Meet The Cuba Ransomware Gang…. Yet Another Dangerous Threat Actor That You Need To Worry About

BlackBerry’s Threat Research and Intelligence team have details on a ransomware gang called Cuba that is using a number of new and old tools to go after US and Latin American targets:

Cuba ransomware is currently into the fourth year of its operation and shows no sign of slowing down. In the first half of 2023 alone, the operators behind Cuba ransomware were the perpetrators of several high-profile attacks across disparate industries.

The BlackBerry Threat Research and Intelligence team investigated a campaign by this threat group conducted in June that culminated in attacks on an organization within the critical infrastructure sector in the United States, and also on an IT integrator in Latin America. The Cuba threat group, believed to be of Russian origin, deployed a set of malicious tools that overlapped with previous campaigns associated with this attacker, as well as introducing new ones — including the first observed use of an exploit for the Veeam vulnerability CVE-2023-27532.Note that prior to the publication of this report, BlackBerry shared this information privately with the relevant authorities, to support security and resilience across organizations worldwide.

And who are they? BlackBerry can help you with that:

Cuba ransomware, also known as COLDDRAW ransomware, first appeared on the threat landscape in 2019 and has built up a relatively small but carefully selected list of victims in the years since. It is also known as Fidel ransomware, due to a characteristic marker placed at the beginning of all encrypted files. This file marker is used as an indicator to both the ransomware and its decoder that the file has been encrypted.

Despite its name and the Cuban nationalistic styling on its leak site, it unlikely has any connection or affiliation with the Republic of Cuba. It has previously been linked to a Russian-speaking threat actor by researchers at Profero due to some linguistic mistranslation details they uncovered, as well as the discovery of a 404 webpage containing Russian text on the threat actor’s own leak site.Based on the strings analysis of the code used in this campaign, we also found indications that the developer behind Cuba ransomware is Russian-speaking. That theory is further strengthened by the fact the ransomware automatically terminates its own execution on hosts that are set to the Russian language, or on those that have the Russian keyboard layout present.

Lovely. Another group of Russian threat actors to worry about. The BlackBerry report has a lot of detail about this group and how to not become one of their victims. It’s very much worth reading and implementing their recommendations.

Leave a Reply

%d bloggers like this: