The Cuba ransomware operation has returned to regular operations, with a new version of its malware found in use in recent attacks.
Cuba ransomware's activity peaked in 2021, when it partnered with the Hancitor malware gang for initial access. By the end of that year it had breached 49 critical infrastructure organizations in the United States.
This year started less impressively for the ransomware gang, with few new victims. However, Mandiant observed signs of tactical changes and experimentation indicating that the group was still active.
Now, Trend Micro analysts report seeing a resurgence in Cuba infections, starting in March and continuing strongly into April 2022.
Cuba has listed three victims in April and one in May on its Tor site. However, the attacks that led to the publication of those files likely unfolded earlier.
While these are not impressive figures compared to other ransomware operations, "Cuba" is generally more selective, hitting only large organizations.
New variant found
In late April, a new binary sampled by Trend Micro included minor additions and changes that make the malware more dangerous for targeted entities. More importantly, it shows that the operation is still alive and actively developing its encryptor.
The malware now terminates more processes before encryption, including Outlook, MS Exchange, and MySQL. Ransomware encryptors stop these services because files held open by a running application (mailbox databases, database tables, PST files) are locked for exclusive access and would otherwise be skipped, leaving the most valuable data unencrypted.
Secondly, the exclusion list has been expanded with more directories and file types to be skipped during encryption. This keeps the operating system bootable after the attack and prevents the encryptor from re-processing its own output (encrypting already encrypted files or its own binaries), which would produce corrupted files that can't be restored and leave victims with no incentive to pay for a decryptor.
Thirdly, the gang has updated its ransom notes, adding quTox for live victim support and stating that the threat actors will publish all stolen data on the Tor site if the demands are not met within three days.
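One way a defender can turn the first of these changes into a detection, as an added example that is not part of the original article or of Trend Micro's research: the Python below scans a constructed export of process-creation events (a flattened Sysmon-style layout of timestamp, parent image, image and command line, which is an assumption about the log format) for a burst of taskkill, net stop and sc stop commands aimed at Outlook, Exchange or MySQL issued by one parent process inside a short window. The sample events, the service names and the command syntax are constructed for illustration and are not Cuba ransomware indicators; the article only names the applications, not how the encryptor stops them.

```python
"""Heuristic: a burst of terminations aimed at file-locking applications
(Outlook, Exchange, MySQL) from a single parent process is a common
ransomware precursor and worth alerting on before mass file writes begin.

Log layout below is an ASSUMED flattened Sysmon Event ID 1 export:
    timestamp|parent_image|image|command_line
All sample events are CONSTRUCTED; they are not Cuba ransomware IOCs.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Applications the article says the new variant now terminates before
# encrypting. The process/service name patterns are assumptions.
TARGET_PATTERNS = [
    re.compile(r"outlook(\.exe)?", re.I),
    re.compile(r"msexchange\w*", re.I),
    re.compile(r"mysql\w*", re.I),
]

# Command lines that terminate a process or stop a service (assumed set).
KILL_CMD = re.compile(
    r"(taskkill(\.exe)?\s+.*(/im|/pid)|net(\.exe)?\s+stop|sc(\.exe)?\s+stop|"
    r"stop-service|kill-process)",
    re.I,
)

# Constructed sample: one suspicious burst, one benign admin action.
SAMPLE_EVENTS = [
    r"2022-04-20T02:13:01|C:\Users\Public\upd.exe|C:\Windows\System32\taskkill.exe|taskkill /f /im outlook.exe",
    r"2022-04-20T02:13:03|C:\Users\Public\upd.exe|C:\Windows\System32\net.exe|net stop MSExchangeIS /y",
    r"2022-04-20T02:13:04|C:\Users\Public\upd.exe|C:\Windows\System32\net.exe|net stop MySQL80 /y",
    r"2022-04-20T02:13:05|C:\Users\Public\upd.exe|C:\Windows\System32\sc.exe|sc stop MSExchangeTransport",
    r"2022-04-20T09:00:00|C:\Windows\explorer.exe|C:\Windows\System32\net.exe|net stop MySQL80",
    r"2022-04-20T09:01:00|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd /c dir",
]


def parse_event(line):
    """Split one pipe-delimited event into its fields."""
    ts, parent, image, cmd = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "parent": parent,
            "image": image, "cmd": cmd}


def is_target_kill(cmd):
    """True when the command both terminates/stops something and names a
    file-locking application from TARGET_PATTERNS."""
    if not KILL_CMD.search(cmd):
        return False
    return any(p.search(cmd) for p in TARGET_PATTERNS)


def find_kill_bursts(lines, window=timedelta(seconds=60), threshold=3):
    """Group target-kill events by parent process and flag any parent that
    issues at least `threshold` of them within `window`.
    Returns a list of (parent_image, count, first_ts, last_ts)."""
    by_parent = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if is_target_kill(ev["cmd"]):
            by_parent[ev["parent"]].append(ev["ts"])

    alerts = []
    for parent, stamps in by_parent.items():
        stamps.sort()
        best, span, start = 0, None, 0
        # Sliding window over the sorted timestamps of this parent.
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count > best:
                best, span = count, (stamps[start], stamps[end])
        if best >= threshold:
            alerts.append((parent, best, span[0], span[1]))
    return alerts


if __name__ == "__main__":
    for parent, count, first, last in find_kill_bursts(SAMPLE_EVENTS):
        print(f"ALERT: {parent} stopped {count} file-locking services "
              f"between {first.time()} and {last.time()}")
```

The single benign `net stop MySQL80` from an interactive shell hours later stays below the threshold, so the rule keys on the burst rather than on any one command; tune the window, the threshold and the service patterns to the environment, since legitimate maintenance scripts on Exchange or database hosts can also stop several services in sequence.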
The refinement of the Cuba ransomware variant can only mean that the group will continue to be a threat to organizations in the coming months, primarily those located in North America.
No weakness has been found in Cuba ransomware's encryption to date, so there is no decryptor available that victims can use to recover their files for free.
Therefore, taking regular data backups (kept offline or otherwise unreachable from the production network, so the encryptor and the attackers' hands-on operators can't delete or encrypt them), implementing network segmentation, and keeping all systems up to date remain the best approach to dealing with the threat.