Alert (AA22-335A) #StopRansomware: Cuba Ransomware

Description

FortiGuard Labs is aware that the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have released a joint advisory on Cuba ransomware as part of their #StopRansomware effort. The advisory states that the number of organizations in the United States victimized by Cuba ransomware has increased since December 2021.


Why is this Significant?

This is significant because Cuba ransomware has reportedly victimized over 100 organizations across multiple industries, including but not limited to infrastructure, in the U.S. since December 2021, and has extorted large sums of money from the victims.


What is Cuba Ransomware?

Cuba is a ransomware strain that has been around since at least 2019 and has reportedly victimized more than 100 organizations globally. According to the advisory, infection vectors used by the Cuba threat actors include emails, use of stolen credentials, RDP (Remote Desktop Protocol) session hijacking, and exploitation of vulnerabilities such as CVE-2022-24521 and CVE-2020-1472. Hancitor malware has also reportedly been used to deploy Cuba ransomware after victims' networks were breached.


Once Cuba ransomware is deployed, it encrypts files on compromised machines, adds a ".cuba" file extension to the affected files, and drops a ransom note named "!! READ ME !!.txt". The primary contact channel is Tox (a peer-to-peer instant messaging protocol). An alternative e-mail address is typically included in the ransom notes.
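As an added example that is not part of the FortiGuard alert or the CISA advisory, the following Python script shows how a defender might flag the two on-disk artefacts described above (files gaining the ".cuba" extension and the "!! READ ME !!.txt" ransom note) in file-activity logs. The log format, hostnames, paths and the alert threshold are constructed assumptions.

```python
"""Scanner for Cuba ransomware artefacts in constructed file-event logs.
Added example, not code from the advisory: flags hosts where files gain the
".cuba" extension or where the "!! READ ME !!.txt" ransom note is written."""
import re
from collections import defaultdict

CUBA_EXT = ".cuba"
RANSOM_NOTE = "!! READ ME !!.txt"

# Constructed sample lines (assumed format): "<ISO timestamp> <host> <op> <path>".
SAMPLE_LOG = """\
2022-12-01T09:14:02Z FS01 RENAME C:\\Shares\\finance\\q3.xlsx -> C:\\Shares\\finance\\q3.xlsx.cuba
2022-12-01T09:14:02Z FS01 RENAME C:\\Shares\\finance\\q4.xlsx -> C:\\Shares\\finance\\q4.xlsx.cuba
2022-12-01T09:14:03Z FS01 CREATE C:\\Shares\\finance\\!! READ ME !!.txt
2022-12-01T09:15:11Z WS07 CREATE C:\\Users\\alice\\notes.txt
2022-12-01T09:15:40Z WS07 RENAME C:\\Users\\alice\\report.docx -> C:\\Users\\alice\\report.docx.cuba
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (RENAME|CREATE) (.+)$")

def parse_line(line):
    """Return (timestamp, host, op, path) or None for an unparseable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, op, rest = m.groups()
    # For renames the indicator is the destination name, not the source.
    path = rest.split(" -> ", 1)[-1] if op == "RENAME" else rest
    return ts, host, op, path

def scan(log_text, min_encrypted=2):
    """Return {host: {"encrypted": n, "notes": n, "alert": bool}}.
    A host alerts on any ransom note, or on >= min_encrypted ".cuba" renames,
    so a single stray ".cuba" file does not raise an alert by itself."""
    hits = defaultdict(lambda: {"encrypted": 0, "notes": 0, "alert": False})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, host, _, path = parsed
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        if name == RANSOM_NOTE:
            hits[host]["notes"] += 1
        elif name.lower().endswith(CUBA_EXT):
            hits[host]["encrypted"] += 1
    for h in hits.values():
        h["alert"] = h["notes"] > 0 or h["encrypted"] >= min_encrypted
    return dict(hits)
```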


FortiGuard Labs previously released a ransomware roundup blog on Cuba ransomware on August 18, 2022. See the Appendix for a link to "Alert (AA22-335A) #StopRansomware: Cuba Ransomware (CISA)".


What is the Status of Protection?

FortiGuard Labs provides the following AV signatures for Cuba ransomware:

  • W32/Agent.FEDD!tr
  • W32/Filecoder.OAE!tr
  • W32/Filecoder.OAE!tr.ransom
  • W32/Filecoder.OHL!tr
  • W32/GenKryptik.EMOA!tr
  • W32/Injector.EQGY!tr
  • W32/Kryptik.HFMU!tr
  • W32/Kryptik.HGXH!tr
  • W32/PossibleThreat

Some of the files listed in the IOC section of the CISA advisory that were available are detected by the following AV signatures:

  • W32/Agent.ADBQ!tr
  • W64/Agent.CP!tr.dldr
  • W32/GenKryptik.FSCS!tr
  • W32/PossibleThreat
  • PossibleThreat
  • PossibleThreat.PALLAS.H


FortiGuard Labs provides the following IPS coverage for the vulnerabilities reportedly leveraged by Cuba ransomware threat actors:

  • MS.Windows.CVE-2022-24521.Privilege.Elevation (CVE-2022-24521)
  • MS.Windows.Server.Netlogon.Elevation.of.Privilege (CVE-2020-1472)

FortiEDR protects customers from Cuba ransomware. See the Appendix for a link to "Threat Coverage: How FortiEDR protects against Cuba ransomware".