FBI says Cuba ransomware extorted over $60 million in ransom fees from more than 100 entities

December 2, 2022

As of August 2022, the threat actors behind the Cuba (aka COLDDRAW) ransomware had received more than $60 million in ransom payments and had compromised over 100 entities worldwide.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a new advisory highlighting a “sharp increase in both the number of compromised US entities and the ransom amounts.”

According to the FBI and CISA, the ransomware gang has broadened its tactics, techniques, and procedures (TTPs) since the beginning of the year and has been linked to the RomCom Remote Access Trojan (RAT) and Industrial Spy ransomware.

The actors gain initial access by exploiting known security flaws, phishing, compromised credentials, and legitimate remote desktop protocol (RDP) tools, and have distributed the ransomware through the Hancitor (aka Chanitor) loader. Vulnerabilities known to be in Cuba's toolkit include:

CVE-2022-24521 (CVSS score: 7.8): an elevation of privilege vulnerability in the Windows Common Log File System (CLFS) Driver
CVE-2020-1472: an elevation of privilege vulnerability in the Netlogon remote protocol

Initial infection comes through phishing emails, stolen credentials, Microsoft Exchange exploits, or Remote Desktop Protocol (RDP) tools. Once inside a target's network, Cuba ransomware actors use legitimate Windows tools and services (PowerShell, PsExec, and other unspecified services) to remotely deploy payloads and encrypt files, appending the “.cuba” extension to encrypted files.
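The three indicators named above (PsExec-driven remote deployment, PowerShell payload execution, and files renamed with the ".cuba" extension) are concrete enough to turn into detection logic. The script below is an added example written for this page, not code from the CISA/FBI advisory, the article, or any vendor. It runs over a handful of constructed Windows event records (System log Event ID 7045 for service installation, Sysmon Event ID 1 for process creation, Sysmon Event ID 11 for file creation, PowerShell Event ID 4104 for script blocks); the pre-parsed record shape (`host`, `event_id`, `data`), the rule names, and the mass-encryption threshold are assumptions of the example.

```python
"""Detection logic for Cuba-ransomware-style post-exploitation activity.

Added example, not the advisory's or the article's own code. The input is
a list of constructed, already-parsed Windows event records; the record
shape (host / event_id / data) is an assumption of this example.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

# Indicators drawn from the article: PsExec for remote deployment,
# PowerShell for payload execution, ".cuba" appended to encrypted files.
ENCRYPTED_EXT = ".cuba"
# PsExec installs a service named PSEXESVC on the remote host. Attackers can
# rename it (PsExec -r), so we also look at the service image path.
PSEXEC_RE = re.compile(r"psexesvc", re.IGNORECASE)
# Base64-encoded PowerShell commands (-e / -ec / -enc / -EncodedCommand).
ENCODED_PS_RE = re.compile(
    r"-(?:enc|encodedcommand|ec|e)\s+[A-Za-z0-9+/=]{20,}", re.IGNORECASE
)
# Assumed threshold: this many ".cuba" file creations on one host is
# treated as mass encryption rather than a stray file.
MASS_ENCRYPT_THRESHOLD = 3


def check_event(ev: Dict) -> Optional[str]:
    """Return the name of the rule one event matches, or None."""
    eid = ev.get("event_id")
    data = ev.get("data", {})
    # System log 7045: a new service was installed on this host.
    if eid == 7045 and (
        PSEXEC_RE.search(data.get("ServiceName", ""))
        or PSEXEC_RE.search(data.get("ImagePath", ""))
    ):
        return "psexec_service_install"
    # Sysmon 11: file created; the encryptor writes files ending in ".cuba".
    if eid == 11 and data.get("TargetFilename", "").lower().endswith(ENCRYPTED_EXT):
        return "cuba_extension_file_create"
    # Sysmon 1 (process creation) or PowerShell 4104 (script block logging).
    if eid in (1, 4104):
        text = data.get("CommandLine") or data.get("ScriptBlockText") or ""
        if ENCODED_PS_RE.search(text):
            return "encoded_powershell"
    return None


def scan_events(events: List[Dict]) -> List[Dict]:
    """Run every event through the rules and collect the hits."""
    findings = []
    for ev in events:
        rule = check_event(ev)
        if rule is None:
            continue
        data = ev.get("data", {})
        detail = (
            data.get("ServiceName")
            or data.get("TargetFilename")
            or data.get("CommandLine")
            or data.get("ScriptBlockText")
            or ""
        )
        findings.append({"host": ev["host"], "rule": rule, "detail": detail})
    return findings


def hosts_mass_encrypting(findings: List[Dict], threshold: int = MASS_ENCRYPT_THRESHOLD) -> List[str]:
    """Hosts on which ".cuba" file creations reached the threshold."""
    counts = Counter(f["host"] for f in findings if f["rule"] == "cuba_extension_file_create")
    return sorted(h for h, n in counts.items() if n >= threshold)


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS: List[Dict] = [
    {"host": "WS01", "event_id": 7045,
     "data": {"ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"}},
    {"host": "WS01", "event_id": 1,
     "data": {"CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"}},
    {"host": "WS02", "event_id": 7045,
     "data": {"ServiceName": "Spooler", "ImagePath": r"%SystemRoot%\System32\spoolsv.exe"}},
    {"host": "FS01", "event_id": 11, "data": {"TargetFilename": r"C:\Shares\Finance\Q3.xlsx.cuba"}},
    {"host": "FS01", "event_id": 11, "data": {"TargetFilename": r"C:\Shares\Finance\budget.docx.cuba"}},
    {"host": "FS01", "event_id": 11, "data": {"TargetFilename": r"C:\Shares\HR\roster.pdf.CUBA"}},
    {"host": "FS01", "event_id": 11, "data": {"TargetFilename": r"C:\Users\alice\notes.txt"}},
]

if __name__ == "__main__":
    hits = scan_events(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h['host']:6} {h['rule']:28} {h['detail']}")
    print("mass encryption on:", hosts_mass_encrypting(hits))
```

The per-event rules are deliberately simple; the useful signal is the combination: a PsExec service install followed by an encoded PowerShell launch on the same host, then a burst of ".cuba" file creations on a file server, is the sequence the advisory describes, and correlating the three across hosts is what separates it from the benign single hits each rule will also produce.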

The sources for this piece include an article in BleepingComputer.


Jim Love

Jim is an author and podcast host with over 40 years in technology.
