Cuba Ransomware hits 49 US organizations says the FBI

The FBI has identified and disclosed that 49 US organizations have been compromised by Cuba Ransomware Gang. This was disclosed as part of the FBI flash report and has been mentioned that the Cuba ransomware actors have compromised these organizations as on November 2021, which includes almost all the industries in the market starting with government, healthcare, information technology, manufacturing, and federal bodies.

And as per the FBI, the ransomware actors have already made $40 million over such horrendous acts. The FBI together with CISA were able to share the details of these incidents and the numbers as a report.

How was Cuba ransomware distributed?

The ransomware operators have made use of the Hancitor malware downloader to distribute the Cuba ransomware to the organizations. Hancitor has been a popular means for distributing Remote Access Trojans (RATs), Stealers, and other ransomware.

Zscaler did identify that Hancitor was used in distribution of Vawtrak trojan, then later the same Hancitor had facilitated the deployment of Pony, Ficker, Cobalt Striker and other malware.

Hancitor initially uses the most common breaching technique ‘Phishing’, then steals the credentials of the targeted audience, exploits the MS vulnerabilities, and then breach via RDP tools for lateral distribution.

In the Cuba ransomware case the legitimate services from Windows were used for distribution and remote deployments. The encryption happens then with ‘.cuba’ extension.

FBI requests for assistance if Cuba ransomware is spotted

The FBI has requested for information from sysadmins and security professionals if they detect .cuba extension in their network. The boundary logs with communication involving the IP addresses, Bitcoin wallet info, and other details are requested for further investigation and narrowing down the ransomware actors.

Though the organizations are cornered to make ransom payments if they fall for Cuba, the FBI has advised not to do so as there is no guarantee that the threat actors will play a fair game here. Hence if organizations face such threats they are advised to reach out to the local FBI offices for assistance.

Subscribe to our newsletter for daily alerts on cyber events, you can also follow us on Facebook, Linkedin, Instagram, Twitter and Reddit. You can reach out to us via Twitter or Facebook, for any advertising requests.