The FBI has posted a new notice about Cuba ransomware, explaining that the group has compromised “49 entities in five critical infrastructure sectors” and has been paid at least US$43.9 million in ransoms.
In the notice, issued on Friday, the FBI said the group targets businesses in the financial, government, healthcare, manufacturing and information technology sectors and uses the Hancitor malware to get onto Windows systems.
“Cuba ransomware is distributed through Hancitor malware, a loader known for dropping remote access Trojans (RATs), other types of ransomware and other stealers onto the victim’s network,” the notice explained, adding that encrypted files carry a “.cuba” extension.
“Hancitor malware actors use phishing emails, Microsoft Exchange vulnerabilities, compromised credentials, or legitimate Remote Desktop Protocol (RDP) tools to gain initial access to a victim’s network. Subsequently, Cuba ransomware actors use legitimate Windows services, such as PowerShell, PsExec, and other unspecified services, and then leverage Windows administrator privileges to execute their ransomware and other processes remotely.”
That jaw-dropping sum is only what victims actually paid; the FBI puts the total the group has demanded from victims at $74 million.
Once a victim is compromised, the ransomware installs and executes a Cobalt Strike beacon and downloads two executable files. These two files allow the attacker to obtain passwords and “write to the temporary (TMP) file of the infected system”.
“Once the TMP file is uploaded, the ‘krots.exe’ file is deleted and the TMP file is executed on the infected network. The TMP file includes application programming interface (API) calls related to memory injection. Once executed, the TMP file is deleted,” the FBI explained, after which the infected network begins communicating with a malware repository at the Uniform Resource Locator (URL) teoresp.com, located in Montenegro.
“Furthermore, Cuba ransomware actors used Mimikatz malware to steal credentials, and then used RDP to log in to a compromised network host with a specific user account. Once the RDP connection was complete, the Cuba ransomware actors used the Cobalt Strike server to communicate with the compromised user account. Initially, one of the PowerShell script functions allocates memory space to run a base64-encoded payload. Once this payload is loaded into memory, it can be used to reach the remote command and control (C2) server and then deploy the next stage of the ransomware. The remote C2 server is located at the malicious URL kurvalarva.com.”
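As an added illustration, not code from the FBI notice or from ZDNet, the following Python script runs simple detections for the tradecraft quoted above over a few constructed log records: DNS lookups of the two C2 domains named in the notice (teoresp.com, kurvalarva.com), execution of krots.exe, use of Mimikatz and PsExec, RDP logons, files renamed with the “.cuba” extension, and PowerShell launched with a base64-encoded command whose decoded body allocates memory and decodes a further payload. The domains, file names, extension and tool names come from the notice; the log format, the telemetry lines themselves and the PowerShell heuristics (LOADER_MARKERS and the -EncodedCommand decode) are the editor’s assumptions about how such a loader usually looks.

```python
"""Hunt constructed Windows telemetry for the Cuba ransomware tradecraft
described in the FBI notice.  Added example, not the FBI's or ZDNet's code.
The log lines are made up for illustration; the PowerShell heuristics
(LOADER_MARKERS, the -EncodedCommand decode) are assumptions, not something
the notice states."""
import base64
import re
from dataclasses import dataclass

# Indicators that appear in the FBI notice as quoted above.
C2_DOMAINS = {"teoresp.com", "kurvalarva.com"}
ENCRYPTED_SUFFIX = ".cuba"
STAGER_IMAGES = {"krots.exe"}
KNOWN_TOOLS = {"psexec.exe", "psexesvc.exe", "mimikatz.exe"}
# Assumption: strings a base64-decoding, memory-allocating loader usually has.
LOADER_MARKERS = ("frombase64string", "virtualalloc", "invoke-expression", "iex ")

# Any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...) plus base64.
ENC_FLAG = re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def parse_line(line):
    """Parse a 'k=v k="v with spaces"' record into a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD.finditer(line)}


def decode_encoded_command(cmd):
    """Return the decoded -EncodedCommand script (UTF-16LE) or None."""
    m = ENC_FLAG.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def hunt(lines):
    """Run every rule over the records and return the findings in log order."""
    findings = []
    for f in map(parse_line, lines):
        host, kind = f.get("host", "?"), f.get("type")
        if kind == "dns":
            q = f.get("query", "").lower().rstrip(".")
            if any(q == d or q.endswith("." + d) for d in C2_DOMAINS):
                findings.append(Finding(host, "c2_domain", q))
        elif kind == "file" and f.get("path", "").lower().endswith(ENCRYPTED_SUFFIX):
            findings.append(Finding(host, "cuba_extension", f["path"]))
        elif kind == "logon" and f.get("logon_type") == "10":  # RemoteInteractive = RDP
            findings.append(Finding(host, "rdp_logon", f.get("user", "?")))
        elif kind == "proc":
            image = f.get("image", "").rsplit("\\", 1)[-1].lower()
            if image in STAGER_IMAGES:
                findings.append(Finding(host, "stager_binary", image))
            if image in KNOWN_TOOLS:
                findings.append(Finding(host, "known_tool", image))
            if image.startswith("powershell"):
                cmd = f.get("cmd", "")
                decoded = decode_encoded_command(cmd)
                body = (decoded if decoded is not None else cmd).lower()
                hits = [k for k in LOADER_MARKERS if k in body]
                if hits:
                    findings.append(Finding(host, "ps_memory_loader", ", ".join(hits)))
                elif decoded is not None:
                    findings.append(Finding(host, "ps_encoded_command", decoded[:60]))
    return findings


def _enc(script):
    """Encode a script the way powershell.exe -EncodedCommand expects."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


LOADER = "$b=[Convert]::FromBase64String($p);$m=[Kernel32]::VirtualAlloc(0,$b.Length,0x3000,0x40)"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed telemetry following the chain in the notice: encoded PowerShell
# loader, krots.exe, beacon to teoresp.com, Mimikatz, RDP, PsExec, second C2,
# then files renamed with the .cuba extension.  Benign lines are mixed in.
SAMPLE_LOG = [
    f'ts=10:01:05 host=ws01 type=proc image="{PS}" cmd="powershell.exe -nop -w hidden -enc {_enc(LOADER)}"',
    'ts=10:01:09 host=ws01 type=dns query=windowsupdate.microsoft.com',
    f'ts=10:01:20 host=ws01 type=proc image="{PS}" cmd="powershell.exe -Command Get-Process"',
    r'ts=10:02:11 host=ws01 type=proc image="C:\Users\Public\krots.exe" cmd="krots.exe"',
    'ts=10:02:30 host=ws01 type=dns query=teoresp.com',
    r'ts=10:15:02 host=ws01 type=proc image="C:\Users\Public\mimikatz.exe" cmd="mimikatz.exe sekurlsa::logonpasswords"',
    'ts=10:20:45 host=srv01 type=logon logon_type=10 user=CORP\\svc_backup src=ws01',
    r'ts=10:21:03 host=srv01 type=proc image="C:\Windows\PSEXESVC.exe" cmd="PSEXESVC.exe"',
    'ts=10:21:10 host=srv01 type=dns query=kurvalarva.com',
    r'ts=10:30:00 host=srv01 type=file path="D:\share\report.docx"',
    r'ts=10:31:42 host=srv01 type=file path="D:\share\ledger.xlsx.cuba"',
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(f"{hit.host:6} {hit.rule:20} {hit.detail}")
```

Run as-is, it prints eight findings, one per stage of the constructed chain, and nothing for the benign update lookup, the plain Get-Process call or the .docx write. The point of decoding the encoded command before matching is that the marker strings never appear in the process command line itself; a rule that only greps the command line would see nothing but “-enc” and a blob of base64.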
The notice also includes details of other attacks, along with samples of the ransom notes and emails the attackers typically leave behind.
Given the group’s level of activity relative to better-known ransomware operations, ransomware experts were somewhat surprised by how much money it has taken in.
Emsisoft threat analyst Brett Callow said the report illustrates how profitable the ransomware business is, given that the Cuba ransomware group is not even in the top ten by activity.
His data shows 105 Cuba ransomware submissions this year, compared with 653 for the Conti ransomware group.
“This really highlights how much money ransomware can make. Cuba is a relatively small player, and if they make $49 million, other groups’ income will be much higher,” Callow told ZDNet. “Of course, this is why ransomware is so difficult to deal with. The huge reward means that people think the risk is worth it.”
The group has operated a leak site since January and has become one of many ransomware operations that threaten to publish stolen data if the victim does not pay.
In April, McAfee’s Advanced Threat Research team released a detailed report in which it noted many of the same things the FBI found in its analysis. McAfee’s researchers also found that although the group has existed for years, it only recently began using its leak site to extort victims.
The group usually targets companies in the United States, South America and Europe. McAfee said the group has sold stolen data in some cases.
“Cuba ransomware is an older ransomware that has been active for the past few years. The actors behind it have recently shifted to leaking the stolen data to increase its impact and revenue, much like we have seen recently with other major ransomware campaigns,” the McAfee report explained.
“In our analysis, we observed that the attacker had access to the network before infection and was able to gather specific information to plan the attack and have the greatest impact. The attacker operated using a set of PowerShell scripts that allowed them to move laterally. The ransom note mentions that the data was exfiltrated before it was encrypted.”
In February, the group made waves when it attacked payment processor Automatic Funds Transfer Services, forcing multiple US states to issue breach notification letters. As Bleeping Computer first reported, the attack involved the theft of “financial documents, communications with bank employees, account changes, balance sheets and tax documents.” The incident also significantly disrupted the company’s services for several weeks.
According to Bleeping Computer, multiple states were concerned because they use the company for services that give it access to people’s names, addresses, phone numbers, license plate numbers, vehicle identification numbers (VINs), credit card information, paper checks and other billing details. The state of California and several cities in Washington state were affected and issued breach notices.
Allan Liska, a ransomware expert at Recorded Future, said the FBI report also shows how limited visibility into the ransomware field is.
“The Cuba ransomware site lists 28 victims, but the FBI knows of at least 49 victims. We only know about half of their victims,” Liska said.
“Although the number of victims is small, the FBI claims they made at least 43.9 million US dollars, which shows that ransomware is still extremely profitable for these threat actors. Their targets are often mid-sized organizations and are distributed all around the world. I think this shows how much we don’t know.”