On Dec. 1, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint Cybersecurity Advisory (CSA) regarding Cuba ransomware that is targeting critical infrastructure sectors, including healthcare. The advisory notes that the ransomware is known as “Cuba ransomware,” but there is no indication Cuba ransomware actors have any affiliation with the Republic of Cuba.
The advisory explains that since the release of “FBI Flash: Indicators of Compromise Associated with Cuba Ransomware” in December of 2021, FBI has seen Cuba ransomware actors targeting five critical infrastructure sectors: financial services, government facilities, healthcare and public health, critical manufacturing, and information technology. Since August of this year, FBI has detected that Cuba ransomware has compromised more than 100 entities globally and demanded more than $145 million (USD) and received more than $60 million (USD) in ransom payments.
Cuba ransomware actors use techniques including known vulnerabilities in commercial software, phishing campaigns, compromised credentials and legitimate remote desktop protocol (RDP) tools.
The advisory adds that “Since spring 2022, third-party and open-source reports have identified an apparent link between Cuba ransomware actors, RomCom RAT actors, and Industrial Spy ransomware actors:
- According to Palo Alto Networks Unit 42, Cuba ransomware actors began using RomCom malware, a custom RAT, for command and control.
- Cuba ransomware actors may also be leveraging Industrial Spy ransomware. According to third-party reporting, suspected Cuba ransomware actors compromised a foreign healthcare company. The threat actors deployed Industrial Spy ransomware, which shares distinct similarities in configuration to Cuba ransomware. Before deploying the ransomware, the actors moved laterally using Impacket and deployed the RomCom RAT and Meterpreter Reverse Shell HTTP/HTTPS proxy via a C2 server.
- Cuba ransomware actors initially used their leak site to sell stolen data; however, around May 2022, the actors began selling their data on Industrial Spy’s online market for selling stolen data.”
Further, “RomCom actors have targeted foreign military organizations, IT companies, food brokers and manufacturers. The actors copied legitimate HTML code from public-facing webpages, modified the code, and then incorporated it in spoofed domains, which allowed the RomCom actors to:
- Host counterfeit Trojanized applications for:
- SolarWinds Network Performance Monitor (NPM),
- KeePass password manager,
- PDF Reader Pro, (by PDF Technologies, Inc., not an Adobe Acrobat or Reader product), and
- Advanced IP Scanner software
- Deploy the RomCom RAT as the final stage.”
FBI and CISA recommend a number of mitigations to limit potential impact of Cuba ransomware, including:
- Implementing a recovery plan to maintain and retain multiple copies of sensitive or propriety data and servers in a separate physical, segmented, and secure location
- Requiring accounts with password logins to comply with National Institute for Standards and Technology (NIST) standards for passwords
- Requiring administrator credentials to download software
- Requiring multifactor authentication for all services, to the extent possible
- Keeping all operating systems, software, and firmware up to date
- Segmenting networks to prevent ransomware spread
- Installing and regularly updating real time detection for antivirus software on all hosts
- Disabling hyperlinks in incoming emails
- Maintaining offline backups of data
