FBI: Cuba ransomware group hit 49 critical infrastructure organizations
The FBI has released a new notice about the Cuba ransomware, explaining that the group has attacked "49 entities in five critical infrastructure sectors" and has collected at least $43.9 million in ransom payments.
In a notice sent out on Friday, the FBI said the group is targeting enterprises in the financial, government, healthcare, manufacturing, and information technology sectors, and is using the Hancitor malware to gain access to Windows systems.
"Cuba ransomware is distributed through Hancitor malware, a loader known for dropping or executing stealers, such as Remote Access Trojans (RATs) and other types of ransomware, onto victims' networks," the notice explained, noting that the encrypted files have the ".cuba" extension.
"Hancitor malware actors use phishing emails, Microsoft Exchange vulnerabilities, compromised credentials, or legitimate Remote Desktop Protocol (RDP) tools to gain initial access to a victim's network. Subsequently, Cuba ransomware actors use legitimate Windows services — such as PowerShell, PsExec, and other unspecified services — and then leverage Windows Admin privileges to execute their ransomware and other processes remotely."
The eye-popping ransom payments are dwarfed by the amount of money the group has demanded from victims, which the FBI pegged at $74 million.
Once a victim is compromised, the ransomware installs and executes a CobaltStrike beacon while two executable files are downloaded. The two files allow attackers to acquire passwords and "write to the compromised system's temporary (TMP) file."
"Once the TMP file is uploaded, the 'krots.exe' file is deleted and the TMP file is executed in the compromised network. The TMP file includes Application Programming Interface (API) calls related to memory injection that, once executed, deletes itself from the system. Upon deletion of the TMP file, the compromised network begins communicating with a reported malware repository located at Montenegro-based Uniform Resource Locator (URL) teoresp.com," the FBI explained.
"Further, Cuba ransomware actors use MimiKatz malware to steal credentials, and then use RDP to log into the compromised network host with a specific user account. Once an RDP connection is complete, the Cuba ransomware actors use the CobaltStrike server to communicate with the compromised user account. One of the initial PowerShell script functions allocates memory space to run a base64-encoded payload. Once this payload is loaded into memory, it can be used to reach the remote command-and-control (C2) server and then deploy the next stage of files for the ransomware. The remote C2 server is located at the malicious URL kurvalarva.com."
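The chain the notice describes (an encoded PowerShell command that allocates memory for a base64 payload, PsExec for remote execution, Mimikatz for credential theft) gives a defender concrete things to look for in process-creation and script-block logs. The Python scanner below is an added example written for this page; it is not code from the FBI notice, ZDNet, or any vendor. It decodes PowerShell -EncodedCommand arguments (base64 over UTF-16LE, which is why they cannot simply be read as text) and then flags memory-injection API names, embedded base64 payloads, and the tooling the notice names. The sample log records, the specific API list, and the indicator names are all constructed for the example and are assumptions, not content of the notice.

```python
import base64
import binascii
import re

# Win32 API names commonly used by in-memory injection scripts. The FBI
# notice only says "API calls related to memory injection"; this concrete
# list is an assumption made for the example, not taken from the notice.
MEMORY_INJECTION_APIS = (
    "VirtualAlloc",
    "VirtualProtect",
    "WriteProcessMemory",
    "CreateRemoteThread",
    "CreateThread",
    "GetProcAddress",
)

# Tooling the notice names (PsExec, Mimikatz, Cobalt Strike), matched
# case-insensitively on the raw record text.
TOOLING_KEYWORDS = ("psexec", "mimikatz", "cobalt")

# powershell.exe accepts abbreviated switches, so -e, -ec, -enc and
# -encodedcommand all select -EncodedCommand. The argument is base64 of the
# script in UTF-16LE, so it must be decoded as such, not as UTF-8.
ENCODED_RE = re.compile(
    r"-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE
)


def decode_encoded_command(record):
    """Return the plaintext of a -EncodedCommand argument, or None."""
    match = ENCODED_RE.search(record)
    if match is None:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def indicators_for(record):
    """Return the set of indicator names that fire on one log record."""
    found = set()
    decoded = decode_encoded_command(record)
    if decoded is not None:
        found.add("encoded_command")
        record = record + "\n" + decoded  # inspect the decoded script as well
    lowered = record.lower()
    if any(api.lower() in lowered for api in MEMORY_INJECTION_APIS):
        found.add("memory_injection_api")
    if "frombase64string" in lowered:
        found.add("embedded_base64_payload")
    if any(tool in lowered for tool in TOOLING_KEYWORDS):
        found.add("known_tooling")
    return found


def scan_events(events):
    """Return (event_id, sorted indicators) for every record that fires a rule."""
    hits = []
    for event_id, record in events:
        found = indicators_for(record)
        if found:
            hits.append((event_id, sorted(found)))
    return hits


# Constructed sample records (not real telemetry), shaped like Windows
# process-creation (4688) and PowerShell script-block (4104) events.
SAMPLE_INJECTOR_SCRIPT = (
    "$buf=[Convert]::FromBase64String('TVqQAAMAAAAEAAAA');"
    "$addr=[Win32]::VirtualAlloc(0,$buf.Length,0x3000,0x40)"
)
SAMPLE_ENCODED = base64.b64encode(SAMPLE_INJECTOR_SCRIPT.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    (4688, "Process Command Line: powershell.exe -NoP -W Hidden -Enc " + SAMPLE_ENCODED),
    (4688, "Process Command Line: psexec.exe \\\\FILESRV01 -s cmd.exe /c net user"),
    (4104, "Creating Scriptblock text (1 of 1): Get-ChildItem -Path C:\\Users -Recurse"),
    (4688, "Process Command Line: powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"),
    (4104, "Creating Scriptblock text (1 of 1): Invoke-Mimikatz -DumpCreds"),
]

if __name__ == "__main__":
    for event_id, indicators in scan_events(SAMPLE_EVENTS):
        print(event_id, ", ".join(indicators))
```

Decoding before matching is the point of the example: the API names in the first record are invisible in the raw command line and only appear once the UTF-16LE payload is recovered, which is also why the benign `-ExecutionPolicy Bypass` record produces no hits. In a real deployment the same rules would be enriched with parent-process and user context rather than run on the command line alone.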
The FBI included other attack information as well as a sample ransom note and the email address the attackers typically include.
Ransomware experts were somewhat surprised by the amount of money the group made, considering its level of activity relative to other, more prominent ransomware groups.
Emsisoft threat analyst Brett Callow said the report illustrated how lucrative the ransomware industry is, considering the Cuba ransomware group is not in Emsisoft's top-ten list by activity.
His data shows 105 Cuba ransomware submissions this year compared to 653 for the Conti ransomware group.
"This really highlights how much money there is to be made from ransomware. Cuba is a relatively small player and if they made $49 million, other outfits will have made considerably more," Callow told ZDNet. "And this, of course, is why ransomware is such a hard problem to deal with. The big rewards mean people consider the risks worthwhile."
Since January, the group has operated a leak site, becoming one of the many ransomware groups that threaten to release stolen data if victims don't pay.
The McAfee Advanced Threat Research Team released a detailed report on the group in April, noting many of the same things the FBI found in its analysis. McAfee researchers also found that while the group had been around for years, it only recently began extorting victims with its leak site.
The group typically targets companies in the US, South America and Europe. McAfee said that the group has sold stolen data in some instances.
"Cuba ransomware is an older ransomware that has been active for the past few years. The actors behind it recently switched to leaking the stolen data to increase its impact and revenue, much like we have seen recently with other major ransomware campaigns," the McAfee report explained.
"In our analysis, we observed that the attackers had access to the network before the infection and were able to collect specific information in order to orchestrate the attack and have the biggest impact. The attackers operate using a set of PowerShell scripts that enables them to move laterally. The ransom note mentions that the data was exfiltrated before being encrypted."
The group made waves in February when it attacked payment processor Automatic Funds Transfer Services, forcing multiple US states to send out breach notification letters. First reported by Bleeping Computer, the attack involved the theft of "financial documents, correspondence with bank employees, account movements, balance sheets and tax documents." The incident also caused significant disruption to the company's services for weeks.
Multiple states were concerned because they used the company for a variety of services that gave it access to people's names, addresses, phone numbers, license plate numbers, VIN numbers, credit card information, paper checks and other billing details, according to Bleeping Computer. The state of California and multiple cities in Washington state were affected and sent out breach notification letters.
Allan Liska, a ransomware expert with Recorded Future, said the FBI report also showed the observability problem with the ransomware landscape.
"There have been 28 victims published to the Cuba extortion site, but the FBI knew about at least 49 victims. We only knew about half of their victims," Liska said.
"Despite the small number of victims, the FBI claiming they made at least $43.9 million shows that ransomware continues to be extremely profitable for these threat actors. Their targets tended to be medium sized organizations and were spread around the world. I think it shows there's a lot we don't know."
This article was originally published by zdnet.com.