The FBI and the U.S. Infrastructure and Cyber Security Agency (CISA) report that as of August 2022, Cuba ransomware operators have received more than $60 million in ransom from their victims (initially, the hackers requested more than $145 million in ransoms) and have attacked more than 100 organizations around the world.

The new security bulletin is a direct continuation of a similar document from a year ago. Let me remind you that in December 2021, it was reported that the Cuba ransomware brought its authors about $43.9 million, compromising at least 49 organizations.

We also wrote that Cuba Ransomware Variant Involves Double-Extortion Scheme.

The FBI also said that the $43.9 million was just actual payments to the victims, but the hackers originally demanded more than $74 million from the victims, but some refused to pay.

The FBI and CISA added that in the past year, it became known that ransomware has been improving its tactics and methods, and now they are associated with the RomCom remote access trojan (RAT) and Industrial Spy ransomware.

Law enforcement officers also said at the time that they tracked Cuba attacks on systems infected with the Hancitor malware, which uses phishing emails, exploits vulnerabilities in Microsoft Exchange, compromised credentials, or RDP brute force to access vulnerable Windows machines. Once Hancitor is infected, access to such a system is rented out to other hackers using the Malware-as-a-Service model.

Interestingly, the statistics of the ID-Ransomware platform do not allow to call the Cuba ransomware particularly active, and this only proves that even such a ransomware can have a huge impact on victims and bring profit to its operators.

The post FBI Says Cuba Ransomware ‘Made’ $60 Million by Attacking More Than 100 Organizations appeared first on Gridinsoft Blog.

Let me remind you that we reported that New Cuba Ransomware Variant Involves Double-Extortion Scheme.

In their report, the researchers talk about the hack group Tropical Scorpius, which, apparently, is a “partner” of the Cuba ransomware. Let me remind you that this ransomware has been known to security specialists since 2019. He was most active at the end of 2021, when he was linked to attacks on 60 organizations in five critical infrastructure sectors (including financial and public sector, healthcare, manufacturing and IT), as a result of which hackers received at least $ 43.9 million in the form of ransoms.

The last notable Cuba update was recorded in the first quarter of 2022, when malware operators switched to an updated version of the ransomware with finer settings and added quTox support to communicate with their victims.

As Palo Alto Networks analysts now say, the aforementioned Tropical Scorpius group uses a standard Cuba payload that hasn’t changed much since 2019. One of the few updates in 2022 involves the use of a legitimate but invalid Nvidia certificate (previously stolen from the company by Lapsus$ hackers) to sign the kernel driver, which is used in the initial stages of infection. The task of this driver is to detect processes belonging to security products and kill them to help attackers avoid detection.

Tropical Scorpius uses a local privilege escalation tool based on an exploit for CVE-2022-24521, which was patched in April 2022.

The next attack phase of Tropical Scorpius involves loading ADFind and Net Scan to perform a lateral movement. Along with this, the attackers deploy a tool on the victim’s network that helps them obtain cached Kerberos credentials. Also, hackers can use the tool to exploit the notorious Zerologon vulnerability (CVE-2020-1472) to obtain domain administrator privileges.

At the end of the attack, Tropical Scorpius operators finally deploy ROMCOM RAT malware on the victim network, which communicates with command and control servers through ICMP requests performed through Windows API functions.

ROMCOM RAT supports ten main commands:

1. get information about the connected disk;
2. get lists of files for the specified directory;
3. run the reverse shell svchelper.exe in the %ProgramData% folder;
4. upload data to the management server as a ZIP file using IShellDispatch to copy files;
5. download data and write to worker.txt in the %ProgramData% folder;
6. delete the specified file;
7. delete the specified directory;
8. create a process with PID spoofing;
9. process only the ServiceMain received from the control server and “sleep” for 120,000 ms;
10. traverse running processes and collect their IDs.

Experts note that Tropical Scorpius hackers compiled the latest version of ROMCOM and uploaded it to VirusTotal on June 20, 2022. This version contains ten additional commands, giving attackers more control over executing and downloading files and terminating processes.

In addition, the new version supports receiving additional payloads from the C&C server, such as the Screenshooter screenshot tool.

The researchers conclude that with the emergence of Tropical Scorpius, the Cuba ransomware is turning into a more serious threat, although in general this ransomware cannot boast of a large number of victims.

The post Cuba Ransomware Operators Use Previously Unknown ROMCOM RAT appeared first on Gridinsoft Blog.

The Cuba ransomware family has got itself a new specimen. The new version of Cuba revealed itself in late April 2022 and was involved in the attack on two companies in Asia. Although the alterations in comparison to previous versions cannot be called crucial, some of them are worth mentioning.

The malware gets injected via the BUGHATCH downloader, which works in connection with its command and control center. The latter sends code (PowerShell scripts and portable executables to be run on the attacked computer. The downloader itself gets onto the compromised device via a link to a PowerShell script or a dropper Trojan, also written in Power Shell.
April Cuba variant has undergone some changes in terms of commands. Thus, “local” and “network” are the only two remaining commands that relate to directories and locations.

The list of services and processes that ransomware terminates upon arrival has been somewhat extended and now comprises 47 items, mostly ensuring Microsoft Exchange and SQL-related services are cut-off.
The exclusion list of folders for the malware not to harm is also extended to 16 directories with the Google folder protected alongside expected Windows and Program Files ones. The extensions safe-listed from encryption are: .exe, .dll, .sys, .ini, .lnk, .vbm, and, understandably, .cuba.

Two-level extortion

The new Cuba is very caring when it eventually comes to racketeering. This time it’s a double-extortion scheme. If the victim does not contact the criminals in three days, the hackers threaten to expose the extracted data from the targeted machine.

Such threats are not bluff, unfortunately. It happened before to CD Project game development company as unfinished materials of Cyberpunk 2077 game were published on the web as a result of a double-layer ransomware attack in February 2021.

Malefactors also give thorough facilitation to those ready to cooperate. To make communication easier they have a quTox account.

The post New Cuba Ransomware Variant Involves Double-Extortion Scheme appeared first on Gridinsoft Blog.