A joint statement by the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) said the number of entities targeted by the group has doubled since last year, and so have their ransom demands. The group continues to target individuals and organizations in the five critical sectors that the FBI highlighted in its December 2021 advisory: finance, government, healthcare, manufacturing, and information technology. The FBI and CISA urged organizations to take precautions to limit their exposure to the Cuba gang and other ransomware groups.
$60 Million in Ransom Payments
According to the FBI and CISA’s joint advisory, the Cuba ransomware gang compromised over 100 entities between January and August. In the same period, it demanded over $145 million in ransom and received over $60 million. The advisory says the Cuba ransomware group has been using previously undocumented tactics, techniques, and procedures (TTPs). The group has been linked with the RomCom remote access Trojan (RAT) and the Industrial Spy ransomware. The Cuba gang uses a variety of techniques to breach its targets’ networks: it exploits known vulnerabilities in commercial software, conducts phishing campaigns, and uses compromised credentials and remote desktop protocol (RDP) tools. After gaining access, the gang uses a dropper called Hancitor to deliver the ransomware payload, and relies on other tools to evade detection while moving laterally within the victim’s network.
Cuba Gang’s Track Record
Despite the name, the Cuba ransomware gang has no links to the island nation in the Caribbean Sea. Instead, the group has been linked to Russian threat actors. The Cuba gang first appeared on the radar of security agencies in 2019. The group has been linked to several attacks, including an August 2022 ransomware attack on the government of Montenegro. Last year, the Cuba gang targeted a third-party contractor for the California DMV. The FBI and CISA said the group uses double extortion techniques. The agencies warned targeted organizations against giving in to the group’s ransom demands. “FBI and CISA do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities,” the advisory states. The FBI and CISA urged organizations targeted by the Cuba gang to report the incident to a local FBI Field Office or to CISA at cisa.gov/report. We recommend reading the advisory for more information, including indicators of compromise and a complete list of the group’s TTPs.