FBI says Cuba ransomware extorted over $60 million in ransom fees from more than 100 entities

Share post:

As of August 2022, the threat actors behind the Cuba (aka COLDDRAW) ransomware had received more than $60 million in ransom payments and had compromised over 100 entities worldwide.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a new advisory highlighting a “sharp increase in both the number of compromised US entities and the ransom amounts.”

According to the FBI and CISA, the ransomware gang has broadened its tactics, techniques, and procedures (TTPs) since the beginning of the year and has been linked to the RomCom Remote Access Trojan (RAT) and Industrial Spy ransomware.

It steals money by exploiting known security flaws, phishing, compromised credentials, and legitimate remote desktop protocol (RDP) tools, then distributes ransomware through Hancitor (aka Chanitor). Cuba has included the following flaws in its toolkit: CVE-2022-24521 (CVSS score: 7.8) (CVSS score: 7.8) – CVE-2020-1472: An elevation of privilege vulnerability in the Windows Common Log File System (CLFS) Driver – A vulnerability in the Netlogon remote protocol that allows for privilege elevation

The malware spread through phishing emails, stolen credentials, Microsoft Exchange exploits, or Remote Desktop Protocol (RDP) tools. Once inside their targets’ networks, Cuba ransomware threat actors use legitimate Windows services (e.g., PowerShell, PsExec, and various other unspecified services) to remotely deploy payloads and encrypt files with the “.cuba” extension.

The sources for this piece include an article in BleepingComputer.

Featured Tech Jobs



Related articles

Kaspersky uncovers malware targeting iPhones running iOS 15.7 and below

Kaspersky has uncovered a sophisticated malware campaign specifically designed to infect iPhones running up to iOS 15.7 through...

WordPress fixes critical Jetpack plugin vulnerability

WordPress has addressed a critical flaw discovered in the Jetpack plugin, which had the potential to enable authors...

Akamai discovers Dark Frost botnet exploiting gaming platforms

Akamai's security intelligence response team recently has alerted the general public of Dark Frost, a botnet that has...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways