Cuba Ransomware

Cuba is often dropped via first-stage Hancitor loader malware, which gains access through phishing attacks, exposed vulnerabilities, or stolen or brute-forced RDP credentials. To lock targets out of their files, Cuba uses the symmetric encryption algorithm ChaCha20 and then appends and encrypts the decryption key using an RSA public key for which they hold the matching private key.

The various tools, tactics and techniques observed in Cuba attacks are noteworthy. Here is a non-exhaustive list of Cuba’s tactics and techniques:

• Communicating to command and control (C2) servers via SystemBC malware that uses SOCKS5 connections
• Leveraging Microsoft Exchange vulnerabilities to penetrate network mail servers
• Moving laterally through a network using a PowerShell, SystemBC, Mimikatz, Cobalt Strike platform, and built-in tools such as cmd.exe
• Use PSEXEC to transfer the payloads to newly compromised systems
• Removing network share access controls
• Creating new users on the compromised system for persistent access 
• Altering firewall rules to allow port 3389 for RDP connections
• Disabling Endpoint Detection and Response (EDR) and antivirus security products
• Exploiting Windows Common Log File System (CLFS) driver to steal admin credentials
• Using custom downloader BUGHATCH, antimlaware killer BURNTCIGAR, and Metasploit frameworks to attack systems
• Evading defenses and bypassing security using the Bring Your Own Vulnerable Driver (BYOVD) technique
• Exploiting the vulnerabilitiy CVE-2023-27532 via the Veeam Backup Service to access stored credentials

Cuba ransomware uses multiple attack techniques, so a Defense in Depth approach is advised for combatting this vicious adversary. Defensive measures that can be employed to combat Cuba ransomware attacks include: 

• Password policies mandating strong keyspace and enabling multi-factor authentication for all critical services
• Modern Identity and Access Management (IAM) tools 
• Advanced endpoint security products on all endpoints to detect indicators of compromise (IOC) and take defensive action to block malicious payloads from executing
• Keeping all operating systems and software up to date and conducting regular vulnerability scanning and penetration testing of all network infrastructure, remediating any discovered vulnerabilities as soon as possible
• Implementing a principle of least privilege approach to security, including removing unnecessary access to administrative shares and other services
• Segmented networks and NIPS and NIDS to monitor network activity for anomaly behavior
• Hardening all endpoints, including employee workstations and servers, by disabling command-line and scripting activities and permissions and unrequired services to reduce the potential of a living off the land (LOTL)-type attacks
• A solid backup strategy that includes offline, encrypted, and immutable backups of data