Cuba Ransomware Targets Critical Networks in Ukraine
Category: Critical Infrastructure Security | Industries: Food & Beverage, Critical Infrastructure, Manufacturing, Military | Level: Tactical | Sources: Blackberry, BleepingComputer and CERT-UA
An alert from the Computer Emergency Response Team of Ukraine (CERT-UA) warns Ukrainian organizations of Cuba ransomware attacks against critical networks. On October 21st, 2022, Cuba ransomware operators were observed distributing phishing emails impersonating the Press Service of the General Staff of the Armed Forces of Ukraine. The malicious email contains a link that downloads a remote access trojan labeled "ROMCOM RAT." The BlackBerry Research and Intelligence team has tracked the distribution of ROMCOM RAT and observed "Advanced IP Scanner" packages being deployed alongside the RAT for reconnaissance. CERT-UA assesses: "Considering the use of the RomCom backdoor, as well as other features of the related files, we believe it is possible to associate the detected activity with the activity of the group Tropical Scorpius (Unit42) aka UNC2596 (Mandiant), which is responsible for the distribution of Cuba Ransomware." Victims of the recent campaigns fall in the critical infrastructure, military, food & beverage, and manufacturing verticals.
Anvilogic Use Cases:
- Suspicious File written to Disk
- Executable Process from Suspicious Folder
- Rundll32 Command Line
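The three use cases above are detection ideas, not rules. As an added example (not Anvilogic's, CERT-UA's or BlackBerry's own content), the script below implements all three as simple logic over constructed Sysmon-style JSON events: EventID 11 (file created) for "Suspicious File written to Disk", EventID 1 (process created) for the other two. The folder watch-list, the sample telemetry and the host and file names are assumptions for the example and are not drawn from the advisory.

```python
import json
import re

# Watch-list of user-writable folders that a phishing-delivered payload is
# typically dropped into and launched from. This list is an assumption for
# the example (tune it per environment); it is not taken from the advisory.
SUSPICIOUS_DIR_PATTERNS = [
    re.compile(p, re.IGNORECASE) for p in (
        r"\\users\\[^\\]+\\appdata\\local\\temp\\",
        r"\\users\\[^\\]+\\downloads\\",
        r"\\users\\public\\",
        r"\\programdata\\",
        r"\\windows\\temp\\",
    )
]
EXECUTABLE_EXTS = (".exe", ".dll", ".scr", ".com", ".cpl")

# rundll32 invocation: optional quoting around the binary, then the module
# argument, which may itself be quoted and may carry a ",ExportName" suffix.
RUNDLL32_RE = re.compile(
    r'^\s*"?[^"]*rundll32(?:\.exe)?"?\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE
)


def in_suspicious_dir(path):
    """True if a Windows path lies under one of the watched folders."""
    return any(p.search(path) for p in SUSPICIOUS_DIR_PATTERNS)


def rundll32_module(command_line):
    """Return the module path rundll32 was asked to load, or None if the
    command line carries no module argument."""
    m = RUNDLL32_RE.match(command_line)
    if not m:
        return None
    module = m.group(1) or m.group(2)
    return module.split(",", 1)[0]  # strip ",Export" and keep the file path


def evaluate(event):
    """Run the three use cases against one event; return the rule names fired."""
    hits = []
    eid = event.get("EventID")
    if eid == 11:  # file created
        target = event.get("TargetFilename", "")
        if in_suspicious_dir(target) and target.lower().endswith(EXECUTABLE_EXTS):
            hits.append("Suspicious File written to Disk")
    elif eid == 1:  # process created
        image = event.get("Image", "")
        if in_suspicious_dir(image):
            hits.append("Executable Process from Suspicious Folder")
        if image.lower().endswith("\\rundll32.exe"):
            module = rundll32_module(event.get("CommandLine", ""))
            # Flag a module that sits in a drop folder or is not a .dll at all
            # (payloads renamed to .dat/.tmp are a common way to dodge filters).
            if module and (in_suspicious_dir(module) or not module.lower().endswith(".dll")):
                hits.append("Rundll32 Command Line")
    return hits


def scan(lines):
    """Evaluate JSON-lines events; return (rule, host, artifact) tuples."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        artifact = ev.get("TargetFilename") if ev.get("EventID") == 11 else ev.get("Image")
        for rule in evaluate(ev):
            alerts.append((rule, ev.get("Computer"), artifact))
    return alerts


# Constructed sample telemetry (not real campaign data): a browser download, its
# execution, rundll32 loading a renamed file from a public folder, then three
# benign events that must not fire.
SAMPLE_EVENTS = [
    r'{"EventID": 11, "Computer": "WS-01", "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "TargetFilename": "C:\\Users\\jdoe\\Downloads\\document.exe"}',
    r'{"EventID": 1, "Computer": "WS-01", "Image": "C:\\Users\\jdoe\\Downloads\\document.exe", "CommandLine": "C:\\Users\\jdoe\\Downloads\\document.exe", "ParentImage": "C:\\Windows\\explorer.exe"}',
    r'{"EventID": 1, "Computer": "WS-01", "Image": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": "rundll32.exe C:\\Users\\Public\\libcrypt.dat,Start", "ParentImage": "C:\\Users\\jdoe\\Downloads\\document.exe"}',
    r'{"EventID": 1, "Computer": "WS-01", "Image": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": "\"C:\\Windows\\System32\\rundll32.exe\" \"C:\\Windows\\System32\\shell32.dll\",Control_RunDLL", "ParentImage": "C:\\Windows\\explorer.exe"}',
    r'{"EventID": 11, "Computer": "WS-01", "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "TargetFilename": "C:\\Users\\jdoe\\Downloads\\report.pdf"}',
    r'{"EventID": 1, "Computer": "WS-01", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe"}',
]

if __name__ == "__main__":
    for rule, host, artifact in scan(SAMPLE_EVENTS):
        print(f"[{host}] {rule}: {artifact}")
```

Run against the sample events, the script raises exactly three alerts: the dropped executable, its execution from the Downloads folder, and the rundll32 load of a non-.dll file from C:\Users\Public; the shell32.dll control-panel call, the PDF download and notepad stay silent. rundll32 is a signed living-off-the-land binary that legitimate software calls constantly, so the two qualifiers (module path in a drop folder, or a module without a .dll extension) are what keep the rule usable; baseline the rule against a week of normal rundll32 activity and add the false positives you find to an allow-list before routing it to analysts.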