
FBI: Hackers Behind 'Cuba' Ransomware Have Earned at Least $43.9 Million

The group has compromised at least 49 entities in five critical infrastructure sectors, the FBI warns.

By Michael Kan
December 3, 2021
The site the Cuba ransomware group uses to dump information stolen from victim companies.

A ransomware group called Cuba has managed to extort $43.9 million from victims, according to the FBI, which published a warning about the group’s attacks on Friday.

According to federal investigators, the hackers have compromised at least 49 entities involved in critical infrastructure sectors, including healthcare, manufacturing, IT, government, and finance. 

The attacks arrive through a Windows-based malware program called Hancitor, which has been around since at least 2013 and can download additional malicious programs to a PC. Spam email campaigns are one way Hancitor can be delivered to infect a PC.  

“Hancitor malware actors use phishing emails, Microsoft Exchange vulnerabilities, compromised credentials, or legitimate Remote Desktop Protocol (RDP) tools to gain initial access to a victim’s network,” the FBI says in its alert. 

The group then abuses legitimate Windows tools, such as PowerShell and PsExec, to spread the Cuba ransomware program across a victim’s network. The ransomware encrypts files on each compromised computer and appends the “.cuba” extension to them. To decrypt the files, victims have to pay up in Bitcoin.

“Cuba ransomware actors have demanded at least US $74 million and received at least US $43.9 million in ransom payments,” the FBI says.  

The group also steals files from a victim’s network and threatens to dump them on a dark web website unless the ransom is paid, according to security firm McAfee. “Cuba ransomware has targeted several companies in North and South America as well as in Europe,” McAfee wrote in an April report.

Although the group uses the name Cuba, some security researchers in Israel suspect the ransomware gang is actually based in Russia, a country that refuses to extradite criminal hackers to the US.

The FBI issued the warning as the Biden administration has made stopping ransomware a national security priority. To fight back, the Justice Department is calling on victims to report a ransomware attack to the FBI as soon as possible; otherwise, it may be too late for federal investigators to respond.

Regarding the Cuba ransomware group, the FBI said it’s “seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, Bitcoin wallet information, the decryptor file, and/or a benign sample of an encrypted file.”

The agency’s alert also contains tips on how organizations can defend against and detect the group’s attacks. They include using multi-factor authentication, strong unique passwords, and keeping all operating systems up to date with the latest security patches.


About Michael Kan

Senior Reporter

I've been with PCMag since October 2017, covering a wide range of topics, including consumer electronics, cybersecurity, social media, networking, and gaming. Prior to working at PCMag, I was a foreign correspondent in Beijing for over five years, covering the tech scene in Asia.
