The Cuba ransomware group, also referred to as COLDDRAW, has reportedly amassed over $60 million in ransom payments while compromising more than 100 organizations globally, as of August 2022. This surge in activity prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) to issue an alert on the growing threat, emphasizing a notable increase in the number of U.S. organizations being targeted, as well as escalating ransom demands.
The group, which is also tracked under the alias Tropical Scorpius, has primarily focused on sectors such as financial services, government entities, healthcare, and critical manufacturing. Its tactics have evolved to improve both initial access and subsequent engagement with compromised networks, making it a formidable threat. Despite the name, there is no evidence linking these actors to the island of Cuba.
According to CISA, the group often exploits existing security vulnerabilities, employs phishing strategies, and utilizes compromised credentials. Additionally, they have been observed leveraging legitimate remote desktop protocol (RDP) tools to infiltrate systems before deploying ransomware via Hancitor malware.
Among the vulnerabilities exploited by the Cuba group are CVE-2022-24521, which involves an elevation of privilege in the Windows Common Log File System Driver, and CVE-2020-1472, a critical vulnerability in the Netlogon remote protocol, also known as ZeroLogon. These weaknesses allow adversaries to gain administrative access, significantly broadening their operational reach.
In a concerning tactic, the Cuba group has employed “double extortion,” wherein they not only encrypt victim data but also exfiltrate sensitive information, demanding a ransom for decryption and threatening to publicize the data if their demands are not met. Their operations have been linked to additional malicious tools like RomCom RAT and another ransomware variant dubbed Industrial Spy, as evidenced by recent investigations by BlackBerry and Palo Alto Networks Unit 42.
RomCom RAT is distributed through compromised versions of legitimate software, which are hosted on counterfeit websites. Applications such as SolarWinds Network Performance Monitor and KeePass have been flagged as vectors for this malware, showcasing the diverse methods employed by adversaries to establish footholds within targeted environments.
The advisory issued by CISA and the FBI is part of a broader campaign addressing various ransomware strains, including MedusaLocker, Zeppelin, Vice Society, Daixin Team, and Hive. As cyber threats continue to evolve, businesses in the U.S. must remain vigilant, particularly in light of how rapidly these tactics and techniques are being deployed.
The attack methods illustrated in this incident underscore the importance of robust cybersecurity practices. Employing frameworks such as the MITRE ATT&CK Matrix can guide organizations in understanding potential adversary tactics, including initial access through phishing or exploitation of known vulnerabilities, as well as subsequent actions aimed at persistence and privilege escalation.