Connect with us

Cyber Security

Cuba ransomware returns to extorting victims with updated encryptor

Published

on

The Cuba ransomware operation has returned to regular operations with a new version of its malware found used in recent attacks.

Cuba ransomware’s activity reached a peak in 2021 when it partnered with the Hancitor malware gang for initial access. By the end of the year, it had breached 49 critical infrastructure organizations in the United States.

This year started less impressive for the ransomware gang, with few new victims. However, Mandiant spotted signs of tactical changes and experimentation that indicated the group is still active.

Now, Trend Micro analysts report seeing a resurgence in Cuba infections, starting in March and continuing strong until April 2022.

Cuba listing a large firm in the automotive production industry
Cuba ransomware listing a large firm in the car production industry

Cuba has listed three victims in April and one in May on its Tor site. However, the attacks that resulted in the publication of these files likely unfolded earlier.

While these aren’t impressive figures compared to other ransomware operations, “Cuba” is generally more selective, hitting only large organizations.

New variant discovered

In late April, a new binary sampled by Trend Micro included minor additions and changes that make the malware more dangerous for targeted entities. More importantly, though, it shows that the operation is still alive and actively developing its encryptor.

While the updates to Cuba ransomware did not change much in terms of overall functionality, we have reason to believe that the updates aim to optimize its execution, minimize unintended system behavior, and provide technical support to the ransomware victims if they choose to negotiate. – Trend Micro

The malware now terminates more processes before encryption, including Outlook, MS Exchange, and MySQL. Ransomware encryptors terminate services to prevent those applications from locking files and preventing them from being encrypted.

Malware's service termination
Malware’s service termination (Trend Micro)

Secondly, the exclusion list has been expanded with more directories and filetypes to be skipped during encryption. This helps maintain a working system after the attack and prevents execution loops that may result in corrupted files that can’t be restored, leaving victims with no incentive to pay for a decrypter.

Thirdly, the gang has updated its ransom notes, adding quTox for live victim support and stating that the threat actors will publish all stolen data on the Tor site if the demands aren’t met within three days.

Outlook

The refinement of the Cuba ransomware variant can only mean that the group will continue to be a threat to organizations in the following months, mainly those located in North America.

Cuba ransomware remains secure at this time, so there’s no available decryptor that victims can use to recover their files for free.

Therefore, taking regular data backups, implementing network segmentation, and keeping all systems up to date would be the best approach to dealing with the threat.

Source: https://www.bleepingcomputer.com/news/security/cuba-ransomware-returns-to-extorting-victims-with-updated-encryptor/

Advertisement
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Copyright © 2023 Cyber Reports Cyber Security News All Rights Reserved Website by Top Search SEO