FBI releases flash alert against the Cuba ransomware gang


On Thursday, 2 December 2021, the United States Federal Bureau of Investigation (FBI) released a joint TLP:WHITE flash alert revealing that the Cuba ransomware gang has compromised at least 49 organisations across five critical infrastructure sectors: financial, government, healthcare, manufacturing, and information technology. The FBI also reported that the Cuba ransomware variant is commonly distributed through the Hancitor malware, a loader known for dropping and executing other malware and tools used by the threat actors. The operators behind Hancitor gain initial access to a victim's network through phishing emails, Microsoft Exchange vulnerabilities, compromised credentials, or legitimate Remote Desktop Protocol (RDP) tools. Once inside, the Cuba ransomware gang abuses legitimate Windows services to obtain Windows administrator privileges and uses them to execute the ransomware and other processes remotely.

The flash alert was released in coordination with the U.S. Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA) to provide key cyber threat information that helps security professionals and organisations detect and counter attack attempts by the Cuba ransomware gang. According to the alert, the gang has demanded at least $74 million and received an estimated $43.9 million in ransom payments.

In the alert, the FBI asks that any information related to the Cuba ransomware gang and its activities be shared with the Bureau. Such information can include “boundary logs showing communication to and from foreign IP addresses, Bitcoin wallet information, the decryptor file, and/or a benign sample of an encrypted file.”
