
Cuba Ransomware Extorted Over $60 Million in Ransom Fees from More than 100 Entities

The threat actors behind Cuba (aka COLDDRAW) ransomware have received more than $60 million in ransom payments and compromised over 100 entities across the world as of August 2022.
In a new advisory shared by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), the agencies highlighted a "sharp increase in both the number of compromised U.S. entities and the ransom amounts."
The ransomware crew, also known as Tropical Scorpius, has been observed targeting the financial services, government facilities, healthcare, critical manufacturing, and IT sectors, while simultaneously expanding its tactics for gaining initial access and interacting with breached networks.
It is worth noting that despite the name "Cuba," there is no evidence to suggest that the actors have any connection or affiliation with the island nation.
The entry point for the attacks involves the exploitation of known security flaws, phishing, compromised credentials, and legitimate remote desktop protocol (RDP) tools, followed by distribution of the ransomware via the Hancitor (aka Chanitor) loader.
Some of the flaws incorporated by Cuba into its toolset are as follows –
- CVE-2022-24521 (CVSS score: 7.8) – An elevation of privilege vulnerability in the Windows Common Log File System (CLFS) Driver
- CVE-2020-1472 (CVSS score: 10.0) – An elevation of privilege vulnerability in the Netlogon Remote Protocol (aka ZeroLogon)
"In addition to deploying ransomware, the actors have used 'double extortion' techniques, in which they exfiltrate victim data, and (1) demand a ransom payment to decrypt it and, (2) threaten to publicly release it if a ransom payment is not made," CISA noted.
Cuba is also said to share links with the operators of the RomCom RAT and another ransomware family called Industrial Spy, according to recent findings from BlackBerry and Palo Alto Networks Unit 42.
The RomCom RAT is distributed through trojanized versions of legitimate software such as SolarWinds Network Performance Monitor, KeePass, PDF Reader Pro, Advanced IP Scanner, pdfFiller, and Veeam Backup & Replication that are hosted on counterfeit lookalike websites.
The advisory from CISA and the FBI is the latest in a series of alerts the agencies have issued about different ransomware strains such as MedusaLocker, Zeppelin, Vice Society, Daixin Team, and Hive.
Source: https://thehackernews.com/2022/12/cuba-ransomware-extorted-over-60.html