CISA and the FBI have jointly issued an alert warning organizations about the rising number of attacks by the Cuba ransomware group. According to the advisory, the prolific ransomware gang has hit over 100 organizations around the world and collected over $60 million in ransom payments.
An earlier flash alert, released in December 2021, disclosed the threat actor's continuous attacks against U.S. entities across five critical sectors and ransom demands of up to $74 million.
Top highlights
The newly released joint advisory warns that Cuba ransomware attacks are targeting critical infrastructure, financial services, healthcare, information technology, and government services, among other industries.
This year, the ransomware actors updated their TTPs with new exploit kits and RATs.
A possible link between Cuba ransomware actors, RomCom RAT actors, and Industrial Spy ransomware actors was also established.
In addition to deploying ransomware, the actors also use double extortion techniques to demand ransom from victim organizations.
Attack methods
Known initial access techniques used by Cuba ransomware actors include phishing emails, compromised credentials, legitimate RDP tools, and exploitation of software vulnerabilities.
Vulnerabilities targeted in the recent attack campaigns include CVE-2022-24521 in the Windows Common Log File System (CLFS) driver and CVE-2020-1472 (Zerologon) in the Microsoft Netlogon process.
After gaining initial access, the actors distribute the ransomware on compromised systems through the Hancitor loader.
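Two of the initial access vectors named above, compromised credentials and legitimate RDP tools, leave a recognizable footprint in Windows Security logs: a burst of failed logons (event 4625) from one source followed by a successful logon (event 4624) with logon type 10 (RemoteInteractive, i.e. RDP). The following detection example is added here and is not part of the advisory or the article; the log format is a simplified, constructed key=value rendering of those events, and the threshold and time window are assumptions a defender would tune to their environment.

```python
"""Flag RDP logons that follow a burst of failed logons from the same source.

Added example (not from the CISA/FBI advisory). It assumes a simplified
key=value rendering of Windows Security events 4625 (failed logon) and
4624 (successful logon); LogonType 10 is RemoteInteractive (RDP).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, one per line: timestamp, event id, logon type,
# account name, source address. 203.0.113.7 sprays several accounts and then
# succeeds as jdoe; the other sources are benign.
SAMPLE_EVENTS = """\
2022-12-01T09:00:01 EventID=4624 LogonType=10 User=alice Src=10.0.0.5
2022-12-01T09:10:00 EventID=4625 LogonType=10 User=admin Src=203.0.113.7
2022-12-01T09:10:02 EventID=4625 LogonType=10 User=administrator Src=203.0.113.7
2022-12-01T09:10:04 EventID=4625 LogonType=10 User=backup Src=203.0.113.7
2022-12-01T09:10:06 EventID=4625 LogonType=10 User=svc_sql Src=203.0.113.7
2022-12-01T09:10:08 EventID=4625 LogonType=10 User=jdoe Src=203.0.113.7
2022-12-01T09:10:40 EventID=4624 LogonType=10 User=jdoe Src=203.0.113.7
2022-12-01T11:00:00 EventID=4625 LogonType=10 User=bob Src=10.0.0.9
2022-12-01T13:00:00 EventID=4624 LogonType=10 User=bob Src=10.0.0.9
"""


def parse_event(line):
    """Parse one constructed log line into a dict with a datetime 'time' key."""
    ts_str, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["time"] = datetime.fromisoformat(ts_str)
    return event


def find_suspicious_rdp_logons(lines, max_failures=5, window=timedelta(minutes=10)):
    """Return one alert per successful RDP logon (4624, LogonType 10) that was
    preceded, from the same source address, by at least `max_failures` failed
    logons (4625) inside `window`. Thresholds are assumed defaults."""
    recent_failures = defaultdict(deque)  # src -> timestamps of failed logons
    alerts = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        ev = parse_event(line)
        if ev.get("LogonType") != "10":
            continue  # only RemoteInteractive (RDP) logons are of interest here
        src, now = ev["Src"], ev["time"]
        failures = recent_failures[src]
        # Slide the window: discard failures older than `window`.
        while failures and now - failures[0] > window:
            failures.popleft()
        if ev["EventID"] == "4625":
            failures.append(now)
        elif ev["EventID"] == "4624":
            if len(failures) >= max_failures:
                alerts.append({
                    "time": now.isoformat(),
                    "user": ev["User"],
                    "src": src,
                    "failures_before": len(failures),
                })
            failures.clear()  # a success ends the current attempt sequence
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_rdp_logons(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

On the constructed sample this flags the jdoe logon from 203.0.113.7 (five failures in under a minute, then success) and ignores the single stale failure from 10.0.0.9. One caveat for production use: when Network Level Authentication is enabled, failed RDP attempts are commonly recorded with LogonType 3 rather than 10, so a real rule should count failures of both types against the same source.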
Conclusion
The FBI and CISA have made several recommendations to prevent attackers from using these common techniques to enter a network and deploy ransomware. A key recommendation is to keep all operating systems and software updated.