The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have jointly issued a warning about ongoing attacks by the Cuba ransomware group. According to the agencies, the actors behind it had compromised more than 100 organizations as of August 2022.
According to the latest advisory, Cuba ransomware actors have demanded more than $145 million from those 100-plus victims and collected over $60 million in payments (up from about $43 million reported in December 2021), an average ransom of roughly $600,000 per victim.
“The number of U.S. businesses infected with Cuba ransomware has doubled since the release of the FBI flash in December 2021, resulting in an increase in ransom demands and payments,” the joint FBI-CISA advisory reads.
Cuba ransomware actors typically gain initial access by exploiting known vulnerabilities in commercial software. They also use phishing campaigns, compromised credentials, and legitimate Remote Desktop Protocol (RDP) tools to drop stealers and distribute the Hancitor loader, which in turn runs a remote access trojan (RAT).
CISA said the attackers expanded their tactics, techniques and procedures (TTPs) in the spring of 2022, and pointed to a possible link between the Cuba ransomware actors, the RomCom Remote Access Trojan (RAT) actors, and the Industrial Spy ransomware actors.
RomCom RAT provides the command and control (C2) channel in the group’s operations. Since spring 2022 the actors have also exploited CVE-2022-24521 (an elevation of privilege vulnerability in the Windows Common Log File System driver, CVSS 7.8) and CVE-2020-1472 (ZeroLogon, a privilege escalation bug in the Netlogon Remote Protocol, CVSS 10.0).
In particular, Cuba ransomware evades detection by terminating security processes through a kernel driver, ApcHelper.sys. The driver is signed with an NVIDIA code-signing certificate that was leaked by the LAPSUS$ extortion group, so it loads as a legitimately signed driver.
[Figure: Cuba ransomware kernel driver with stolen digital signature. Source: Palo Alto Networks Unit 42]
The Cuba ransomware group was previously known to sell stolen data on its own leak site, but it now also uses Industrial Spy’s online marketplace to trade the data it steals.
Cuba ransomware actors have targeted five critical infrastructure sectors: financial services, government facilities, healthcare and public health, critical manufacturing, and information technology. CISA noted that RomCom RAT has been used to target foreign military organizations, IT companies, food brokers and manufacturers.
In 2022 the group, which has been linked to Russia, was tied to attacks on power, water and transportation systems in Montenegro in August, and on the Ukrainian government and critical infrastructure in October.
“Tropical Scorpius remains an active threat,” said Palo Alto Networks Unit 42, which tracks Cuba ransomware as Tropical Scorpius. “This group’s activity suggests that an approach to tradecraft using a hybrid of more subtle tools, focused on low-level Windows internals for defense evasion and local privilege escalation, may have been highly effective during intrusions. Combined with the well-adopted and successful splash of crimeware technology, this presents a unique challenge for defenders.”
Unit 42 advises organizations to apply the relevant security updates for the known vulnerabilities. It also recommends deploying a security information and event management (SIEM) tool fed by advanced logging sources such as Sysmon, Windows command-line logging, and PowerShell logging.
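The following PowerShell is an added example, not code from the advisory or from Unit 42. It turns on the logging recommended above (process creation auditing with full command lines, and PowerShell script block and module logging) and then hunts Sysmon driver-load events (Event ID 6) for kernel drivers whose signature chain is anything other than valid or that load from outside the Windows driver directories, which is the kind of trace the signed-driver evasion described earlier would leave. The function names, the 30-day window and the directory allow-list are assumptions; it needs Sysmon installed and an elevated prompt.

```powershell
# Added example (not from the FBI-CISA advisory or Unit 42). Run elevated on a host with Sysmon.
# Assumptions are marked; no host names, paths or indicators are taken from the article.
#Requires -RunAsAdministrator

function Enable-RecommendedLogging {
    # Process creation auditing with the full command line (Security log, Event ID 4688).
    auditpol.exe /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null
    $audit = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    New-Item -Path $audit -Force | Out-Null
    Set-ItemProperty -Path $audit -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord

    # PowerShell script block logging (Microsoft-Windows-PowerShell/Operational, Event ID 4104)
    # and module logging for every module (Event ID 4103).
    $psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    New-Item -Path "$psPolicy\ScriptBlockLogging" -Force | Out-Null
    Set-ItemProperty -Path "$psPolicy\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord
    New-Item -Path "$psPolicy\ModuleLogging\ModuleNames" -Force | Out-Null
    Set-ItemProperty -Path "$psPolicy\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
    Set-ItemProperty -Path "$psPolicy\ModuleLogging\ModuleNames" -Name '*' -Value '*'
}

function Find-SuspiciousDriverLoads {
    param([int]$Days = 30)   # assumption: a 30-day look-back is enough for triage

    # Sysmon Event ID 6 (DriverLoad) records ImageLoaded, Hashes, Signed, Signature and SignatureStatus.
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 6
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time            = $_.TimeCreated
            Driver          = $d['ImageLoaded']
            Signer          = $d['Signature']
            SignatureStatus = $d['SignatureStatus']
            Hashes          = $d['Hashes']
        }
    } | Where-Object {
        # Windows will still load a driver whose signing certificate has since expired or been
        # revoked, so a "Signed" driver is not the same as a trustworthy one. Sysmon reports the
        # chain status separately: anything other than 'Valid' deserves a look, as does a driver
        # loaded from outside the normal driver directories (assumption: your fleet has no others).
        $_.SignatureStatus -ne 'Valid' -or
        $_.Driver -notmatch '^C:\\Windows\\System32\\(drivers|DriverStore)\\'
    }
}

Enable-RecommendedLogging
Find-SuspiciousDriverLoads -Days 30 | Format-Table -AutoSize
```

Feed the Security, PowerShell and Sysmon channels into the SIEM once these settings are in place; the hunt above is meant as a one-off triage on a single host, and the same filter on SignatureStatus and ImageLoaded translates directly into a SIEM rule.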
Phishing-awareness training also goes a long way toward stopping Cuba ransomware attacks, given the group’s reliance on phishing for initial access.
For technical details on Cuba ransomware and the related TTPs, see the Unit 42 write-up.