FBI: Cuba ransomware group hit 49 critical infrastructure organizations

The FBI has released a new notice about the Cuba ransomware, explaining that the group has attacked “49 entities in five critical infrastructure sectors” and made at least $43.9 million in ransom payments.

In a notice sent out on Friday, the FBI said the group is targeting enterprises in the financial, government, healthcare, manufacturing, and information technology sectors while using the Hancitor malware to gain entry to Windows systems. 

“Cuba ransomware is distributed through Hancitor malware, a loader known for dropping or executing stealers, such as Remote Access Trojans (RATs) and other types of ransomware, onto victims’ networks,” the notice explained, noting that the encrypted files have the “.cuba” extension. 

“Hancitor malware actors use phishing emails, Microsoft Exchange vulnerabilities, compromised credentials, or legitimate Remote Desktop Protocol (RDP) tools to gain initial access to a victim’s network. Subsequently, Cuba ransomware actors use legitimate Windows services — such as PowerShell, PsExec, and other unspecified services — and then leverage Windows Admin privileges to execute their ransomware and other processes remotely.” 
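The notice names three host-level traces a defender can look for on Windows endpoints: the PsExec service that remote execution leaves behind, PowerShell launched with an encoded command line, and files written with the “.cuba” extension. The following is an added example, not code from the FBI notice or the ZDNet article: a small rule set run over constructed sample events. The event IDs are the standard ones (System 7045 for a new service, Security 4688 for process creation, Sysmon 11 for file creation), `PSEXESVC` is PsExec’s default service name, and the channel labels, field names, severity mapping and sample records are all assumptions made for the example.

```python
"""Detection sketch for the host-level traces the FBI notice names:
PsExec service installs, encoded PowerShell, and ".cuba" file writes.
All sample events below are constructed, not real telemetry."""
import re
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Event:
    """One Windows event reduced to the fields the rules need.
    Channel and field names follow the usual Windows/Sysmon schema (assumed)."""
    channel: str            # "System", "Security" or "Sysmon"
    event_id: int
    fields: dict = field(default_factory=dict)


# Constructed sample events for one host (not real telemetry).
SAMPLE_EVENTS = [
    # System 7045: new service installed; PSEXESVC is PsExec's default service name.
    Event("System", 7045, {"ServiceName": "PSEXESVC",
                           "ImagePath": r"%SystemRoot%\PSEXESVC.exe"}),
    # Security 4688: process creation with a base64-encoded PowerShell command.
    Event("Security", 4688, {"NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                             "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAo"}),
    # Sysmon 11: file created with the ".cuba" extension the notice describes.
    Event("Sysmon", 11, {"TargetFilename": r"C:\Users\alice\Documents\report.docx.cuba"}),
    # Benign noise the rules must not flag.
    Event("Security", 4688, {"NewProcessName": r"C:\Windows\System32\notepad.exe",
                             "CommandLine": "notepad.exe notes.txt"}),
    Event("Security", 4688, {"NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                             "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File audit.ps1"}),
    Event("Sysmon", 11, {"TargetFilename": r"C:\Users\alice\Documents\ok.txt"}),
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand, so match the short forms too.
ENCODED_PS = re.compile(r"\s-(?:e|ec|en|enc|encodedcommand)\b", re.IGNORECASE)


def rule_psexec_service(ev):
    """Flag a service install whose name or image path is PsExec's service."""
    if ev.channel == "System" and ev.event_id == 7045:
        name = ev.fields.get("ServiceName", "")
        path = ev.fields.get("ImagePath", "")
        if "psexesvc" in (name + path).lower():
            return f"PsExec service installed: {name}"
    return None


def rule_encoded_powershell(ev):
    """Flag powershell.exe started with an encoded command argument."""
    if ev.channel == "Security" and ev.event_id == 4688:
        proc = ev.fields.get("NewProcessName", "").lower()
        cmd = ev.fields.get("CommandLine", "")
        if "powershell" in proc and ENCODED_PS.search(cmd):
            return f"Encoded PowerShell command: {cmd[:60]}"
    return None


def rule_cuba_extension(ev):
    """Flag any file written with the ransomware's ".cuba" extension."""
    if ev.channel == "Sysmon" and ev.event_id == 11:
        target = ev.fields.get("TargetFilename", "")
        if target.lower().endswith(".cuba"):
            return f"File written with .cuba extension: {target}"
    return None


RULES = {
    "psexec_service_install": rule_psexec_service,
    "encoded_powershell": rule_encoded_powershell,
    "cuba_extension_write": rule_cuba_extension,
}


def detect(events):
    """Run every rule over every event; return (rule_name, detail) hits in order."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            detail = rule(ev)
            if detail:
                hits.append((name, detail))
    return hits


def triage(hits):
    """Count hits per rule and assign a coarse severity (assumed mapping):
    a .cuba write means encryption is already under way, so it is 'critical';
    remote-execution indicators without it are 'high'."""
    counts = Counter(name for name, _ in hits)
    if counts["cuba_extension_write"]:
        severity = "critical"
    elif counts:
        severity = "high"
    else:
        severity = "none"
    return dict(counts), severity


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for rule_name, detail in found:
        print(f"[{rule_name}] {detail}")
    print(triage(found))
```

The ordering matters for response: the first two rules fire before encryption starts and are the point at which isolating the host still limits damage, while the .cuba write confirms the ransomware is already running. Real deployments would read these fields from the Security, System and Sysmon channels (or an EDR export) instead of the constructed list.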

The eye-popping ransom payments were dwarfed by the amount of money the group has demanded from victims, which the FBI pegged at $74 million. 

Once a victim is compromised, the ransomware installs and executes a CobaltStrike beacon

Read More: https://www.zdnet.com/article/fbi-cuba-ransomware-hit-49-critical-infrastructure-organizations/#ftag=RSSbaffb68