The threat actors behind Cuba (aka COLDDRAW) ransomware have received more than $60 million in ransom payments and compromised over 100 entities across the world as of August 2022.
In a new advisory shared by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), the agencies highlighted a “sharp increase in both the number of compromised U.S. entities and the ransom amounts.”
The ransomware crew, also known as Tropical Scorpius, has been observed targeting financial services, government facilities, healthcare, critical manufacturing, and IT sectors, while also expanding its tactics to gain initial access and interact with breached networks.
The entry point for the attacks includes the exploitation of known security flaws, phishing, compromised credentials, and legitimate remote desktop protocol (RDP) tools, followed by distributing the ransomware by means of Hancitor (aka Chanitor).
Some of the flaws incorporated by Cuba into its toolset are as follows –
- CVE-2022-24521 (CVSS score: 7.8) – An elevation of privilege vulnerability in the Windows Common Log File System (CLFS) Driver
- CVE-2020-1472 (CVSS score: 10.0) – An elevation of privilege vulnerability in the Netlogon Remote Protocol (aka ZeroLogon)
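The second flaw above, ZeroLogon, leaves a recognisable trail in Windows event logs: a machine-account password change (Event ID 4742) whose subject is ANONYMOUS LOGON, and, on patched domain controllers, the Netlogon enforcement events Microsoft added for it (5827/5828 when a vulnerable secure channel is denied, 5829 when one is still allowed because enforcement mode is not yet on). The following detection logic is an added example written for this article, not code from the CISA/FBI advisory; it assumes events have already been normalised into dicts with the generic field names shown, and the sample events are constructed for the demo.

```python
"""Flag Windows event records consistent with CVE-2020-1472 (ZeroLogon)
exploitation attempts or with the post-patch Netlogon enforcement telemetry.

Added example, not from the advisory. Assumptions:
- Each event is a dict with simplified, normalised fields:
  EventID, Computer, SubjectUserName, TargetUserName (the real XML/EVTX
  field names differ per event; map them in your collector).
- Event IDs (documented by Microsoft):
    4742        "A computer account was changed"; a reset performed by
                ANONYMOUS LOGON on a machine account is the ZeroLogon pattern.
    5827/5828   Netlogon denied a vulnerable secure-channel connection
                (machine account / trust account) on a patched DC.
    5829        Netlogon allowed a vulnerable connection: the DC is not yet
                in enforcement mode, so this is a gap to close.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass
class Finding:
    computer: str
    event_id: int
    severity: str
    reason: str


NETLOGON_DENY = {5827, 5828}
NETLOGON_ALLOW_VULN = 5829


def classify(event: dict) -> Optional[Finding]:
    """Return a Finding for a suspicious event, or None for benign ones."""
    eid = int(event.get("EventID", 0))
    host = event.get("Computer", "?")
    target = event.get("TargetUserName") or "?"

    if eid == 4742:
        subj = (event.get("SubjectUserName") or "").upper()
        # Machine accounts end in '$'; a normal admin or the computer
        # itself changing its own password is not the ZeroLogon pattern.
        if subj == "ANONYMOUS LOGON" and target.endswith("$"):
            return Finding(host, eid, "high",
                           f"machine account {target} changed by ANONYMOUS LOGON "
                           "(ZeroLogon pattern)")
    elif eid in NETLOGON_DENY:
        return Finding(host, eid, "medium",
                       f"DC denied vulnerable Netlogon channel from {target}")
    elif eid == NETLOGON_ALLOW_VULN:
        return Finding(host, eid, "medium",
                       f"DC still allows vulnerable Netlogon channel from {target}; "
                       "enforcement mode not enabled")
    return None


def scan(events: Iterable[dict]) -> List[Finding]:
    """Run classify() over a stream of events and keep the hits."""
    return [f for f in (classify(e) for e in events) if f is not None]


# Constructed sample events for the demo (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4742, "Computer": "DC01", "SubjectUserName": "ANONYMOUS LOGON",
     "TargetUserName": "DC01$"},                       # ZeroLogon pattern
    {"EventID": 4742, "Computer": "DC01", "SubjectUserName": "svc_admin",
     "TargetUserName": "WS42$"},                       # routine account change
    {"EventID": 5827, "Computer": "DC01", "TargetUserName": "OLDPRINT$"},
    {"EventID": 5829, "Computer": "DC02", "TargetUserName": "LEGACYAPP$"},
    {"EventID": 4624, "Computer": "WS42", "SubjectUserName": "jdoe",
     "TargetUserName": "jdoe"},                        # ordinary logon
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.severity}] {finding.computer} {finding.event_id}: {finding.reason}")
```

Run against the sample set, the scan reports the ANONYMOUS LOGON reset as high severity and the two Netlogon events as medium; the routine account change and the ordinary logon produce nothing. The 5829 hit is the one worth acting on before any attacker does: it shows a domain controller that would still accept a vulnerable connection.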
“In addition to deploying ransomware, the actors have used ‘double extortion’ techniques, in which they exfiltrate victim data, and (1) demand a ransom payment to decrypt it and, (2) threaten to publicly release it if a ransom payment is not made,” CISA noted.
Cuba is also said to share links with the operators of RomCom RAT and another ransomware family named Industrial Spy, according to new findings from BlackBerry and Palo Alto Networks Unit 42.
The RomCom RAT is distributed via trojanized versions of legitimate software such as SolarWinds Network Performance Monitor, KeePass, PDF Reader Pro, Advanced IP Scanner, pdfFiller, and Veeam Backup & Replication that are hosted on counterfeit lookalike websites.
The advisory from CISA and FBI is the latest in a series of alerts about different ransomware strains in recent months such as MedusaLocker, Zeppelin, Vice Society, Daixin Team, and Hive.