The US federal government has issued an alert about Cuba, not the country but a ransomware gang that has taken in millions in stolen proceeds.
The Cuba gang has hit more than 100 companies around the world, demanding about $145 million in payments and successfully extorting at least $60 million since August, according to a joint FBI and US Cybersecurity and Infrastructure Security Agency (CISA) advisory.
According to the security alert:
The FBI first warned about the cybercrime gang in December 2021, and since then the victim count in the US alone has doubled. Over the same period, the ransom payments received also jumped.
Private security researchers have identified possible links between Cuba ransomware criminals and their RomCom remote access trojan (RAT) and Industrial Spy ransomware counterparts.
The crooks continue to target five critical infrastructure sectors: financial services, government, healthcare and public health, critical manufacturing, and IT, according to the FBI.
As the bureau previously noted, Cuba ransomware miscreants tend to use known bugs in commercial software, phishing emails, compromised credentials, and remote desktop protocol tools to gain initial access to their victims' networks. Once they have broken in, they distribute Cuba ransomware on compromised systems via Hancitor, a loader that can drop or execute other software nasties, including RATs.
Since the spring, the criminals have modified their tools to interact with compromised networks and extort payments, according to Palo Alto Networks Unit 42 threat hunters. The security shop's research and consulting arm also found the Cuba ransomware crooks exploiting certain known vulnerabilities and using legitimate tools to elevate privileges and burrow deeper into their victims' environments.
This includes exploiting CVE-2022-24521 in the Windows Common Log File System (CLFS) driver to steal system tokens and elevate privileges, using a PowerShell script to target service accounts for their associated Active Directory Kerberos tickets, and using KerberCache to extract cached Kerberos tickets from a host's Local Security Authority Server Service (LSASS) memory.
They are also known to exploit CVE-2020-1472, aka "ZeroLogon," to gain domain administrative privileges.
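The service-account ticket harvesting described above shows up in domain controller logs as a burst of Kerberos service ticket requests (Windows Security event 4769) that ask for the weaker RC4 encryption type. The following detector is an added example written for this article, not code from the FBI/CISA advisory or from Unit 42; it runs over a constructed set of 4769 records (account names, SPNs and timestamps are made up) and flags any account that requests several distinct RC4 service tickets in a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security event 4769 (Kerberos service ticket
# request) records, reduced to the fields the detection needs:
# (requesting account, service name / SPN, TicketEncryptionType, timestamp).
# In practice these come from a SIEM or the domain controller's Security log.
SAMPLE_EVENTS = [
    ("jdoe", "CIFS/FS01", "0x12", "2022-08-20T09:00:01"),            # AES, normal use
    ("jdoe", "HTTP/INTRANET", "0x12", "2022-08-20T09:00:05"),        # AES, normal use
    ("svc_backup", "MSSQLSvc/SQL01:1433", "0x17", "2022-08-20T09:10:00"),
    ("svc_backup", "HTTP/WEB01", "0x17", "2022-08-20T09:10:01"),
    ("svc_backup", "MSSQLSvc/SQL02:1433", "0x17", "2022-08-20T09:10:02"),
    ("svc_backup", "ldap/DC01", "0x17", "2022-08-20T09:10:03"),
    ("svc_backup", "CIFS/FS02", "0x17", "2022-08-20T09:10:04"),
    ("asmith", "CIFS/FS01", "0x17", "2022-08-20T10:00:00"),          # single RC4 request, legacy host
]

# TicketEncryptionType value for RC4-HMAC, the cipher ticket-cracking tools
# request because its hashes are far cheaper to brute-force than AES.
RC4_HMAC = "0x17"


def find_kerberoasting(events, threshold=4, window=timedelta(minutes=5)):
    """Return {account: sorted SPNs} for every account that requested at least
    `threshold` distinct RC4-encrypted service tickets within `window`."""
    by_account = defaultdict(list)
    for account, spn, etype, ts in events:
        if etype == RC4_HMAC:
            by_account[account].append((datetime.fromisoformat(ts), spn))

    flagged = {}
    for account, requests in by_account.items():
        requests.sort()  # chronological order so the sliding window is simple
        for i, (start, _) in enumerate(requests):
            spns = {spn for t, spn in requests[i:] if t - start <= window}
            if len(spns) >= threshold:
                flagged[account] = sorted(spns)
                break
    return flagged


if __name__ == "__main__":
    for account, spns in find_kerberoasting(SAMPLE_EVENTS).items():
        print(f"possible Kerberoasting by {account}: {', '.join(spns)}")
```

A single RC4 request from a legacy client is normal, which is why the detector keys on volume and distinct SPNs per account rather than on the encryption type alone.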
Additionally, Unit 42 has observed the gang using double extortion (they steal data, demand a ransom to decrypt the data, and then also threaten to leak the sensitive information if the victim does not pay up) and noted it began using the RomCom RAT for command and control in the spring.
Though Cuba ransomware attackers initially used their leak site to sell stolen data, around May they began selling their data on Industrial Spy's online marketplace.
The FBI also updated its list of Cuba ransomware indicators of compromise (IOCs) that it has seen during threat response investigations as of late August, and this list builds on the earlier IOC list [PDF] from November 2021.