Executive Summary
Late last year, the FBI issued a warning about the Cuba ransomware group. You may not have heard of them, but that doesn’t mean they shouldn’t be on your radar. In their warning, the FBI claimed that as of November 2021, “49 entities in five critical infrastructure sectors” had been compromised by the COLDDRAW ransomware used by the Cuba group, and they’re showing no signs of stopping. Another infamous group, HAFNIUM, made a name for themselves by targeting zero-day exploits, and it looks like Cuba are following in their footsteps.
What is the Cuba ransomware group?
Back in March 2021, companies around the world were left vulnerable after the state-sponsored HAFNIUM group identified vulnerabilities in Microsoft’s Exchange software, known as zero-days. The vulnerabilities, identified as ProxyLogon and ProxyShell, were exploited by HAFNIUM to deploy their ransomware. Now, in 2022, the Cuba ransomware group has been found to be exploiting these same vulnerabilities, as well as using other methods to access systems.
The ransomware group is also known as UNC2596, as well as COLDDRAW, which is the name of the ransomware they primarily use. The group has been spotted using a range of reconnaissance tools, as well as exchange vulnerabilities and known malware, to infect systems with their COLDDRAW ransomware and potentially carry out other malicious activity.
It’s been reported that the Cuba Ransomware group, after successfully compromising a system, deploys the COLDDRAW ransomware, and encrypts system files with the ‘.cuba’ extension, which they then demand ransom for the decryption. If the victim chooses not to pay the ransom, or just does not pay it in time, their data may be leaked and posted on the group’s shaming site (as shown in the image below).
How does the Cuba ransomware group gain entry?
The group has been observed using a range of bespoke tools for reconnaissance, including the following:
WEDGECUT - this reconnaissance tool arrives in the form of an executable labelled ‘check.exe,’ and is used to identify if a list of hosts or IP addresses are online
BURNTCIGAR – this is an endpoint security software termination tool, and can terminate processes by exploiting a flaw in the Avast driver.
BUGHATCH – this downloader receives commands and code from a C2 (command-and-control) server for execution on a compromised system.
There are multiple ways the group can gain access to systems. Other than using breached credentials and exploiting Microsoft Exchange vulnerabilities, they’ve also used the Hancitor malware (also known as Chanitor). This is an infamous malware loader, which, after connecting to a C2 server, downloads other malicious software such as COLDDRAW.
When it comes to the Microsoft Exchange vulnerabilities, the Cuba group is believed to be exploiting a particular set of flaws, which the Microsoft Security Response Center (MSRC) has identified under the Common Vulnerabilities and Exposures (CVE) system. Cuba will first attack CVE-2021-26855 to authenticate themselves, and then use CVE-2021-26857 to escalate their privileges to system access (essentially giving themselves full machine control). Finally, they could use the methods found under CVE-2021-26858 and CVE-2021-27065 to write and exfiltrate the sensitive data or, potentially, load COLDDRAW. All of these vulnerabilities should be looked at and patched or updated, if that hasn’t been done already.
Why should you care?
So far, the main documented targets have just been US entities, including organisations in the healthcare, manufacturing, IT, and finance sectors. According to the FBI, the Cuba group has extorted $43.9 million (or £33.4 million) from their victims so far. However, the risks of being attacked by this kind of ransomware group, and having your sensitive data laid bare, aren’t just financial. As well as paying a high ransom, your organisation and your brand will also suffer reputational damage, and potential clients will think twice about dealing with you in the future after a leak. You may also have to pay GDPR fines, and end up losing out on even more money. Even if you’re not in the US, you should still be looking to boost your cyber defences and patch any vulnerabilities, to protect your organisation from Cuba or any similar ransomware groups that might be out there. Gangs like these are always on the lookout for different ways to turn a profit, and exploiting unpatched vulnerabilities and successful social engineering is all in a day’s work for malicious actors.
How can you protect yourself?
We believe that cyber security should be available to everyone, which is why we recently published some emergency cyber hygiene advice on our blog. The post contains some very useful and crucial advice for anyone looking to bolster their cyber defences at the moment, and is worth a read. Cyber Security Associates also offers a wide range of bespoke training material, ranging from affordable enterprise e-learning courses to phishing campaign exercises, allowing you and your organisation to be prepared, and ensure provisions are met to guarantee that your data is as safe as it possibly can be. To find out more, don’t hesitate to get in touch with us.
