CUBA RANSOMWARE (COLDRAW)
Introduction
Cuba ransomware, which is also known as COLDRAW, has been operational since January 2020. As of early November 2021, Cuba ransomware actors have compromised over 49 entities in five critical infrastructure sectors, including the financial, government, healthcare, manufacturing, and information technology sectors.
There is no decryptor for any of the active variants of the Cuba ransomware.
Modus Operandi
Initial access
The infection vectors used by the Cuba ransomware group include spam emails and Microsoft Exchange vulnerabilities. The spam campaigns are aimed at tricking the targets into enabling macros within the macro-laden Microsoft Office attachments or clicking on a malicious URL link that would download the Hancitor Trojan. The Cuba ransomware group has also been observed leveraging Microsoft Exchange vulnerabilities including ProxyShell and ProxyLogon since August 2021 as another way to gain initial access to their targets.
Installation
After the Hancitor Trojan is installed, it will gather as much user and system information as possible before attempting to send a query string based on the gathered information to a hardcoded list of command and control (C2) servers where it waits for a response to instruct it to attempt to download several additional tools via the command and control server to facilitate lateral movement and data extraction. The Cuba ransomware has also been observed deploying web shells to establish a foothold in the victim network.
Based on previous incidents, Cuba ransomware incidents have involved the use of credentials from valid accounts to escalate privileges. It has been observed that the Cuba ransomware group has used Mimikatz and WICKER to steal credentials for these escalations. It has also been observed that the group has manipulated existing Windows accounts or created their own Windows accounts on their victim’s machines before modifying file access permissions to allow for further privileges.
As well as using the stolen credentials for privilege escalation, the Cuba ransomware group use the stolen credentials for lateral movement through RDP of valid accounts. Other methods for lateral movement include SMB and PsExec which use the CobaltStrike BEACON that was installed during the initial access.
Encryption
To ensure that the target’s cybersecurity measures do not inhibit the attack, the Cuba ransomware group has been observed deploying the BURNTCIGAR utility using a batch script which terminates processes associated with endpoint security software to allow their ransomware and other tools to execute uninhibited. It has also been observed that the group has used leaked signing certs with the Cuba ransomware to bypass cybersecurity measures like anti-viruses.
To finalise the attack against their targets, the Cuba ransomware group will run PowerShell scripts to load the next stage of payloads for the installation of the Cuba ransomware and encryption of the target’s files and systems. Before the encryption of the target’s machines, the Cuba ransomware group attempts to steal files of importance. Finally, the group will run batch scripts which are used to map each drive to a network share. These newly created shares are then available for encryption.