The Cuba ransomware gang is stepping up its attacks. Armed with an arsenal of malware, the hackers have extorted more than $130 million from their victims. An investigation sheds light on the cybercriminals' modus operandi.
At the end of 2020, security researchers at the antivirus vendor Kaspersky identified a new gang specializing in ransomware attacks: Cuba. The Russian-speaking group has also been tracked under the name Tropical Scorpius since its early days. Note that it is also known by the aliases Fidel (a reference to Fidel Castro), ColdDraw, and V for Vendetta.
To turn a profit, the Cuba operators attack oil companies, financial services firms, government agencies, and healthcare providers, primarily in the United States, Canada, and Europe. To get their malware onto targeted systems, the attackers mainly exploit known software vulnerabilities.
Cuba's modus operandi
Once on a machine, the ransomware encrypts the victim's data, and the operators promptly demand a ransom in cryptocurrency in exchange for the decryption key. Unfortunately, the cybercriminals don't stop there. They rely on a strategy called "double extortion": before encrypting anything, they exfiltrate sensitive data whose publication could ruin the business. The attackers mainly look for financial data, such as bank statements, and even source code. They then threaten to make the data public unless the victim pays. This is a double punishment for the targeted firms, which are squeezed from both sides at once.
With this strategy, which is widespread in the criminal world, Cuba has extorted more than 3,600 bitcoins, or more than $130 million, since its first attacks. To evade the authorities, the hackers route the funds through a host of different blockchain addresses and through cryptocurrency mixers, services that blend many users' coins together so that transactions become (almost) impossible to trace.
To maximize its profits, Cuba also rents its ransomware to budding criminals. In exchange for a share of the proceeds, an affiliate can use the gang's infrastructure and code to run attacks. Like DarkGate, Cuba follows the as-a-service model, known in this case as RaaS (Ransomware-as-a-Service), a trend that has come with an explosion in the number of attacks.
New weapons for the Cuba gang
Last December, Kaspersky became aware that Cuba was operating a sophisticated backdoor called Bughatch. Researchers first discovered three suspicious files on a client's server. These files caused a library named komar65 to be loaded on the server. It had already been nicknamed Bughatch by researchers at Mandiant, who had investigated similar incidents. Note that "komar" means "mosquito" in Russian.
This backdoor resides in process memory: using the Windows API, it allocates a memory region and executes a block of shellcode (a malicious code fragment) inside it. The implant then connects to a remote command-and-control server. Through that server, the operators can order the deployment of additional payloads such as Cobalt Strike Beacon, a widely abused post-exploitation agent, or Metasploit, a framework for exploiting vulnerabilities in computer systems. Along the way, certain modules installed by the attackers collect information about the targeted system.
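The loader behaviour described above (memory allocated through the Windows API and executed in place, with no module file behind it) is also what defenders hunt for. What follows is an added example written for this article, not Kaspersky's or Mandiant's code and not Bughatch's own: a small Python triage routine that walks a process memory map and flags committed, executable regions that are not backed by a loaded image. The region records and the process layout are constructed to resemble what VirtualQueryEx reports; the Win32 constants are the real winnt.h values.

```python
"""
Heuristic hunt for in-memory shellcode regions of the kind an in-memory loader
leaves behind: memory allocated with the Windows API and executed from process
memory rather than from a module mapped from disk.

Added example, not the code of any vendor or of the malware discussed. The
Region records in SAMPLE_REGIONS are constructed; the constants are real.
"""
from dataclasses import dataclass
from typing import List, Optional

# Memory protection constants (winnt.h)
PAGE_READONLY = 0x02
PAGE_READWRITE = 0x04
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
EXECUTABLE = {PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}
WRITABLE_EXEC = {PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}

# Region state and type constants (winnt.h)
MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000
MEM_PRIVATE = 0x20000
MEM_MAPPED = 0x40000
MEM_IMAGE = 0x1000000


@dataclass
class Region:
    """One entry of a process memory map, in the shape VirtualQueryEx returns."""
    base: int
    size: int
    state: int
    protect: int
    type: int
    module: Optional[str]  # backing file for MEM_IMAGE regions, else None


@dataclass
class Finding:
    base: int
    size: int
    severity: str
    reason: str


def classify(region: Region) -> Optional[Finding]:
    """Return a Finding if the region looks like code that came from nowhere."""
    if region.state != MEM_COMMIT:
        return None  # reserved or free pages hold nothing to execute
    if region.protect not in EXECUTABLE:
        return None  # data only; heaps and stacks end up here
    if region.type == MEM_IMAGE and region.module:
        return None  # code sections of a module loaded from disk: expected
    if region.protect in WRITABLE_EXEC:
        # Writable *and* executable private memory is the classic
        # VirtualAlloc(PAGE_EXECUTE_READWRITE) + memcpy(shellcode) pattern.
        return Finding(region.base, region.size, "high",
                       "private RWX memory (VirtualAlloc + shellcode pattern)")
    # Executable but not writable: a loader that flipped protection with
    # VirtualProtect after writing, or an executable section with no file.
    return Finding(region.base, region.size, "medium",
                   "executable memory with no backing image")


def scan(regions: List[Region]) -> List[Finding]:
    """Classify every region and return the findings ordered by address."""
    findings = [f for f in (classify(r) for r in regions) if f is not None]
    return sorted(findings, key=lambda f: f.base)


# Constructed memory map of a 64-bit process: two benign module regions,
# a heap, a reserved stack, and three regions a loader would leave behind.
SAMPLE_REGIONS = [
    Region(0x7FF8_1A00_0000, 0x1000, MEM_COMMIT, PAGE_READONLY, MEM_IMAGE, "ntdll.dll"),
    Region(0x7FF8_1A01_0000, 0x12_0000, MEM_COMMIT, PAGE_EXECUTE_READ, MEM_IMAGE, "ntdll.dll"),
    Region(0x0200_0000_0000, 0x10_0000, MEM_COMMIT, PAGE_READWRITE, MEM_PRIVATE, None),
    Region(0x00F0_0000_0000, 0x8000, MEM_RESERVE, 0, MEM_PRIVATE, None),
    Region(0x0201_2000_0000, 0x4000, MEM_COMMIT, PAGE_EXECUTE_READWRITE, MEM_PRIVATE, None),
    Region(0x0201_5000_0000, 0x2000, MEM_COMMIT, PAGE_EXECUTE_READ, MEM_PRIVATE, None),
    Region(0x0202_0000_0000, 0x1_0000, MEM_COMMIT, PAGE_EXECUTE_READ, MEM_MAPPED, None),
]


def report(findings: List[Finding]) -> List[str]:
    """Render findings as one line each, suitable for a triage log."""
    return [f"[{f.severity:6}] {f.base:#018x} +{f.size:#x}  {f.reason}" for f in findings]


if __name__ == "__main__":
    for line in report(scan(SAMPLE_REGIONS)):
        print(line)
```

On a live Windows host the same classification can be fed from VirtualQueryEx output (or from a memory-scanning tool's export); the heuristic deliberately rates RWX private memory higher than RX memory because legitimate JIT engines also produce the latter, so medium findings need a second look rather than an automatic block.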
According to Kaspersky, Cuba has considerably enriched its arsenal with a host of new tools, including Bughatch and a new variant of the Burntcigar malware. Investigators have indeed identified new malware samples attributed to Cuba. In Kaspersky's words, the group "remains dynamic and constantly refines its techniques."