In a joint cybersecurity advisory, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) provide information on the tactics, techniques, and procedures (TTPs) employed by the Cuba ransomware group, along with indicators of compromise (IoCs), to help network defenders strengthen their defenses against the threat and detect intrusions sooner. According to the Health Sector Cybersecurity Coordination Center, the group poses a serious threat to the healthcare and public health sector. The new advisory updates a previous advisory released in December 2021 in order to inform at-risk organizations of the gang’s modified TTPs and to introduce further mitigations.
Since December 2021, the Cuba ransomware gang has doubled its attacks in the United States. The gang has demanded more than $145 million in ransom from more than 100 organizations around the world, and at least $60 million is known to have been paid so far. At least 65 critical infrastructure organizations in the United States are known to have been targeted by the group, spanning critical manufacturing, information technology, healthcare and public health, government facilities, and financial services.
The advisory notes similarities between the infrastructure employed by the Cuba ransomware gang and that of other threat actors, namely RomCom RAT and Industrial Spy. The group typically uses the RomCom RAT for access to and control of the ransomware, and then uses the same online market as the Industrial Spy actors if a victim fails to pay the ransom within the allotted time. The Cuba ransomware gang has reportedly attacked a healthcare organization using the RomCom RAT, indicating close ties between the three.
According to the FBI and CISA, the Cuba ransomware group employs a number of techniques to gain initial access to its victims’ networks. These include compromised credentials, remote desktop protocol (RDP) tools, phishing, and exploitation of vulnerabilities in unpatched commercial software. Once access is obtained, the ransomware is distributed via the Hancitor loader, which is also used to deploy remote access tools (RATs) and other malicious payloads. Data is then encrypted and exfiltrated from the system in order to coerce victims into meeting the gang’s ransom demands.