FBI says Cuba ransomware extorted over $60 million in ransom fees from more than 100 entities

Share post:

As of August 2022, the threat actors behind the Cuba (aka COLDDRAW) ransomware had received more than $60 million in ransom payments and had compromised over 100 entities worldwide.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a new advisory highlighting a “sharp increase in both the number of compromised US entities and the ransom amounts.”

According to the FBI and CISA, the ransomware gang has broadened its tactics, techniques, and procedures (TTPs) since the beginning of the year and has been linked to the RomCom Remote Access Trojan (RAT) and Industrial Spy ransomware.

It steals money by exploiting known security flaws, phishing, compromised credentials, and legitimate remote desktop protocol (RDP) tools, then distributes ransomware through Hancitor (aka Chanitor). Cuba has included the following flaws in its toolkit: CVE-2022-24521 (CVSS score: 7.8) (CVSS score: 7.8) – CVE-2020-1472: An elevation of privilege vulnerability in the Windows Common Log File System (CLFS) Driver – A vulnerability in the Netlogon remote protocol that allows for privilege elevation

The malware spread through phishing emails, stolen credentials, Microsoft Exchange exploits, or Remote Desktop Protocol (RDP) tools. Once inside their targets’ networks, Cuba ransomware threat actors use legitimate Windows services (e.g., PowerShell, PsExec, and various other unspecified services) to remotely deploy payloads and encrypt files with the “.cuba” extension.

The sources for this piece include an article in BleepingComputer.

Featured Tech Jobs


Related articles

Cyber Security Today, April 12, 2024 – A warning to Sisense customers, a new tactic for spreading the Raspberry Robin worm, and more

A warning to Sisense customers, a new tactic for spreading the Raspberry Robin worm, and more. Welcome to Cyber Security Today. It’s Friday April 12th, 2024. I’m Howard Solomon. Organizations that use products from business analytics provider Sisense [SI-SENSE] are being told to reset user login credentials and digital keys. The warning comes from the

LinkedIn introduces verification for recruiters to combat scams

LinkedIn announced today the launch of a new verification process for job recruiters, a move aimed at curtailing...

Cyber Security Today, Week in Review for week ending Friday, April 5, 2024

This episode features a discussion on a highly critical report on the hacking of Microsoft Exchange Online email accounts, a case study of a ransomware attack and the discovery of a years-long infiltration of an open source group to insert a backdoor

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways