The FBI has released a flash alert regarding the Cuba ransomware group targeting the critical infrastructure of U.S. organizations across several key sectors of the economy.

What has happened?

According to the FBI, Cuba ransomware actors have compromised organizations across at least five sectors, including information technology, healthcare, manufacturing, government, and financial services.
  • The group has compromised the networks of 49 organizations so far.
  • It has made millions since it started targeting U.S. organizations: the group has demanded a total of $74 million in ransom from U.S. companies and has already received $43.9 million.

Attack tactics

  • Cuba ransomware is spread on victims' networks using the Hancitor downloader, which gives the ransomware group easy access to compromised corporate networks.
  • Once inside, Cuba uses legitimate Windows services and tools (e.g. PowerShell and PsExec) to deploy payloads remotely and encrypt files, appending the .cuba extension.

A request for information sharing

The FBI has asked system administrators and security professionals who have spotted Cuba ransomware activity within their networks to share any related information with their local FBI Cyber Squad.
  • Useful information includes wallet information, boundary logs showing communication with an outside IP address, the decryptor file, and a sample of an encrypted file.
  • The FBI recommends against paying the ransom, since there is no guarantee that the attackers will provide the decryption keys or will not attack again in the future.
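The two technical artifacts the FBI asks responders to collect above (a sample of a .cuba-encrypted file and boundary logs showing traffic to an outside IP address) can be gathered with a small triage script. The following is an added example written for this article; it is not code from the FBI alert or from Cyware. It assumes a constructed boundary-log line format (`<timestamp> src=<ip> dst=<ip> dport=<port> action=<allow|deny>`), that "internal" means the RFC 1918, loopback and link-local ranges, and that the .cuba extension is matched case-insensitively; the sample log lines and files are constructed for the demo. Internal-to-internal flows (such as the SMB traffic PsExec generates) are deliberately excluded, since the FBI is asking for boundary traffic to external addresses.

```python
import ipaddress
import os
import re
import tempfile
from pathlib import Path

# Extension the alert says Cuba ransomware appends to encrypted files.
ENCRYPTED_EXT = ".cuba"

# Assumed definition of "internal" address space (assumption, not from the alert).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Assumed boundary-log format, constructed for this example; real firewalls differ.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def find_encrypted_files(root):
    """Walk a directory tree and return paths carrying the .cuba extension (any case)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ENCRYPTED_EXT):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def is_internal(ip_text):
    """True when the address falls inside one of the assumed internal ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparseable address: treat as not internal, caller will skip it
    return any(ip in net for net in INTERNAL_NETS)


def outbound_to_outside(log_lines):
    """Return parsed records for allowed flows from an internal host to an outside IP."""
    records = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that don't match the assumed format
        rec = m.groupdict()
        if rec["action"] != "allow":
            continue  # blocked flows never reached the outside
        if not is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue  # inbound, or internal lateral movement (e.g. PsExec over SMB)
        records.append(rec)
    return records


def build_share_package(root, log_lines):
    """Summarise what the FBI asks for: a few encrypted samples plus the outside IPs seen."""
    return {
        "encrypted_samples": find_encrypted_files(root)[:3],
        "outside_ips": sorted({r["dst"] for r in outbound_to_outside(log_lines)}),
    }


# Constructed sample boundary log; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    "2021-12-01T10:00:01Z src=10.0.5.21 dst=203.0.113.5 dport=443 action=allow",
    "2021-12-01T10:00:02Z src=10.0.5.21 dst=10.0.0.10 dport=445 action=allow",
    "2021-12-01T10:00:03Z src=10.0.5.22 dst=203.0.113.5 dport=443 action=deny",
    "2021-12-01T10:00:04Z src=198.51.100.7 dst=10.0.5.21 dport=3389 action=allow",
    "2021-12-01T10:00:05Z src=192.168.1.5 dst=203.0.113.9 dport=8080 action=allow",
    "garbage line that does not match the format",
]


def make_demo_tree():
    """Create a throwaway directory with constructed sample files and return its path."""
    root = tempfile.mkdtemp(prefix="cuba_triage_")
    Path(root, "finance").mkdir()
    Path(root, "finance", "q3.xlsx.cuba").write_bytes(b"\x00constructed-ciphertext")
    Path(root, "finance", "budget.docx.CUBA").write_bytes(b"\x00constructed-ciphertext")
    Path(root, "readme.txt").write_text("untouched file")
    return root


if __name__ == "__main__":
    demo_root = make_demo_tree()
    print(build_share_package(demo_root, SAMPLE_LOG))
```

Run on a real host, point `find_encrypted_files` at the affected shares and feed the firewall export through `outbound_to_outside` after adapting `LOG_RE` to the device's actual format; the resulting package is what you hand to the FBI Cyber Squad.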

Ending notes

The FBI flash alert urges organizations to stay vigilant and take this threat seriously. Cuba ransomware has already hit dozens of organizations and remains active, so organizations are advised to deploy robust anti-ransomware security measures to stay protected.

Cyware Publisher