The Federal Bureau of Investigation (FBI) warned that the Cuba ransomware gang earned more than $43.9 million in ransom after compromising at least 49 critical infrastructure entities.
Despite its name, cyber forensic experts believe that the Cuba ransomware gang is based in Russia, a country suspected of harboring most cybercriminals.
According to the FBI, Cuba ransomware gang victims include (but are not limited to) organizations in the financial, government, healthcare, manufacturing, and information technology sectors.
The FBI noted that Cuba ransomware actors had demanded up to $74 million in ransom payments.
Cuba ransomware gang partners with Hancitor malware operators
The FBI traced Cuba ransomware infection to Hancitor malware that leverages phishing campaigns, Microsoft Exchange vulnerabilities, compromised credentials, and brute-forcing remote desktop protocol (RDP) tools.
The malware gang adds compromised devices to a botnet to run a malware-as-a-service (MaaS) infrastructure and shares it with other ransomware groups.
“Cuba ransomware is distributed through Hancitor malware, a loader known for dropping or executing stealers, such as Remote Access Trojans (RATs) and other types of ransomware, onto victims’ networks,” the FBI wrote.
McAfee had noted in April that there was no evidence connecting the two groups, suggesting that the collaboration is a new partnership.
FBI publishes the indicators of compromise and TTPs employed by the Cuba ransomware gang
The FBI released the indicators of compromise (IoCs) and the tactics, techniques, and procedures (TTPs) employed by the ransomware gang to assist organizations in defending against Cuba ransomware attacks.
According to the FBI flash alert, the Cuba ransomware gang employs legitimate Windows services and tools such as PowerShell and PsExec, along with Windows admin privileges, to execute its malware before dropping a Cobalt Strike beacon.
Additionally, the malware drops two further payloads: “pones.exe”, which steals passwords, and “krots.exe”, which writes to a temporary “TMP” file. That file contains API calls related to memory injection.
“One of the initial PowerShell script functions…