A hundred victims, millions of dollars: hackers from the Cuba group hit hard


The name of this hacker collective has nothing to do with its origin: its members are reportedly Russian criminals. They have amassed an enormous haul by preying on more than a hundred victims in Europe and the United States.

It is time to take stock of the Cuba ransomware group. The FBI and CISA, the US cybersecurity agency, published a joint advisory on December 1 on the collective's activity. Between December 2021 and August 2022, the hackers attacked more than 100 entities around the world. Victims include government agencies, healthcare institutions, and financial companies. In France, they are known to have attacked the town hall of Chaville (Ile-de-France) last October, paralyzing the town's entire computer system.

Cuba ransomware hit numerous financial institutions in the United States, as well as the government of Montenegro in August. Although the collective's name may be confusing, the criminals have no connection with Havana: they are reportedly of Russian origin, like the majority of ransomware groups. Perhaps a tribute to the Kremlin's former Cold War ally?

The collective publishes the stolen data on its site hosted on the darknet // Source: Numerama

The Montenegrin Interior Minister even suggested that Cuba ransomware is in some way supported by the Russian government. The SecurityJoes and Profero research teams have also identified these hackers as originating from Russia.

In total, the hackers collected more than 60 million dollars (57.2 million euros) in ransoms over nine months. The negotiations were effective: the collective had reportedly demanded a total of more than 145 million dollars from its victims, and many governments refuse to pay the criminals a single cent. "The number of US entities compromised by Cuba ransomware has doubled, and ransoms demanded and paid are on the rise," warned the two federal agencies.

The Double Extortion Technique

Cuba's modus operandi is quite common among ransomware groups: the actors exploit known Windows vulnerabilities, phishing emails and the Hancitor Trojan to drop their malware. Active since 2019, their tool has undergone several updates, the most recent this summer. Like LockBit or Hive, the collective uses double extortion: it first steals the data, then encrypts it and demands a sum of money in exchange for a decryption key. If the victim refuses, the files are published on the darknet, so a restore from backup does not end the extortion.

The FBI is asking for information on the group; useful items include communications with the attackers, foreign IP addresses seen in boundary logs, and bitcoin wallet addresses.
