Cuba Ransomware Group on a Roll

May 5, 2021

https://profero.io/blog/cuba-ransomware-group-on-a-roll

At the end of 2020, our team, made up of SecurityJoes and Profero incident responders, led an investigation into a complex attack in which hundreds of machines were encrypted, knocking the victim company completely offline. The threat actors behind the attack deployed the Cuba ransomware across the corporate network, using a mixture of PowerShell scripts, SystemBC, and Cobalt Strike to propagate it. Cuba ransomware uses the symmetric ChaCha20 algorithm to encrypt files and the asymmetric RSA algorithm to encrypt the key material. As a result, the files could not be decrypted without the threat actors' private RSA key.

In the days following the attack, our incident responders investigated the threat actors' modus operandi, their malicious software, and their lateral movement tools. Simultaneously, we initiated negotiations with the attackers; over the course of the investigation we discovered, through a simple translation mistake on their part, that they are Russian speakers. Unfortunately, several essential links were missing, so we were unable to approximate the attackers' location, and their whereabouts remain unknown. Negotiations concluded with the ransom being paid and a decryptor being received. After we determined that the decryptor contained no malicious code and confirmed that it did in fact decrypt the encrypted files, we deployed it across the network, allowing operations to resume.

The discovered ransomware binary was generic: it used existing encryption algorithm implementations and stored its strings in plaintext, but it was wrapped in several layers of obfuscation and packers. Based on these factors, we believe the attackers are not state-sponsored but operate simply as a threat group. They are fast-acting and seem to prefer to communicate via email; they generally launch their attacks by setting up email accounts to initiate communication a few days before deploying the ransomware. Additionally, based on ransom notes we have discovered through pivoting, it is clear the actors often use ProtonMail as their primary email host.

The full, non-gated report is available here.

© 2024 Profero. All rights reserved.