."

Trend Micro says attacks from the group are to be expected in the next few months, likely with more updates to its malware.

Additional Termination of Processes

A key change in the updated variant is that it terminates processes related to the MySQL database and Microsoft Exchange servers. Trend Micro did not immediately respond to Information Security Media Group's request for information about the impact of this change.

Processes and services that the Cuba ransomware's new variant seeks to terminate (Source: Trend Micro)

Additions in Safelist

Another key addition in the new malware variant is the expansion of safelisted directories and file extensions. The Cuba ransomware has listed 16 directories and seven extensions on its safelist, which prevents the ransomware or malware from encrypting these particular elements. Trend Micro did not immediately respond to ISMG's request for information about the purpose of this feature.

Directories and extensions that the Cuba ransomware does not encrypt (Source: Trend Micro)

New Ransom Note and Support

The third new feature is a changed ransom note. Cuba ransomware attack victims, Trend Micro says, can use a service called quTox to get technical support and negotiate ransom payments.

Malware Detection

To help detect the malware family used by Cuba, Elastic Security Labs has published YARA signatures and hunting queries for it.

Unlike Trend Micro's researchers, the Elastic Security Labs researchers believe that the Cuba ransomware group has continued to follow repetitive - albeit effective - tactics, techniques and procedures for "initial access, lateral movement, exfiltration, ransomware deployment and extortion." The Elastic researchers add that the threat group is likely to "target North American and European retailers and manufacturers for cryptocurrency payments."

The Elastic Security Labs researchers say the threat group also uses other custom downloaders and payloads - such as BUGHATCH, Meterpreter, Mimikatz and Cobalt Strike - for data harvesting. These payloads, they say, may also be used for data exfiltration as they all have "data movement capabilities."

Elastic Security Labs also maps the group's intrusions using a "diamond model."

Cuba ransomware group's "diamond model" of intrusion (Source: Elastic Security Labs)

The Industrial Spy Link

A separate report by Bleeping Computer suggests there may be a link between the Cuba ransomware group and the Industrial Spy marketplace used for the illicit sale of business data, intellectual property and trade secrets of top organizations. MalwareHunterTeam recently noticed that a new sample of the Industrial Spy malware appears more like a ransom note and less like an advertisement of its leak site.

Bleeping Computer's investigation found that the TOX ID and email address in Industrial Spy's ransom note were the same as those used by Cuba Ransomware on VirusTotal.

"While this does not 100% tie the two groups together, it's very possible that the Industrial Spy threat actors simply used Cuba's information while testing the creation of their ransomware," the report says.

About the Author

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.
