The Federal Bureau of Investigation (FBI) has issued a cybersecurity alert for ransomware attacks that have compromised 49 entities in five critical infrastructure sectors, such as financial, government, healthcare, manufacturing, and information technology.
The FBI discovered the Cuba ransomware attacks in early November 2021.
“Cuba ransomware is distributed through Hancitor malware, a loader known for dropping or
executing stealers, such as Remote Access Trojans (RATs) and other types of ransomware, onto
victims’ networks. Hancitor malware actors use phishing emails, Microsoft Exchange
vulnerabilities, compromised credentials, or legitimate Remote Desktop Protocol (RDP) tools to
gain initial access to a victim’s network,” the FBI wrote in the flash alert.
“Subsequently, Cuba ransomware actors use legitimate Windows services—such as PowerShell, PsExec, and other unspecified services—and then leverage Windows Admin privileges to execute their ransomware and other processes remotely. Cuba ransomware actors compromise a victim network through the encryption of target files with the ‘.cuba’ extension.”
The FBI further noted the actors have demanded ransomware payments of at least US $74 million, of which they received at least US $43.9 million.
Attack technical details
After system compromise, the Cuba ransomware installs and then executes CobaltStrike beacon as a service via PowerShell. CobaltStrike is also known as a popular “dual use” tool used for exploitation (and post-exploitation) tasks and has been used in other cyberattacks such as Squirrelwaffle last month.
To add, Cuba actually installs two executables. One of those files “pones.exe” steals passwords. The second “krots.exe” (aka KPOT) allows the attackers to write to the victim’s system temporary (TMP) file, which is then executed in the compromised network. The TMP file leverages Application Programming Interface (API) calls that once executed communicates with a reported malware repository Uniform Resource Locator (URL) teoresp.com based in Montenegro.
Moreover, the Cuba actors also use MimiKatz malware to steal credentials and then log via RDP into compromised hosts via user account. Next, the attackers will use CobaltStrike server to
communicate with the compromised user account.
“One of the initial PowerShell script functions allocates memory space to run a base64-encoded payload. Once this payload is loaded into memory, it can be used to reach the remote command-and-control (C2) server and then deploy the next stage of files for the ransomware. The remote C2 server is located at the
malicious URL kurvalarva.com,” the FBI added.
Some of the FBI recommended mitigations include, but not limited to:
- Require strong, unique passwords on all accounts.
- Use multi-factor authentication (MFA).
- Keep all software patched and up to date.
- Remove unnecessary access to administrative shares.
- Use host-based firewalls.
- Segment networks to help prevent spread of malware.
- Use network monitoring tools to identify, detect, and investigate abnormal activity.
- Use time-based access for administrative account access.
- Disable command-line and scripting activities and permissions.
- Maintain offline backups of data.
- Ensure all backup data is encrypted and immutable.
Readers can check out the full Flash alert for more details to include indicators of compromise (IoC) and additional ransomware resources.
- FBI warns of increasing ransomware attacks against the Food and Agriculture sector
- CISA and FBI alert: DarkSide ransomware used in Colonial Pipeline cyberattack (and mitigation guidance) – updated
- FBI issues alert on OnePercent Group Ransomware attacks
- FBI identifies 16 Conti ransomware attacks targeting US healthcare and first responder networks
- BlackMatter ransomware has targeted multiple U.S. critical infrastructure entities
- FBI warns of PYSA Ransomware attacks against schools in the U.S. and U.K.