HackerFeeds

cuba

103 tracked victims · first seen 2021-02-03 · last activity 2024-02-01

Group profile

Cuba ransomware, also tracked as Colddraw, was first observed in the threat landscape in 2019 and has built a relatively small but selective list of victims. The group is also known as Fidel ransomware because of a characteristic marker placed at the beginning of every encrypted file (the string "FIDEL.CA"); the ransomware and its decryptor use this marker to tell whether a file has already been encrypted.

Despite its name and the Cuban nationalist styling of its leak site, there is no evidence of any connection to or affiliation with the Republic of Cuba. Profero researchers linked the group to a Russian-speaking threat actor on the basis of translation errors in its communications and of a 404 page containing Russian text on the group's own leak site.

According to BlackBerry, code strings from a campaign analysed in 2023 also indicated that the developer behind Cuba ransomware speaks Russian.

The operators use a double-extortion approach. According to the joint FBI/CISA #StopRansomware advisory published in December 2022, as of August 2022 Cuba ransomware actors had compromised 101 entities, demanded over $145 million in ransom payments and received over $60 million.

The group's TTPs have stayed broadly similar from year to year, with only minor changes: LOLBins (executables that ship with the operating system and can be abused to support an attack), exploits, off-the-shelf and custom malware, and intrusion frameworks such as Cobalt Strike and Metasploit.

In 2022 the group reportedly developed a relationship with the operators of the Industrial Spy market, using that platform as an additional channel for leaking stolen data.

Source: https://github.com/crocodyli/ThreatActors-TTPs
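As an added triage example (this is not code from the page, the tracker or the ransomware itself): a Python scanner that reads the first bytes of every file under a directory and reports those that begin with the encryption marker. The profile only says that a marker sits at the start of each encrypted file; the marker value "FIDEL.CA" and the ".cuba" file extension used in the constructed sample tree are taken from public analyses and are assumptions here, which is why the marker is passed in as a parameter rather than hard-coded as fact.

```python
"""Find files that carry the head-of-file encryption marker described above.

Added example, not part of the original page. The marker value and the
".cuba" extension in the sample tree are assumptions from public reports;
only the first len(marker) bytes of each file are read, so scanning a large
share stays cheap and a file that merely mentions the marker in its body
does not match.
"""
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterator

DEFAULT_MARKER = b"FIDEL.CA"  # assumption: marker value reported in public analyses


def has_marker(path: Path, marker: bytes = DEFAULT_MARKER) -> bool:
    """Return True if the file's first bytes equal the marker.

    Unreadable files (permissions, vanished between listing and open) are
    reported as unmarked rather than aborting the whole scan.
    """
    try:
        with path.open("rb") as fh:
            head = fh.read(len(marker))
    except OSError:
        return False
    return head == marker


def scan_tree(root: Path, marker: bytes = DEFAULT_MARKER) -> Iterator[Path]:
    """Yield every regular (non-symlink) file under root that carries the marker."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if not p.is_symlink() and p.is_file() and has_marker(p, marker):
                yield p


def summarize(root: Path, marker: bytes = DEFAULT_MARKER) -> Dict[str, object]:
    """Count marked vs. total files and list the marked paths (sorted)."""
    marked = list(scan_tree(root, marker))
    total = sum(len(files) for _, _, files in os.walk(root))
    return {
        "total": total,
        "marked": len(marked),
        "paths": sorted(str(p) for p in marked),
    }


def build_sample_tree(root: Path, marker: bytes = DEFAULT_MARKER) -> None:
    """Constructed sample: two 'encrypted' files, one clean file, one decoy.

    The decoy contains the marker string later in its body; it must not match,
    because only the file head identifies an encrypted file.
    """
    docs = root / "docs"
    docs.mkdir(parents=True, exist_ok=True)
    (docs / "report.docx.cuba").write_bytes(marker + b"\x00" * 32 + b"ciphertext...")
    (docs / "budget.xlsx.cuba").write_bytes(marker + b"\x01\x02\x03")
    (docs / "notes.txt").write_bytes(b"plain text, not encrypted")
    (docs / "ioc-list.txt").write_bytes(b"marker seen in incident: " + marker)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        result = summarize(root)
        print(f"{result['marked']} of {result['total']} files carry the marker")
        for path in result["paths"]:
            print("  ", path)
```

Run it against a mounted share or a forensic image root instead of the temporary directory to get a quick count of affected files; the marker check is the same one the ransomware's decryptor relies on, so it is a reliable indicator regardless of file extension.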

MITRE ATT&CK TTPs

TA0001

Initial Access

  • T1078.003 Valid Accounts: Local Accounts

    Operators leveraged valid local accounts for initial access.

  • T1133 External Remote Services

    Cuba ransomware operators used external remote services for initial access.

TA0002

Execution

  • T1059.001 Command and Scripting Interpreter: PowerShell

    Cuba ransomware operators executed PowerShell commands during the attack.

  • T1059.003 Command and Scripting Interpreter: Windows Command Shell

    The Windows Command Shell was used to execute various commands during the attack.

  • T1106 Native API

    Cuba ransomware used native API calls to execute malicious behaviors.

  • T1204.002 User Execution: Malicious File

    Malicious files were used to trick users into executing the ransomware.

  • T1569.002 System Services: Service Execution

    Cuba ransomware was executed using Windows system services.

TA0004

Privilege Escalation

  • T1068 Exploitation for Privilege Escalation

    Cuba ransomware operators exploited vulnerabilities to escalate privileges.

TA0005

Defense Evasion

  • T1036.005 Masquerading: Match Legitimate Name or Location

    The ransomware used legitimate-looking names or locations to evade detection.

TA0006

Credential Access

  • T1212 Exploitation for Credential Access

    Cuba ransomware operators exploited vulnerabilities to gain credential access.

TA0007

Discovery

  • T1016.001 System Network Configuration Discovery: Internet Connection Discovery

    Operators checked the network configuration and internet connectivity of infected hosts.

  • T1018 Remote System Discovery

    Remote systems were discovered using built-in utilities.

  • T1057 Process Discovery

    Running processes were identified during the attack.

  • T1083 File and Directory Discovery

    Files and directories were enumerated during the attack.

  • T1124 System Time Discovery

    Cuba ransomware operators queried the system time on infected hosts.

  • T1135 Network Share Discovery

    Network shares were enumerated by the ransomware.

TA0008

Lateral Movement

  • T1021.002 Remote Services: SMB/Windows Admin Shares

    SMB and Windows admin shares were used to reach other systems during the attack.

  • T1570 Lateral Tool Transfer

    Cuba ransomware operators transferred tools between systems in the compromised network.

TA0011

Command and Control

  • T1071.001 Application Layer Protocol: Web Protocols

    Web protocols such as HTTP and HTTPS were used for communication.

  • T1071.004 Application Layer Protocol: DNS

    DNS was used as a protocol for command and control communication.

  • T1090.003 Proxy: Multi-hop Proxy

    Cuba ransomware operators used multi-hop proxies to obfuscate communication.

  • T1219 Remote Access Software

    Remote access software was used for command and control; the operators also used RDP, which ATT&CK tracks separately as T1021.001 Remote Services: Remote Desktop Protocol.
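The Discovery techniques above are mostly carried out with built-in utilities, which fits the profile's note that the group leans on LOLBins. As an added detection example (not from the page or the tracker), the Python below maps process-creation log lines to the Discovery technique IDs listed on this page and flags a host when several distinct techniques fire within a short window, which is what separates an attacker's enumeration burst from an administrator running a single command. The command patterns are the generic examples ATT&CK gives for each technique, not commands attributed to Cuba ransomware; the log format, hosts, users and timestamps are constructed for the example.

```python
"""Map process-creation events to the Discovery techniques in this profile.

Added example, not part of the original page. Log lines are a constructed
"ts host= user= cmd=" format standing in for Sysmon/4688 process creations;
the regexes cover generic built-in utilities ATT&CK lists for each technique.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple, Set


class Event(NamedTuple):
    ts: datetime
    host: str
    user: str
    cmdline: str


# One narrow regex per Discovery technique ID from this page. "net view /domain"
# is remote system discovery, plain "net view"/"net share" is share discovery.
DISCOVERY_PATTERNS: Dict[str, re.Pattern] = {
    "T1135": re.compile(r"\bnet1?(?:\.exe)?\s+(?:view|share)\b(?!.*?/domain)", re.I),
    "T1018": re.compile(
        r"\bnltest(?:\.exe)?\s+/dclist|\bnet1?(?:\.exe)?\s+view\s+/domain\b|\barp(?:\.exe)?\s+-a\b",
        re.I,
    ),
    "T1057": re.compile(r"\btasklist(?:\.exe)?\b", re.I),
    "T1016.001": re.compile(r"\b(?:ping|tracert)(?:\.exe)?\s+\S+", re.I),
    "T1124": re.compile(r"\bnet1?(?:\.exe)?\s+time\b|\bw32tm(?:\.exe)?\s+/tz\b", re.I),
    "T1083": re.compile(r"\bdir\b.*\s/s\b|\btree(?:\.exe)?\b", re.I),
}

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd="(?P<cmd>[^"]*)"$'
)

# Constructed sample: WS01 shows two isolated admin commands hours apart,
# SRV02 shows a 90-second enumeration burst, WS03 runs a command not mapped here.
SAMPLE_LOG = """\
2023-11-13T08:12:01 host=WS01 user=CORP\\jdoe cmd="tasklist /v"
2023-11-13T09:40:10 host=WS01 user=CORP\\jdoe cmd="ping 10.0.0.5"
2023-11-13T22:01:03 host=SRV02 user=SRV02\\admin cmd="net view /domain"
2023-11-13T22:01:15 host=SRV02 user=SRV02\\admin cmd="nltest /dclist:corp.local"
2023-11-13T22:01:40 host=SRV02 user=SRV02\\admin cmd="net view \\\\FS01"
2023-11-13T22:02:05 host=SRV02 user=SRV02\\admin cmd="tasklist"
2023-11-13T22:02:30 host=SRV02 user=SRV02\\admin cmd="net time /domain"
2023-11-14T07:00:00 host=WS03 user=CORP\\helpdesk cmd="ipconfig /all"
"""


def parse_line(line: str) -> Event:
    """Parse one constructed log line; raises ValueError on a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return Event(datetime.fromisoformat(m["ts"]), m["host"], m["user"], m["cmd"])


def classify(cmdline: str) -> Set[str]:
    """Return the set of technique IDs whose pattern matches the command line."""
    return {tid for tid, rx in DISCOVERY_PATTERNS.items() if rx.search(cmdline)}


def find_discovery_bursts(
    events: List[Event], window_seconds: int = 600, min_techniques: int = 3
) -> Dict[str, List[str]]:
    """Flag hosts where >= min_techniques distinct techniques fire inside one window.

    Events are grouped per host and sorted; every event starts a window, and the
    union of technique IDs seen before the window expires is compared to the
    threshold. A single admin command never reaches the threshold on its own.
    """
    by_host: Dict[str, List[Event]] = defaultdict(list)
    for ev in events:
        by_host[ev.host].append(ev)
    flagged: Dict[str, Set[str]] = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.ts)
        for i, first in enumerate(evs):
            seen: Set[str] = set()
            for ev in evs[i:]:
                if (ev.ts - first.ts).total_seconds() > window_seconds:
                    break
                seen |= classify(ev.cmdline)
            if len(seen) >= min_techniques:
                flagged.setdefault(host, set()).update(seen)
    return {h: sorted(t) for h, t in flagged.items()}


if __name__ == "__main__":
    events = [parse_line(l) for l in SAMPLE_LOG.splitlines() if l.strip()]
    for host, techniques in find_discovery_bursts(events).items():
        print(f"{host}: discovery burst, techniques {', '.join(techniques)}")
```

The threshold and window are the tuning knobs: lowering either raises recall at the cost of paging on help-desk activity, and the per-technique patterns should be extended with whatever enumeration utilities your own telemetry shows, keeping each one narrow enough that ordinary use of `net` or `ping` does not fire.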

Recent victims

showing 50 of 103
Date       | Website / victim                    | Sector                          | Country
2024-02-01 | dms-imaging (dms.com)               | Healthcare                      | FR
2024-01-18 | deknudtframes.be                    | Manufacturing                   | BE
2023-11-14 | diagnostechs (diagnostechs.com)     | Healthcare                      |
2023-11-13 |                                     | Consumer Services               | AU
2023-11-07 |                                     | Technology                      |
2023-11-07 | prime-art                           | Consumer Services               |
2023-10-23 | Newconcepttech                      | Technology                      |
2023-10-10 | mountstmarys                        | Education                       |
2023-10-03 | co.rock.wi.us                       | Public Sector                   | US
2023-08-19 | goldmedalbakery (goldmedalbakery.com) | Agriculture and Food Production |
2023-07-31 | hydrex.co.uk                        | Construction                    | GB
2023-07-31 | txmplant.co.uk                      | Construction                    | GB
2023-07-11 | gis4.addison-il                     | Public Sector                   |
2023-05-23 |                                     | Consumer Services               |
2023-05-10 |                                     | Public Sector                   | LT
2023-05-04 | Gihealthcare (gihealthcare.com)     | Healthcare                      |
2022-12-27 | pu.edu.lb                           | Education                       |
2022-12-20 | Sae-a                               | Manufacturing                   |
2022-12-12 | 2networkit                          | Technology                      |
2022-12-01 | Landaumedia                         | Business Services               |
2022-12-01 | Generator-power                     | Energy                          |
2022-12-01 | Boss-inc                            | Manufacturing                   |
2022-11-30 | Patton                              | Not Found                       |
2022-11-24 | Pmc-group                           | Manufacturing                   |
2022-11-09 | waltersandwolf                      | Construction                    |
2022-11-04 | bfw                                 | Not Found                       |
2022-11-04 | Ville-chaville                      | Public Sector                   |
2022-11-04 | Murphyfamilyventures                | Not Found                       |
2022-11-04 | Dialogsas                           | Business Services               |
2022-11-04 | usairports                          | Transportation/Logistics        |
2022-11-04 | trant.co.uk                         | Not Found                       | GB
2022-11-04 | the_rose_executive_team             | Not Found                       |
2022-11-04 | technicote                          | Technology                      |
2022-11-04 | stm.com.tw                          | Manufacturing                   | TW
2022-11-04 | site-technology_                    | Technology                      |
2022-11-04 | schultheis-ins                      | Financial Services              |
2022-11-04 | quercus                             | Not Found                       |
2022-11-04 | otrcapital                          | Financial Services              |
2022-11-04 | ohagin                              | Not Found                       |
2022-11-04 | nwdusa                              | Not Found                       |
2022-11-04 | ncmutuallife2                       | Financial Services              |
2022-11-04 | meriplex                            | Business Services               |
2022-11-04 | megaforce                           | Transportation/Logistics        |
2022-11-04 | lycra                               | Manufacturing                   |
2022-11-04 | linkmfg                             | Manufacturing                   |
2022-11-04 | learning_resources                  | Education                       |
2022-11-04 | landofrost                          | Agriculture and Food Production |
2022-11-04 | innovairre                          | Technology                      |
2022-11-04 | get-integrated                      | Business Services               |
2022-11-04 | gascaribe                           | Energy                          |