_{US Agencies Release Updates for Cuba Ransomware}

‍Category: Ransomware News | Industries: Critical Infrastructure, Financial, Government, Healthcare, Manufacturing, Technology |

‍Level: Tactical | Source: CISA

United States federal agencies, the Federal Bureau of Investigation (FBI), and the Cybersecurity and Infrastructure Security Agency (CISA), issued another entry for their #StopRansomware alert, featuring Cuba ransomware. This prolific threat group has compromised over 100 organizations worldwide and amassed $60 million in ransom payments. Despite carrying the name 'Cuba' the operators aren't assessed to be operating in connection to the Republic of Cuba. Verticals targeted by Cuba ransomware include critical infrastructure, financial, government, healthcare, manufacturing, and technology. Within their campaigns, the operators are known to often rely on Hancitor malware to drop information stealing malware or remote access trojans establishing their initial foothold. Notable aspects of the attacks have been the use of vulnerabilities for privilege escalation such as ZeroLogon and using tools to dump LSASS memory. Interestedly the operators used a signed kernel driver, using a certificate from NVIDIA, which was compromised by the LAPSUS$ data extortion group.

Anvilogic Scenario:

• Hancitor & Cuba Ransomware

Anvilogic Use Cases:

• ZeroLogon CVE-2020-1472
• Common LSASS Memory Dump Behavior
• Windows Defender Disabled Detection

‍