Since the release of FBI Flash: Indicators of Compromise Associated with Cuba Ransomware, FBI has observed Cuba ransomware actors continuing to target U.S. entities in the following five critical infrastructure sectors: Financial Services, Government Facilities, Healthcare and Public Health, Critical Manufacturing, and Information Technology.
As of August 2022, FBI has identified that Cuba ransomware actors have:
Compromised over 100 entities worldwide.
Demanded over 145 million U.S. Dollars (USD) and received over 60 million USD in ransom payments.
Cuba Ransomware Actors’ Tactics, Techniques, and Procedures
As previously reported by FBI, Cuba ransomware actors have leveraged the following techniques to gain initial access into dozens of entities in multiple critical infrastructure sectors:
Known vulnerabilities in commercial software [T1190]
Phishing campaigns [T1566]
Compromised credentials [T1078]
Legitimate remote desktop protocol (RDP) tools [T1563.002]
After gaining initial access, the actors distributed Cuba ransomware on compromised systems through Hancitor—a loader known for dropping or executing stealers, such as Remote Access Trojans (RATs) and other types of ransomware, onto victims’ networks.
Since spring 2022, Cuba ransomware actors have modified their TTPs and tools to interact with compromised networks and extort payments from victims.
Cuba ransomware actors have exploited known vulnerabilities and weaknesses and have used tools to elevate privileges on compromised systems.
According to Palo Alto Networks Unit 42, Cuba ransomware actors have:
Exploited CVE-2022-24521 in the Windows Common Log File System (CLFS) driver to steal system tokens and elevate privileges.
Used a PowerShell script to identify and target service accounts for their associated Active Directory Kerberos ticket.
The actors then collected and cracked the Kerberos tickets offline via Kerberoasting [T1558.003].
Used a tool, called KerberCache, to extract cached Kerberos tickets from a host’s Local Security Authority Server Service (LSASS) memory [T1003.001].
Used a tool to exploit CVE-2020-1472 (also known as “ZeroLogon”) to gain Domain Administrative privileges [T1068].
This tool and its intrusion attempts have been reportedly related to Hancitor and Qbot.
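As an added defender-side example (not from the advisory or from Unit 42), the following script flags the Kerberoasting step described above by looking for one account requesting RC4-encrypted service tickets for many distinct service accounts in a short window, run over constructed Windows Security Event ID 4769 records. The pipe-delimited export format, the account and service names, and the window/threshold values are assumptions.

```python
# Added example: flag possible Kerberoasting [T1558.003] from Windows Security
# Event ID 4769 (Kerberos service ticket requested). Field names follow the 4769
# event schema; the pipe-delimited export format below is an assumption.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: TimeCreated|TargetUserName|ServiceName|TicketEncryptionType|IpAddress
SAMPLE_4769 = """\
2022-08-01T10:00:01|jdoe@CORP.LOCAL|WS01$|0x12|10.0.0.5
2022-08-01T10:00:03|svc-backup@CORP.LOCAL|sqlsvc|0x17|10.0.0.9
2022-08-01T10:00:04|svc-backup@CORP.LOCAL|httpsvc|0x17|10.0.0.9
2022-08-01T10:00:05|svc-backup@CORP.LOCAL|mssql2|0x17|10.0.0.9
2022-08-01T10:00:06|svc-backup@CORP.LOCAL|sharepointsvc|0x17|10.0.0.9
2022-08-01T10:00:07|svc-backup@CORP.LOCAL|krbtgt|0x17|10.0.0.9
2022-08-01T10:20:00|asmith@CORP.LOCAL|sqlsvc|0x17|10.0.0.7
"""

WINDOW = timedelta(minutes=10)  # assumed tuning values
THRESHOLD = 4                   # distinct RC4 service tickets per account per window

def parse_events(text):
    """Parse the constructed export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        ts, user, svc, etype, ip = line.split("|")
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "service": svc, "etype": int(etype, 16), "ip": ip})
    return events

def detect_kerberoasting(events, window=WINDOW, threshold=THRESHOLD):
    """Return [(requesting account, sorted distinct services)] for each flagged account."""
    per_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        # Only RC4 (0x17) tickets for real service accounts count: machine
        # accounts ($) and krbtgt are noise for this heuristic.
        if e["etype"] != 0x17 or e["service"].endswith("$") or e["service"].lower() == "krbtgt":
            continue
        per_user[e["user"]].append(e)
    alerts = []
    for user, reqs in per_user.items():
        for i, start in enumerate(reqs):
            # Sliding window anchored at each request made by this account.
            in_window = [r for r in reqs[i:] if r["time"] - start["time"] <= window]
            services = sorted({r["service"] for r in in_window})
            if len(services) >= threshold:
                alerts.append((user, services))
                break  # one alert per account is enough
    return alerts
```

Running `detect_kerberoasting(parse_events(SAMPLE_4769))` on the constructed data flags only svc-backup, since jdoe requested an AES ticket for a machine account and asmith requested a single ticket.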
According to Palo Alto Networks Unit 42, Cuba ransomware actors use tools to evade detection while moving laterally through compromised environments before executing Cuba ransomware.
Specifically, the actors “leveraged a dropper that writes a kernel driver to the file system called ApcHelper.sys.
This targets and terminates security products.