FortiGuard Labs is aware that the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory for Cuba ransomware as part of their #StopRansomware effort. The advisory states that the number of organizations in the United States victimized by Cuba ransomware has increased since December 2021.

Why is this Significant?

This is significant because Cuba ransomware has reportedly victimized over 100 organizations across multiple industries, including, but not limited to, infrastructure in the U.S., since December 2021 and has extorted large sums of money from the victims.

What is Cuba Ransomware?

Cuba is a ransomware strain that has been around since at least 2019 and has reportedly victimized more than 100 organizations globally. According to the advisory, infection vectors used by the Cuba threat actors include emails, use of stolen credentials, RDP (Remote Desktop Protocol) session hijacking, and exploitation of vulnerabilities such as CVE-2022-24521 and CVE-2020-1472. The use of Hancitor malware was also reportedly observed to deploy Cuba ransomware after victims' networks were breached.

Once Cuba ransomware is deployed, it encrypts files on compromised machines, adds a ".cuba" file extension to the affected files, and drops a ransom note named "!! READ ME !!.txt". The primary contact channel is Tox (a peer-to-peer instant messaging protocol). An alternative e-mail address is typically included in the ransom notes.

FortiGuard Labs previously released a ransomware roundup blog on Cuba ransomware on August 18, 2022.

See the Appendix for a link to "Alert (AA22-335A) #StopRansomware: Cuba Ransomware (CISA)".

What is the Status of Protection?

FortiGuard Labs provides the following AV signatures for Cuba ransomware:

W32/Agent.FEDD!tr
W32/Filecoder.OAE!tr
W32/Filecoder.OAE!tr.ransom
W32/Filecoder.OHL!tr
W32/GenKryptik.EMOA!tr
W32/Injector.EQGY!tr
W32/Kryptik.HFMU!tr
W32/Kryptik.HGXH!tr
W32/PossibleThreat

Some of the available files listed in the IOC section of the CISA advisory are detected by the following AV signatures:

W32/Agent.ADBQ!tr
W64/Agent.CP!tr.dldr
W32/GenKryptik.FSCS!tr
W32/PossibleThreat
PossibleThreat
PossibleThreat.PALLAS.H

FortiGuard Labs provides the following IPS coverage for the vulnerabilities reportedly leveraged by Cuba ransomware threat actors:

MS.Windows.CVE-2022-24521.Privilege.Elevation (CVE-2022-24521)
MS.Windows.Server.Netlogon.Elevation.of.Privilege (CVE-2020-1472)

FortiEDR protects customers from Cuba ransomware. See the Appendix for a link to "Threat Coverage: How FortiEDR protects against Cuba ransomware".
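The two file-system artifacts described above (the ".cuba" extension on encrypted files and the "!! READ ME !!.txt" ransom note) are the quickest things an incident responder can sweep a file share or host for. The following triage script is an added example, not code from FortiGuard Labs, CISA or the advisory; it assumes only those two indicators, the function names and the sample listing are constructed for the demonstration, and it reports per-directory counts so that the blast radius of an encryption run can be scoped from a plain file listing or a live directory walk.

```python
"""Triage helper for the Cuba ransomware file-system indicators.

Added example, not FortiGuard's or CISA's code. It assumes only the two
artifacts the advisory names: encrypted files carry a ".cuba" extension and
affected directories receive a ransom note called "!! READ ME !!.txt".
All sample paths below are constructed for the demonstration.
"""
import os
import posixpath
from collections import defaultdict

ENCRYPTED_EXT = ".cuba"
RANSOM_NOTE = "!! READ ME !!.txt"


def scan_paths(paths):
    """Classify a list of file paths and summarise Cuba-style indicators.

    Returns a dict with:
      encrypted_files - paths ending in ".cuba"
      ransom_notes    - paths whose file name is the Cuba ransom note
      per_directory   - {directory: number of encrypted files}
      dirs_with_note  - sorted directories containing the ransom note
      verdict         - "likely_cuba", "suspicious" or "clean"
    """
    encrypted = []
    notes = []
    per_dir = defaultdict(int)
    note_dirs = set()
    for p in paths:
        # posixpath keeps the split consistent on any host; the listing is
        # expected to use forward slashes (convert UNC paths before calling).
        directory, name = posixpath.split(p)
        if name.lower().endswith(ENCRYPTED_EXT):
            encrypted.append(p)
            per_dir[directory] += 1
        elif name == RANSOM_NOTE:
            notes.append(p)
            note_dirs.add(directory)
    # Encrypted files together with a note in at least one directory is the
    # full pattern; either artifact alone still deserves a look.
    if encrypted and note_dirs:
        verdict = "likely_cuba"
    elif encrypted or notes:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {
        "encrypted_files": encrypted,
        "ransom_notes": notes,
        "per_directory": dict(per_dir),
        "dirs_with_note": sorted(note_dirs),
        "verdict": verdict,
    }


def scan_tree(root):
    """Walk a real directory tree and hand every file path to scan_paths()."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for f in filenames:
            found.append(os.path.join(dirpath, f).replace(os.sep, "/"))
    return scan_paths(found)


# Constructed sample listing: two encrypted files plus a note in one share,
# an untouched directory, and a stray ".cuba" file with no note beside it.
SAMPLE_LISTING = [
    "/mnt/finance/Q3-report.xlsx.cuba",
    "/mnt/finance/budget.docx.cuba",
    "/mnt/finance/!! READ ME !!.txt",
    "/mnt/hr/handbook.pdf",
    "/mnt/eng/design.vsdx.cuba",
]

if __name__ == "__main__":
    result = scan_paths(SAMPLE_LISTING)
    print(result["verdict"], result["per_directory"], result["dirs_with_note"])
```

Run it against a mounted share with `scan_tree("/mnt/finance")`; the per-directory counts tell you which shares were reached before the process was stopped, and a "suspicious" verdict with encrypted files but no note usually means the run was interrupted or the note was already removed, which is worth noting in the timeline.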