The gang is working with an assortment of tools and malware to carry out attacks in volume on critical sectors, the FBI warned.
The “Cuba” ransomware gang has settled into a groove, compromising at least 49 entities in five critical sectors in the U.S. as of November, the FBI has warned.
In a flash alert, the Feds attributed a rash of attacks on U.S. entities in the financial, government, healthcare, manufacturing and information technology sectors to the group. Collectively, the hits resulted in the extortion of $44 million in ransom payments. That is a little more than 50 percent of the $74 million that the Cuba gang actually demanded across the attacks, indicating that businesses continue to be split on whether or not to pay up.
The FBI did not name specific victims, but last month the bureau also warned that the group is targeting tribal casinos throughout the U.S.
The FBI noted that the Cuba ransomware is distributed using a first-stage implant that acts as a loader for follow-on payloads: the Hancitor malware, which has been around for at least five years. Hancitor operators gain initial access to target systems using phishing emails, exploitation of Microsoft Exchange vulnerabilities, compromised credentials or legitimate Remote Desktop Protocol (RDP) tools, according to the FBI’s alert.
After Hancitor is in place, Cuba ransomware actors also use legitimate Windows services – such as PowerShell and PsExec – and Cobalt Strike, the legitimate pen-testing tool that cybercrooks have turned to en masse to aid in lateral movement. The tool uses beacons to efficiently identify exploitable vulnerabilities within a target environment.
“A Cobalt Strike beacon [is installed] as a service on the victim’s network via PowerShell,” according to the FBI’s analysis. “Once installed, the ransomware downloads two executable files, which include ‘pones.exe’ for password acquisition and ‘krots.exe,’ also known as KPOT, enabling the Cuba ransomware actors to write to the compromised system’s temporary (TMP) file.”
Once the TMP file is uploaded, KPOT is deleted and the TMP file is executed on the compromised network – a trick meant to cover the ransomware’s tracks.
“The TMP file includes API calls related to memory injection that, once executed, deletes itself from the system,” the alert read. “Upon deletion of the TMP file, the compromised network begins communicating with a reported malware repository located at Montenegro-based domain, teoresp.com.”
The Cuba crooks also use MimiKatz malware to steal credentials from victims, and then use Remote Desktop Protocol (RDP) to log into the compromised network host with a specific user account, the FBI said.
“Once an RDP connection is complete, the Cuba ransomware actors use the Cobalt Strike server to communicate with the compromised user account,” according to the analysis. “One of the initial PowerShell script functions allocates memory space to run a base64-encoded payload. Once this payload is loaded into memory, it can be used to reach the remote command-and-control (C2) server [kurvalarva[dot]com], and then deploy the next stage of files for the ransomware.”
Victim files are encrypted with the “.cuba” extension, giving the ransomware its name.
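As an added example (not code from the FBI alert or the Threatpost article), the following Python scans constructed Sysmon-style events for the behaviours the alert chain describes: the named droppers, a base64-encoded PowerShell payload that allocates memory, a service created from a PowerShell parent (a proxy for the beacon-as-service step), lookups of the two named domains, and the .cuba extension. The event field names and sample events are assumptions made for the example.

```python
import base64
import re

# Indicators named in the FBI alert as quoted in the article above.
KNOWN_BINARIES = {"pones.exe", "krots.exe"}
KNOWN_DOMAINS = {"teoresp.com", "kurvalarva.com"}
# PowerShell accepts -e, -enc or -EncodedCommand followed by base64 text.
ENCODED_PS = re.compile(r"powershell(?:\.exe)?\b.*?\s-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
SERVICE_INSTALL = re.compile(r"\b(?:sc(?:\.exe)?\s+create|New-Service)\b", re.I)

def decode_ps_payload(b64: str) -> str:
    """-EncodedCommand carries base64 of a UTF-16LE string; decode it for inspection."""
    try:
        return base64.b64decode(b64).decode("utf-16-le", errors="replace")
    except ValueError:
        return ""

def classify(event: dict) -> list:
    """Return the detection labels that apply to one normalized event."""
    hits = []
    if event["type"] == "process":
        image = event["image"].rsplit("\\", 1)[-1].lower()
        if image in KNOWN_BINARIES:
            hits.append("known_dropper:" + image)
        m = ENCODED_PS.search(event["cmdline"])
        if m:
            hits.append("encoded_powershell")
            if "VirtualAlloc" in decode_ps_payload(m.group(1)):  # memory allocation for a payload
                hits.append("memory_injection_pattern")
        if SERVICE_INSTALL.search(event["cmdline"]) and "powershell" in event.get("parent", "").lower():
            hits.append("service_install_via_powershell")
    elif event["type"] == "dns" and event["query"].lower().rstrip(".") in KNOWN_DOMAINS:
        hits.append("known_c2:" + event["query"].lower().rstrip("."))
    elif event["type"] == "file" and event["path"].lower().endswith(".cuba"):
        hits.append("cuba_extension")
    return hits

def scan(events: list) -> dict:
    """Map each event's index to its detections, omitting clean events."""
    return {i: h for i, e in enumerate(events) if (h := classify(e))}

# Constructed sample telemetry modelled loosely on Sysmon fields (not real logs).
SAMPLE_B64 = base64.b64encode("$p=[K32]::VirtualAlloc(0,4096,0x3000,0x40)".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Users\Public\krots.exe", "cmdline": "krots.exe", "parent": "explorer.exe"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "powershell.exe -nop -w hidden -enc " + SAMPLE_B64, "parent": "cmd.exe"},
    {"type": "process", "image": r"C:\Windows\System32\sc.exe", "cmdline": "sc.exe create updsvc binPath= C:\\Users\\Public\\x.exe", "parent": "powershell.exe"},
    {"type": "dns", "query": "teoresp.com."},
    {"type": "file", "path": r"C:\Users\alice\Documents\q3.xlsx.cuba"},
]
```

Each label on its own is weak evidence; the value is in several of them firing on one host in a short window, which is how the chain above presents in telemetry.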
The analysis comes on the heels of a joint FBI/CISA warning for organizations to be extra-vigilant during the holiday season, when many offices close for days and IT staff may have taken their eyes off the ball.
“Although neither CISA nor the FBI currently have identified any specific threats, recent 2021 trends show malicious cyberactors launching serious and impactful ransomware attacks during holidays and weekends, including Independence Day and Mother’s Day weekends,” according to the warning.
“Ransomware threats are constantly evolving,” Mieng Lim, vice president of product management at Digital Defense by HelpSystems, said via email. “From the commoditization of ransomware by the new availability of as-a-service tools, to increasingly sophisticated attack methods, it is a threat landscape that requires constant monitoring and education from organizations and governments alike.”
Organizations can take steps to protect themselves by implementing well-known best practices, such as user awareness training on spotting phishing emails, timely patching, email security solutions, regular penetration testing and vulnerability scanning, network segregation, data encryption, remote backups, and having a robust and tested incident-response playbook, Lim added.
“Unfortunately, we live in an era where preventing 100 percent of cyber-risks is no longer possible, but continuous vigilance, ongoing cyber-risk training, and a well-prepared threat detection and response plan will go a long way toward keeping your organization’s most sensitive data safe,” Lim noted.