Cuba
Cuba ransomware is a financially motivated ransomware and extortion group active since late 2020, also tracked as Tropical Scorpius, ColdDraw, and Fidel. It is described as a ransomware-as-a-service operation. Microsoft has also reported it as an intrusion set that, since late 2022, showed espionage-related motivations in phishing campaigns against defense and government entities in Europe and North America, and Google has said the group pivoted from financially motivated crime to espionage.

Cuba primarily targets organizations in North America and Europe, with victims worldwide. Reporting specifically mentions retailers, manufacturers, and critical infrastructure organizations in the United States, an IT services company in Latin America, and defense and government entities in Europe and North America. Additional reporting notes activity against Western targets throughout 2023 and attacks against Korean companies in 2022. The group uses double extortion, combining ransomware deployment with data exfiltration and public leak-site pressure to coerce cryptocurrency payments. Cuba is reported to have accumulated over $100 million in ransom payments and to use bitcoin mixers to obfuscate payment origins.

Tradecraft reported for the group includes: exploitation of public-facing Microsoft Exchange servers, including ProxyLogon and ProxyShell activity; abuse of Veeam Backup & Replication vulnerabilities, including CVE-2023-27532 and earlier VBR flaws; exploitation of Zerologon (CVE-2020-1472); use of compromised credentials to establish RDP access; creation of hidden local or admin users and enabling RDP for persistence; credential theft with Mimikatz and Meterpreter; attempted privilege escalation with a Zerologon exploit tool; lateral movement with PsExec, WMI, PowerShell, and other LOLBins; and disabling of security tools with DefenderControl and BYOVD techniques.

Malware families and tools attributed to Cuba include custom malware such as BUGHATCH, BURNTCIGAR, Veeamp, and Wedgecut, alongside SystemBC, Cobalt Strike, GoToAssist, NetSupport Manager, Mimikatz, Meterpreter, PowerShell, and PsExec. BUGHATCH is described as a downloader/backdoor associated with Cuba ransomware and UNC2596 reporting. BURNTCIGAR is a custom tool used to terminate security processes via vulnerable drivers. The group has also used BYOVD techniques involving vulnerable Avast anti-rootkit drivers, and one report describes a dropper that installs the ApcHelper.sys kernel driver to stop security product processes.

Defense evasion and anti-forensics behaviors include disguising malware as legitimate software such as 360 Total Security Antivirus and OpenVPN, loading payloads into memory with PowerShell, and deleting artifacts with cmd.exe /c del. Cuba has also been linked to campaigns using file deletion and masquerading techniques. Reporting states that evidence suggests Russian-speaking developers or members, but does not establish state sponsorship.

Reporting also notes possible alias or subgroup identity changes, including a recent alias 'V Is Vendetta', but this is less consistently referenced than Cuba/Tropical Scorpius.
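As an added illustration (not code from the page or from any vendor), the following Python sketch runs detection logic for three of the behaviours listed above over constructed Windows-style events: a new local user followed by RDP being enabled on the same host, cmd.exe /c del artifact cleanup, and a load of the ApcHelper.sys driver. The event field names, the event IDs used as markers, and the sample values are assumptions.

```python
"""Detection sketch for several Cuba ransomware behaviours described above.
Runs over constructed Sysmon/Security-style events, not real telemetry."""
from datetime import datetime, timedelta

# Constructed sample events (assumption: Sysmon-like ids 1=process create, 6=driver load;
# Security 4720=local user created). Field names are hypothetical.
EVENTS = [
    {"ts": "2023-05-01T10:00:00", "host": "srv1", "id": 4720, "user": "svc_backup"},
    {"ts": "2023-05-01T10:02:30", "host": "srv1", "id": 1, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"ts": "2023-05-01T10:05:00", "host": "srv1", "id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c del C:\Users\Public\stage.ps1"},
    {"ts": "2023-05-01T10:06:00", "host": "srv1", "id": 6, "image": r"C:\Windows\Temp\ApcHelper.sys"},
    {"ts": "2023-05-01T11:00:00", "host": "ws7", "id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c dir"},  # benign control event, must not alert
]

# Driver name from the reporting above; extend from your own BYOVD blocklist.
VULN_DRIVERS = {"apchelper.sys"}
RDP_WINDOW = timedelta(minutes=30)  # how soon after user creation an RDP enable is suspicious


def _ts(e):
    return datetime.fromisoformat(e["ts"])


def detect(events):
    """Return a list of (host, rule, detail) findings in event order."""
    findings = []
    new_users = []  # (host, ts, user) seen so far
    for e in sorted(events, key=_ts):
        host = e["host"]
        if e["id"] == 4720:
            new_users.append((host, _ts(e), e["user"]))
            continue
        cmd = e.get("cmdline", "").lower()
        image = e.get("image", "").lower()
        # Rule 1: RDP enabled (fDenyTSConnections=0) shortly after a local user was created.
        if e["id"] == 1 and "fdenytsconnections" in cmd and "/d 0" in cmd:
            for h, t, u in new_users:
                if h == host and timedelta(0) <= _ts(e) - t <= RDP_WINDOW:
                    findings.append((host, "new_user_then_rdp_enabled", u))
        # Rule 2: cmd.exe /c del used to remove staged artifacts.
        if e["id"] == 1 and image.endswith("cmd.exe") and " /c del " in f" {cmd} ":
            findings.append((host, "cmd_del_artifact_cleanup", cmd))
        # Rule 3: known vulnerable driver loaded (BYOVD).
        if e["id"] == 6 and image.rsplit("\\", 1)[-1] in VULN_DRIVERS:
            findings.append((host, "vulnerable_driver_loaded", image))
    return findings
```

Each rule alone is noisy in a large estate; the value is in chaining them per host within a short window, as the sample does for user creation and RDP enablement.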
Recent activity
Ransomware gang linked to attacks targeting Veeam Backup & Replication security flaws.
Referenced as a threat actor previously documented using BYOVD techniques in campaigns.
Ransomware group linked to attacks targeting Veeam Backup & Replication (VBR) vulnerabilities.
Cuba is a ransomware gang known for targeting enterprise backup solutions like Veeam Backup & Replication to facilitate data theft and disrupt restoration efforts before deploying ransomware payloads.