Cuba Ransomware is Back With an Updated Encryptor

Diving into details

• The samples from that period used a custom downloader, named BUGHATCH, which has not been used in previous attacks.
• Another strain surfaced in late April, which targeted two organizations in Asia. 
• While the updates have not been anything drastic, they come with additional functionalities such as optimized execution, reduced unintended system behavior, and tech support for victims to negotiate ransoms. 
• The latest variants can terminate MySQL, MySQL80, MSDTC, SQLSERVERAGENT, outlook.exe, MSExchangeUM, and sqlservr.exe, among others.
• Another notable update includes an extension of the safelisted directories and file extensions that will not be encrypted.

Variant comparison

• The April variant when compared to the older ones revealed that the former only retained two commands from the latter. They are directory- and location-related phrases.  
• While the ransom note texts vary in the March and April samples, the onion site in them remains the same. 
• The latest ransom note threatens double-extortion, while the March variant did not have any explicit threats of publishing stolen data. 

Some ransomware stats your way

• The first quarter of the year witnessed more than 150 networks accessed in ransomware attacks by BlackCat, BlackByte, and Quantum. 
• Since the beginning of 2022, 48 government organizations across 21 nations have been targeted by 13 distinct ransomware actors. 
• The SideWinder APT group has launched more than 1,000 attacks since April 2020. 
• According to a Zscaler report, ransomware attacks have increased by 80% year-over-year as the RaaS model has gained popularity among ransomware families. 
• The healthcare sector observed a rise of 650% and the restaurant and food service industry saw a rise of 450% in ransomware attacks. 

The bottom line