Cuba ransomware, first observed in February 2020, reportedly attacked 49 organizations across five critical infrastructure sectors and raked around $43.9 million in ransom, in 2021. The operation is now back with a new malware variant.

Diving into details

The ransomware resurfaced in March and April this year, found Trend Micro. 
  • The samples from that period used a custom downloader, named BUGHATCH, which has not been used in previous attacks.
  • Another strain surfaced in late April, which targeted two organizations in Asia. 
  • While the updates have not been anything drastic, they come with additional functionalities such as optimized execution, reduced unintended system behavior, and tech support for victims to negotiate ransoms. 
  • The latest variants can terminate MySQL, MySQL80, MSDTC, SQLSERVERAGENT, outlook.exe, MSExchangeUM, and sqlservr.exe, among others.
  • Another notable update includes an extension of the safelisted directories and file extensions that will not be encrypted.

Variant comparison

  • The April variant when compared to the older ones revealed that the former only retained two commands from the latter. They are directory- and location-related phrases.  
  • While the ransom note texts vary in the March and April samples, the onion site in them remains the same. 
  • The latest ransom note threatens double-extortion, while the March variant did not have any explicit threats of publishing stolen data. 

Some ransomware stats your way

  • The first quarter of the year witnessed more than 150 networks accessed in ransomware attacks by BlackCat, BlackByte, and Quantum. 
  • Since the beginning of 2022, 48 government organizations across 21 nations have been targeted by 13 distinct ransomware actors. 
  • The SideWinder APT group has launched more than 1,000 attacks since April 2020. 
  • According to a Zscaler report, ransomware attacks have increased by 80% year-over-year as the RaaS model has gained popularity among ransomware families. 
  • The healthcare sector observed a rise of 650% and the restaurant and food service industry saw a rise of 450% in ransomware attacks. 

The bottom line

New malware variants are emerging on a regular basis as threat actors are attempting to monetize the vast attack surface. Establishing robust security frameworks is the need of the hour. The resurgence of Cuba ransomware implies that the gang will continue to be a threat. 

Cyware Publisher