At the end of 2020, our team, made up of SecurityJoes and Profero incident responders, led an investigation into a complex attack in which hundreds of machines were encrypted, knocking the victim company offline completely. The threat actors behind the attack deployed the Cuba ransomware across the corporate network, using a mixture of PowerShell scripts, SystemBC, and Cobalt Strike to propagate it. Cuba ransomware uses the symmetric ChaCha20 algorithm to encrypt files and the asymmetric RSA algorithm to encrypt the key material. As a result, the files could not be decrypted without the threat actors' private RSA key.

In the days following the attack, our incident responders investigated the modus operandi of the threat actors, their malicious software, and their lateral movement tools. Simultaneously, we initiated negotiations with the attackers, who, as we discovered over the course of the investigation, are Russian speakers, due to a simple translation mistake on their part. Unfortunately, due to several essential missing links, we were unable to approximate the attackers' location, and their whereabouts remain unknown. Negotiations concluded with the ransom being paid and a decryptor being received. After we determined that the decryptor contained no malicious code and confirmed that it did in fact decrypt the encrypted files, we deployed it across the network, allowing operations to resume.

The discovered ransomware binary was generic: it relied on existing implementations of standard encryption algorithms and stored its strings in plaintext; however, it was wrapped in several layers of obfuscation and packers. Based on these factors, we believe the attackers are not state-sponsored, but are instead operating simply as a threat group. They are fast-acting and seem to prefer to communicate via email; they generally launch their attacks by setting up email accounts to initiate communication a few days in advance of deploying the ransomware.
Additionally, based on ransom notes we’ve discovered through pivoting, it’s clear the actors often use ProtonMail as their primary email host.
The full, non-gated version of the report is available here.