
Cuba ransomware gang hacked 49 US critical infrastructure organizations

The FBI says the Cuba ransomware gang has compromised the networks of at least 49 US critical infrastructure organizations.

A flash alert issued by the FBI reports that the Cuba ransomware gang has compromised the networks of at least 49 US critical infrastructure organizations.

“As of early November 2021, the FBI confirmed that Cuban ransomware attackers had compromised at least 49 companies in five critical infrastructure sectors, including but not limited to the financial, government, healthcare, manufacturing and information technology sectors,” reads the flash alert published by the Federal Bureau of Investigation.

Cuba ransomware has been active since at least January 2020. The operators run a data leak site where data stolen from victims who refused to pay the ransom is published. The ransomware appends the “.cuba” extension to the files it encrypts on the target system.

Cuba ransomware is distributed through Hancitor, a commodity malware whose operators work with ransomware gangs to provide initial access to a target network. The Hancitor downloader has been used to deliver the Pony and Vawtrak stealers, the Ficker stealer as a loader, and the NetSupport RAT on compromised hosts.

Hancitor operators gain initial access to a victim’s network through phishing emails, Microsoft Exchange vulnerabilities, compromised credentials, or legitimate Remote Desktop Protocol (RDP) tools.

The report also found that Cuba ransomware operators abuse legitimate Windows services (e.g. PowerShell, PsExec) and other unspecified services to remotely execute malicious code and deploy the ransomware.

According to the report, Cuba ransomware operators have demanded at least US$74 million in ransom and received at least US$43.9 million.

Once a victim’s system is compromised, the ransomware installs and runs a Cobalt Strike beacon as a service on the target’s network via PowerShell. After installation, it downloads two executables, the password stealers “pones.exe” and “krots.exe” (aka KPOT), which allow the attackers to write to temporary (TMP) files on the infected system.

“When the TMP file is uploaded, the “krots.exe” file is deleted and the TMP file is executed on the compromised network. The TMP file contains application programming interface (API) calls related to memory injection that, when executed, delete themselves from the system. Upon TMP file deletion, the compromised network initiates communication with the reported malware repository located at a Montenegro-based Uniform Resource Locator (URL), teoresp.com,” the alert states.
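The behaviours the alert describes (a beacon installed as a Windows service via PowerShell, PsExec used for remote execution, and the callback to teoresp.com) map onto a few checks a defender can run over existing telemetry. The following Python script is an added example, not code from the article or from the FBI alert: it assumes service-installation records shaped like Windows System log event 7045 (“A service was installed in the system”) and a simple DNS query log, and every sample record, hostname and timestamp in it is constructed for the demonstration.

```python
"""Added example (not from the article or the FBI alert): triage rules for
the behaviours the alert describes, run over constructed sample records.

Assumptions: service-install records are modelled on Windows System log
event 7045; PsExec installs its helper service as PSEXESVC on the remote
host; a service whose image path launches PowerShell with hidden/encoded
options is treated as suspicious. All sample data below is constructed.
"""
import re
from dataclasses import dataclass

# Domain named in the FBI alert as the malware repository that the
# compromised host contacts after the TMP file deletes itself.
IOC_DOMAINS = {"teoresp.com"}

# Name of the helper service PsExec installs on the remote host.
PSEXEC_SERVICE = "PSEXESVC"

# Image paths that start PowerShell with no profile, a hidden window or an
# encoded command are how a beacon ends up running "as a service via
# PowerShell"; legitimate services rarely look like this.
POWERSHELL_SERVICE_RE = re.compile(
    r"powershell(\.exe)?.*(-e(nc|ncodedcommand)?\b|-nop\b|-w(indowstyle)?\s+hidden)",
    re.IGNORECASE,
)


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


# Constructed sample 7045-style records (not real telemetry).
SAMPLE_SERVICE_EVENTS = [
    {"host": "ws-012", "event_id": 7045, "service_name": "WinHealthSvc",
     "image_path": "%COMSPEC% /c powershell.exe -nop -w hidden -enc SQBFAFgAIAAo..."},
    {"host": "fs-01", "event_id": 7045, "service_name": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"host": "ws-044", "event_id": 7045, "service_name": "Spooler",
     "image_path": r"C:\Windows\System32\spoolsv.exe"},
]

# Constructed DNS query log: timestamp, host, "query", record type, name, rcode.
SAMPLE_DNS_LOG = """\
2021-11-03T10:12:01Z ws-012 query A update.microsoft.com NOERROR
2021-11-03T10:12:07Z ws-012 query A teoresp.com NOERROR
2021-11-03T10:13:22Z fs-01 query A login.example.org NOERROR
"""


def check_service_installs(events):
    """Flag service installs that look like PsExec or a PowerShell-launched service."""
    findings = []
    for ev in events:
        if ev.get("event_id") != 7045:
            continue
        path = ev.get("image_path", "")
        name = ev.get("service_name", "")
        if name.upper() == PSEXEC_SERVICE or PSEXEC_SERVICE in path.upper():
            findings.append(Finding(ev["host"], "psexec-service", f"{name}: {path}"))
        elif POWERSHELL_SERVICE_RE.search(path):
            findings.append(Finding(ev["host"], "powershell-service", f"{name}: {path}"))
    return findings


def check_dns_log(text):
    """Flag queries for the domain listed in the alert (or any subdomain of it)."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # skip malformed lines rather than crash the triage run
        host, qname = parts[1], parts[4].lower().rstrip(".")
        if any(qname == d or qname.endswith("." + d) for d in IOC_DOMAINS):
            findings.append(Finding(host, "ioc-domain", qname))
    return findings


def triage(events, dns_text):
    """Run all rules and return findings sorted by host for the analyst."""
    return sorted(check_service_installs(events) + check_dns_log(dns_text),
                  key=lambda f: (f.host, f.rule))


if __name__ == "__main__":
    for f in triage(SAMPLE_SERVICE_EVENTS, SAMPLE_DNS_LOG):
        print(f"{f.host:8} {f.rule:20} {f.detail}")
```

In a real deployment the records would come from a SIEM export rather than inline literals; the point of the rules is that a service whose image path runs hidden or encoded PowerShell, a freshly installed PSEXESVC, and a lookup of the domain from the alert each deserve a ticket on their own, and the same host appearing in more than one of them (ws-012 above) moves the case to the top of the queue.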

The FBI asks security experts to share information about Cuba ransomware activity; the federal government is looking for information such as perimeter logs showing communications with foreign IP addresses, Bitcoin wallet information, decryptor files, and/or harmless samples of encrypted files.

The FBI does not recommend paying the ransom, as there is no guarantee that encrypted files will be recovered; by paying, victims also incentivize threat actors to continue distributing ransomware.

The alert includes indicators of compromise and mitigations.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini
International Editor-in-Chief
Cyber Defense Magazine
