Detect Cuba Ransomware Threat Group Infections: New Tooling Applied in Attacks Against Critical Infrastructure Organizations in the U.S.

August 22, 2023 · 4 min read

Active since 2019, Cuba ransomware operators constantly evolve their attack methods and show no sign of stopping. The most recent malicious operations against organizations in the U.S. and Latin America rely on a combination of novel and older tooling. In particular, Cuba maintainers added a Veeam exploit (CVE-2023-27532) to their offensive toolkit to obtain sensitive data from the targeted users.

Detect Cuba Ransomware Group Attacks

With more sophisticated TTPs entering the ransomware landscape, security practitioners strive to outpace adversaries and detect possible intrusions at the earliest stages. The SOC Prime Platform for collective cyber defense curates a set of relevant Sigma rules to help security teams proactively detect the constantly evolving Cuba ransomware attack chains. All detection algorithms are compatible with the leading SIEM, EDR, XDR, and Data Lake formats and are mapped to MITRE ATT&CK v12.

Hit the Explore Detections button below to obtain the entire detection stack enriched with contextual metadata, including ATT&CK references and CTI links.

Explore Detections

Cuba Ransomware Attack Analysis

Cuba ransomware operators have been performing malicious operations for over four years, becoming a hard nut to crack for defenders. In 2021, the hackers distributed SystemBC malware along with other nefarious RaaS affiliates, including DarkSide and Ryuk. In 2022, the group reemerged, leveraging new TTPs and a more sophisticated adversary toolkit, such as ROMCOM RAT, and abusing the infamous ZeroLogon flaw, CVE-2020-1472. In October 2022, the hacking collective, also tracked as Tropical Scorpius, was linked to a massive phishing campaign against Ukrainian state bodies that used a lure attachment to spread the ROMCOM backdoor.

The Cuba ransomware operators, allegedly linked to Russian offensive forces, frequently experiment with different malware samples and offensive tools. Code analysis has also supported the theory of the group's Russian origin.

In 2023, the adversaries were observed behind a series of sophisticated intrusions targeting companies in multiple industry sectors. The BlackBerry team recently published research covering a June campaign by Cuba maintainers in which the adversaries targeted organizations in the U.S. and Latin America. The hackers employ tools that proved successful in earlier campaigns alongside novel offensive capabilities. In the latest attacks, the Cuba threat group attempts to exploit CVE-2023-27532, a flaw in the Veeam Backup & Replication component. Successful exploitation enables attackers to access the backup infrastructure hosts.

The investigation by BlackBerry researchers into the latest cyber attacks by the above-mentioned group has uncovered the adversary's use of BUGHATCH and BURNTCIGAR, the Metasploit and Cobalt Strike frameworks, and multiple LOLBINs, with some PoC exploit code publicly available.

Like many ransomware maintainers, Cuba applies double extortion, exfiltrating the sensitive data of compromised users while also encrypting it and pressuring victims into paying ransom. In the fall of 2023, CISA and FBI released a joint cybersecurity advisory notifying defenders of the increasing threats related to the Cuba group's activity, aimed at helping organizations risk-optimize their cybersecurity posture.

Cuba has applied similar TTPs throughout its activity in the cyber threat arena, slightly updating them in 2023. In one of the most recent attacks targeting a U.S. organization, the adversaries applied a credential reuse technique. Earlier, they made successful attempts to exploit security gaps or rely on Initial Access Brokers (IABs) to maintain access to the targeted systems.

Commonly, at the initial attack stages, Cuba leverages the BUGHATCH downloader to establish a connection with the C2 server and then drop a payload, run malicious commands, or execute weaponized files. As for Metasploit, the hackers leverage this open-source framework to gain initial access to the targeted environment. Once executed, the malware decrypts and runs shellcode that leads to execution of a payload.

Cuba takes advantage of defense evasion techniques, namely Bring Your Own Vulnerable Driver (BYOVD), also known as Bring Your Own Driver. The hackers were also observed weaponizing the nefarious Zerologon vulnerability and the CVE-2023-27532 flaw, the latter also exploited by the FIN7 group in spring 2023.

The adversary toolkit of the Cuba ransomware group also includes built-in utilities such as ping.exe, used for discovery, and cmd.exe, used for lateral movement across the compromised environment, while the Cobalt Strike Beacon has been leveraged for privilege escalation and C2 communication.
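As an added illustration of the kind of detection logic such rules encode (example code written for this post, not SOC Prime's Sigma content or any Cuba artifact), the following Python flags a ping.exe discovery sweep in constructed Sysmon-style process-creation events; the 60-second window and five-host threshold are assumed values to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

def ev(utc, image, cmdline, user):
    """Build a minimal Sysmon Event ID 1 style record."""
    return {"UtcTime": utc, "Image": image, "CommandLine": cmdline, "User": user}

PING = r"C:\Windows\System32\PING.EXE"
# Constructed sample telemetry (not real logs): one account sweeps six hosts in
# 15 seconds, a monitoring account pings the same gateway twice, plus noise.
EVENTS = [ev("2023-06-12 09:00:%02d" % (1 + 3 * i), PING,
             "ping -n 1 10.10.1.%d" % (5 + i), r"CORP\svc_backup") for i in range(6)]
EVENTS += [
    ev("2023-06-12 09:01:00", PING, "ping -n 1 gw01.corp.local", r"CORP\monitor"),
    ev("2023-06-12 09:06:00", PING, "ping -n 1 gw01.corp.local", r"CORP\monitor"),
    ev("2023-06-12 09:00:02", r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami",
       r"CORP\svc_backup"),
]

def ping_target(cmdline):
    """Return the host argument of a ping command line (its last token), or None."""
    parts = cmdline.split()
    return parts[-1].lower() if len(parts) >= 2 else None

def detect_ping_sweep(events, window_seconds=60, min_hosts=5):
    """Flag each user whose ping.exe runs reach min_hosts distinct targets inside
    any window_seconds window. Both thresholds are assumed values to tune locally."""
    per_user = defaultdict(list)
    for e in events:
        if ntpath.basename(e["Image"]).lower() != "ping.exe":
            continue
        target = ping_target(e["CommandLine"])
        if target:
            ts = datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S")
            per_user[e["User"]].append((ts, target))
    window = timedelta(seconds=window_seconds)
    alerts = []
    for user, pings in per_user.items():
        pings.sort()
        for i, (start, _) in enumerate(pings):
            hosts = {t for ts, t in pings[i:] if ts - start <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"user": user, "start": start.isoformat(),
                               "hosts": sorted(hosts)})
                break  # one alert per user is enough for triage
    return alerts

if __name__ == "__main__":
    for a in detect_ping_sweep(EVENTS):
        print("ping sweep by %s at %s: %d hosts" % (a["user"], a["start"], len(a["hosts"])))
```

The repeated single-host pings from the monitoring account stay below the distinct-host threshold, which is what keeps routine availability checks out of the alert queue.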

Cyber defenders recommend applying reliable email gateway and data backup solutions, implementing multi-factor authentication, and keeping software up to date via best patch management practices to remediate Cuba ransomware threats in a timely manner.

With Cuba ransomware maintainers reviving their activity in the cyber threat arena, progressive organizations are striving to proactively detect ransomware attacks and future-proof cyber resilience. Leverage Uncoder AI to streamline IOC matching, improve the quality of detection code, and instantly translate your Sigma rules to 44 SIEM, EDR, and XDR language formats while avoiding vendor lock-in.
