Do you like Cuba? You probably won’t like the terrible ransomware of the same name


Alexandre Boero

September 12, 2023 at 9:10 a.m.


Cuba ransomware © PX Media / Shutterstock


Kaspersky today published its findings on the Cuba ransomware group, which is hitting businesses worldwide with malware built to slip past detection.

The Cuba ransomware group is back in the headlines. In a recent report we were able to consult, Kaspersky lays out its latest findings on this formidable group, which deploys hard-to-detect malware and targets organizations worldwide, putting companies in many sectors (oil, financial services, government agencies) at risk, in France as elsewhere. The investigation began in December 2022 with the discovery of three suspicious files on a customer's server, which set off a chain of events that led to the komar65 library, also known as Bughatch.

Sophisticated ransomware and a Cuba-Russia link

How does Bughatch, the backdoor that hides in process memory, work? It executes an embedded block of shellcode (position-independent machine code stored as a byte string), calls the Windows API directly rather than relying on imported libraries, and connects to a command and control (C2) server to await instructions. The backdoor can download and run further payloads, such as Cobalt Strike Beacon and Metasploit. The presence of Veeamp, a tool that dumps credentials from Veeam backup servers, strongly points to the Cuba gang rather than to the country whose name it borrows.

Then there is the term "komar", found in the PDB path of the sample. It is the Russian word for "mosquito", which suggests the presence of Russian-speaking members within the Cuba group, whatever the name implies. Further analysis by Kaspersky researchers turned up other modules used by Cuba to extend the malware's functionality. One of them collects system information and sends it to a server in HTTP POST requests.
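A module that posts collected system information to a server on a schedule leaves a recognisable trace in proxy logs: repeated POSTs from one client to one host at near-constant intervals. The following is an added example (not code from the original article or from Kaspersky) that scores client/host pairs by the regularity of their POST intervals. The log lines, the client address 10.0.4.21 and the TEST-NET host 203.0.113.45 are all constructed for the demonstration; the log format, the `min_hits` threshold and the coefficient-of-variation cutoff are assumptions.

```python
"""Beacon detection over proxy logs: flag clients that POST to one host at regular intervals."""
import re
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Assumed log format: "<ISO-8601 timestamp> <client> <method> <url> <bytes>".
LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")

# Constructed sample log (not real traffic). 10.0.4.21 posts to 203.0.113.45
# roughly every minute; 10.0.4.33 posts to an internal host at irregular times;
# 10.0.4.40 only posts twice.
SAMPLE_LOG = """\
2022-12-19T02:40:00Z 10.0.4.33 POST http://intranet.example.internal/report 4120
2022-12-19T02:40:05Z 10.0.4.33 POST http://intranet.example.internal/report 980
2022-12-19T02:41:17Z 10.0.4.21 POST http://203.0.113.45/api/upload 612
2022-12-19T02:42:19Z 10.0.4.21 POST http://203.0.113.45/api/upload 598
2022-12-19T02:43:16Z 10.0.4.21 POST http://203.0.113.45/api/upload 605
2022-12-19T02:44:20Z 10.0.4.21 POST http://203.0.113.45/api/upload 611
2022-12-19T02:45:15Z 10.0.4.21 POST http://203.0.113.45/api/upload 590
2022-12-19T02:46:18Z 10.0.4.21 POST http://203.0.113.45/api/upload 602
2022-12-19T02:47:33Z 10.0.4.33 POST http://intranet.example.internal/report 7731
2022-12-19T02:50:01Z 10.0.4.40 POST http://updates.example.com/check 130
2022-12-19T02:51:02Z 10.0.4.33 POST http://intranet.example.internal/report 2210
2022-12-19T02:55:41Z 10.0.4.21 GET http://203.0.113.45/favicon.ico 0
2022-12-19T03:10:45Z 10.0.4.33 POST http://intranet.example.internal/report 1540
2022-12-19T03:20:01Z 10.0.4.40 POST http://updates.example.com/check 130
"""


def parse_posts(log: str):
    """Group POST timestamps by (client, host); other methods and unparsable lines are ignored."""
    sessions = defaultdict(list)
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, client, method, url, _size = m.groups()
        if method != "POST":
            continue
        host = urlparse(url).netloc
        sessions[(client, host)].append(datetime.fromisoformat(ts.replace("Z", "+00:00")))
    return sessions


def find_beacons(log: str, min_hits: int = 5, max_cv: float = 0.1):
    """Return (client, host, mean_interval_s, cv) for pairs whose POST intervals are regular.

    cv is the coefficient of variation (stdev / mean) of the gaps between POSTs; a low cv
    means the client keeps a fixed schedule, which human-driven traffic rarely does.
    """
    results = []
    for (client, host), times in parse_posts(log).items():
        if len(times) < min_hits:
            continue  # too few requests to say anything about periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            results.append((client, host, round(mean, 1), round(cv, 3)))
    return results


if __name__ == "__main__":
    for client, host, mean, cv in find_beacons(SAMPLE_LOG):
        print(f"beacon candidate: {client} -> {host} every ~{mean}s (cv={cv})")
```

The check is a triage heuristic, not proof of compromise: legitimate agents (update checkers, monitoring clients) also beacon on a schedule, so hits should be reviewed against an allow-list of known hosts, and a malware author can add jitter to push the cv above the cutoff, which is why the threshold is a tunable rather than a constant.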


Unsurprisingly, the gang encrypts victims' files and demands a ransom in exchange for a decryption key. Exploitation of software vulnerabilities and social engineering are its main routes into a network; it also uses compromised remote desktop (RDP) accounts for initial access. Cuba draws on four extortion models:

  • Single extortion: data encryption and a ransom demand for decryption;
  • Double extortion: data encryption plus theft of sensitive information, with the threat of publication if the ransom is not paid;
  • Triple extortion: the added threat of a DDoS attack to knock the victim's infrastructure offline;
  • A fourth, rarer model: maximum pressure by disclosing the breach to investors, shareholders and customers, without the need for a DDoS attack.

Kaspersky's experts have also identified new malware samples attributed to Cuba that evade detection by some security vendors. These samples are recent iterations of Burntcigar, the tool the group uses to terminate security software processes, now with its strings encrypted to frustrate antivirus signatures.

Cuba group data leak site © Kaspersky


Malware is particularly difficult to detect, and that’s the whole problem

As it stands, security specialists stress the value of keeping up with threat reporting and intelligence, because ransomware gangs like Cuba evolve quickly and refine their tactics continuously. Knowing how a group operates is the best starting point for defending against it.

The trouble is that Cuba, as single-file ransomware, is hard to spot: the encryptor is a single executable that needs no additional libraries on the victim's machine, so there are fewer components to catch. The Russian-speaking group targets a wide range of sectors, including retail, finance, logistics, government and healthcare agencies, and manufacturing, across several regions. France is among the affected countries, though to a lesser extent than Germany, the United States, Australia, China, the United Kingdom and Italy.

The victims of Cuba © Kaspersky

Cuba's operators combine public and custom-built tools and regularly update their arsenal. They rely on tactics such as Bring Your Own Vulnerable Driver (BYOVD), loading a legitimately signed but vulnerable driver to disable security software from the kernel, and they alter file timestamps to confuse investigators. Their approach goes beyond encryption: it also aims to exfiltrate sensitive information, which makes software development companies particularly exposed. And even though Cuba has been under scrutiny for some time, the group remains active and keeps perfecting its techniques.
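Timestamp alteration ("timestomping") is usually done with the user-mode file time API, which rewrites the $STANDARD_INFORMATION timestamps of an NTFS file but not the $FILE_NAME timestamps that the kernel maintains. The following is an added example (not code from the article or from Kaspersky) of the check a forensic analyst runs over parsed MFT records: it flags files whose $STANDARD_INFORMATION times precede their $FILE_NAME times, and files whose $STANDARD_INFORMATION times have no sub-second component while the $FILE_NAME times do. The `MftRecord` type, the file paths and all timestamps are constructed for the demonstration; NTFS keeps 100 ns precision, which is simplified here to microseconds.

```python
"""Timestomp detection: compare NTFS $STANDARD_INFORMATION (SI) and $FILE_NAME (FN) timestamps."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class MftRecord:
    """Subset of an MFT entry, as an MFT parser would hand it over (assumed shape)."""
    path: str
    si_created: datetime
    si_modified: datetime
    fn_created: datetime
    fn_modified: datetime


def ts(s: str) -> datetime:
    """Parse an ISO-8601 timestamp (microsecond precision) as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample records (not from a real image):
#  - a system DLL whose SI and FN times agree;
#  - a dropped DLL backdated to 2019 in SI while FN still shows the real 2022 creation;
#  - a dropped executable whose SI times were set with whole-second precision.
SAMPLE = [
    MftRecord(r"C:\Windows\System32\kernel32.dll",
              ts("2022-06-14T09:12:03.124578"), ts("2022-06-14T09:12:03.124578"),
              ts("2022-06-14T09:12:03.124578"), ts("2022-06-14T09:12:03.124578")),
    MftRecord(r"C:\Windows\Temp\svc_update.dll",
              ts("2019-03-02T11:00:00.513000"), ts("2019-03-02T11:00:00.513000"),
              ts("2022-12-19T02:41:17.882311"), ts("2022-12-19T02:41:17.882311")),
    MftRecord(r"C:\Windows\Temp\stage.exe",
              ts("2022-12-19T03:00:00.000000"), ts("2022-12-19T03:00:00.000000"),
              ts("2022-12-19T02:41:17.882311"), ts("2022-12-19T02:41:17.882311")),
]


def check_timestomp(records):
    """Return [(path, [reason, ...])] for records whose SI/FN timestamps look manipulated."""
    findings = []
    for r in records:
        reasons = []
        # A file cannot have been created before the kernel recorded its name entry.
        if r.si_created < r.fn_created:
            reasons.append("SI created precedes FN created (backdated)")
        # Nor modified before it existed.
        if r.si_modified < r.fn_created:
            reasons.append("SI modified precedes FN created")
        # Tools that set times via SetFileTime-style calls often pass whole seconds,
        # leaving the sub-second part zero while the kernel-written FN times keep it.
        si_whole = r.si_created.microsecond == 0 and r.si_modified.microsecond == 0
        fn_fraction = r.fn_created.microsecond != 0 or r.fn_modified.microsecond != 0
        if si_whole and fn_fraction:
            reasons.append("SI timestamps have zero sub-second part while FN does not")
        if reasons:
            findings.append((r.path, reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in check_timestomp(SAMPLE):
        print(path)
        for reason in reasons:
            print("   -", reason)
```

Two caveats apply in practice. $FILE_NAME timestamps are refreshed when a file is renamed or moved, so a file that was moved after being timestomped can pass the first two checks, and an attacker with raw volume access can rewrite both attribute sets. The zero-fraction rule is also only a weak signal, since files restored from archives or copied from FAT volumes legitimately carry whole-second times; corroborate hits with $UsnJrnl and $LogFile entries before drawing conclusions.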
