{"id":6702,"date":"2021-11-09T14:22:57","date_gmt":"2021-11-09T05:22:57","guid":{"rendered":"https:\/\/cyberenso.jp\/?page_id=6702"},"modified":"2022-06-09T14:33:30","modified_gmt":"2022-06-09T05:33:30","slug":"cuba-ransomware","status":"publish","type":"page","link":"https:\/\/cyberenso.jp\/en\/types-of-ransomware\/cuba-ransomware\/","title":{"rendered":"Cuba Ransomware"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-page\" data-elementor-id=\"6702\" class=\"elementor elementor-6702\" data-elementor-post-type=\"page\">\n\t\t\t\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-1e53f1e elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"1e53f1e\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-18b92f9\" data-id=\"18b92f9\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t\t\t<div class=\"elementor-element elementor-element-6e0faed elementor-invisible elementor-widget elementor-widget-heading\" data-id=\"6e0faed\" data-element_type=\"widget\" data-settings=\"{&quot;_animation&quot;:&quot;bounceIn&quot;}\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t<h2 class=\"elementor-heading-title elementor-size-xl\">CUBA RANSOMWARE (COLDRAW)<\/h2>\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<section class=\"elementor-section elementor-inner-section elementor-element elementor-element-5f6cd85 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"5f6cd85\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 
elementor-inner-column elementor-element elementor-element-e119eda\" data-id=\"e119eda\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t\t\t<div class=\"elementor-element elementor-element-c74f0af elementor-widget elementor-widget-image\" data-id=\"c74f0af\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" src=\"https:\/\/i0.wp.com\/cyberenso.jp\/wp-content\/uploads\/2022\/06\/Picture1.png?fit=601%2C343&amp;ssl=1\" title=\"Picture1\" alt=\"Picture1\" loading=\"lazy\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-inner-section elementor-element elementor-element-6bf1249 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"6bf1249\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-50 elementor-inner-column elementor-element elementor-element-0440275\" data-id=\"0440275\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t\t\t<div class=\"elementor-element elementor-element-a321bb9 elementor-widget elementor-widget-text-editor\" data-id=\"a321bb9\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<h4 style=\"text-align: left;\"><strong><span style=\"color: #444444;\">Introduction<\/span><\/strong><\/h4><p style=\"text-align: left;\">Cuba ransomware, which is also known as COLDRAW, has been operational since January 2020. 
As of early November 2021, Cuba ransomware actors have compromised over 49 entities in five critical infrastructure sectors, including the financial, government, healthcare, manufacturing, and information technology sectors.<br \/>There is no decryptor for any of the active variants of the Cuba ransomware. <\/p><h3 style=\"text-align: left;\"><strong><span style=\"color: #444444;\">Modus Operandi<\/span><\/strong><\/h3><h5 style=\"text-align: left;\"><strong><span style=\"color: #444444;\">Initial access<\/span><\/strong><\/h5><p>The infection vectors used by the Cuba ransomware group include spam emails and Microsoft Exchange vulnerabilities. The spam campaigns are aimed at tricking the targets into enabling macros within the macro-laden Microsoft Office attachments or clicking on a malicious URL link that would download the Hancitor Trojan. The Cuba ransomware group has also been observed leveraging Microsoft Exchange vulnerabilities including ProxyShell and ProxyLogon since August 2021 as another way to gain initial access to their targets.<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-50 elementor-inner-column elementor-element elementor-element-d349fce\" data-id=\"d349fce\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t\t\t<div class=\"elementor-element elementor-element-2ce9e0b elementor-widget elementor-widget-text-editor\" data-id=\"2ce9e0b\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<h5><strong>Installation<\/strong><\/h5><p>After the Hancitor Trojan is installed, it will gather as much user and system information as possible before attempting to send a query string based on the gathered information to a hardcoded list of command and control (C2) servers where it waits for a response to instruct it to attempt to 
download several additional tools via the command and control server to facilitate lateral movement and data extraction. The Cuba ransomware group has also been observed deploying web shells to establish a foothold in the victim network.<br \/>In previous incidents, the Cuba ransomware group has used credentials from valid accounts to escalate privileges. It has been observed that the group has used Mimikatz and WICKER to steal credentials for these escalations. It has also been observed that the group has manipulated existing Windows accounts or created its own Windows accounts on victim\u2019s machines before modifying file access permissions to allow for further privileges. <br \/>As well as using the stolen credentials for privilege escalation, the Cuba ransomware group uses the stolen credentials for lateral movement through RDP with valid accounts. Other methods for lateral movement include SMB and PsExec, which use the CobaltStrike BEACON that was installed during initial access.<\/p><h5><strong>Encryption<\/strong><\/h5><p>To ensure that the target&#8217;s cybersecurity measures do not inhibit the attack, the Cuba ransomware group has been observed deploying the BURNTCIGAR utility using a batch script which terminates processes associated with endpoint security software to allow their ransomware and other tools to execute uninhibited. It has also been observed that the group has used leaked code-signing certificates with the Cuba ransomware to bypass cybersecurity measures such as antivirus software. <br \/>To finalise the attack against their targets, the Cuba ransomware group will run PowerShell scripts to load the next stage of payloads for the installation of the Cuba ransomware and encryption of the target\u2019s files and systems. Before the encryption of the target\u2019s machines, the Cuba ransomware group attempts to steal files of importance. 
Finally, the group will run batch scripts which are used to map each drive to a network share. These newly created shares are then available for encryption.<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>CUBA RANSOMWARE (COLDRAW) Introduction Cuba ransomware, which is also known as COLDRAW, has been operational since January 2020. As of early November 2021, Cuba ransomware actors have compromised over 49 entities in five critical infrastructure sectors, including the financial, government, healthcare, manufacturing, and information technology sectors. There is no decryptor for any of the active variants of the Cuba ransomware.<span class=\"excerpt-hellip\"> [\u2026]<\/span><\/p>\n","protected":false},"author":1,"featured_media":6704,"parent":3201,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-6702","page","type-page","status-publish","has-post-thumbnail","hentry"],"acf":[],"_links":{"self":[{"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/pages\/6702"}],"collection":[{"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/comments?post=6702"}],"version-history":[{"count":6,"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/pages\/6702\/revisions"}],"predecessor-version":[{"id":6710,"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/pages\/6702\/revisions\/6710"}],"up":[{"embeddable":true,"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/pages\/3201"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cyberen
so.jp\/en\/wp-json\/wp\/v2\/media\/6704"}],"wp:attachment":[{"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/media?parent=6702"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}