Last year, the Cuba ransomware group attacked 49 entities across five critical infrastructure sectors, collecting over $43.9 million in ransom payments.

Those affected include (but are not limited to) organizations in the financial, government, healthcare, manufacturing, and information technology sectors. It’s worth noting that the Cuba ransomware attackers have demanded as much as $74 million in ransom payments in total, an exceptionally high sum.

After encrypting files, the group threatens to leak stolen data if payment is not made promptly. As many as 28 victims have had their data exposed by this group.

Given recent warnings pertaining to a possible wave of ransomware attacks in the US, could your organization represent the next target for these attackers?

Why it matters

Cyber forensic analysts believe that the group is based in Russia, a nation known for its wide network of state-backed cyber criminals.

The Cuba ransomware operation primarily targets organizations within the United States, although attacks have occurred elsewhere.

[Image: map of Cuba ransomware attack target locations. Image courtesy of Bleeping Computer.]

The new Cuba ransomware campaign

The Cuba ransomware operation has recently exploited Microsoft Exchange vulnerabilities to obtain access into corporate networks and to encrypt devices.

Threat intelligence teams track the Cuba ransomware gang as UNC2596 and use the moniker COLDDRAW for the ransomware itself.

Microsoft Exchange server campaign, technical details

Experts have observed the Cuba ransomware gang leveraging Microsoft Exchange vulnerabilities to deploy web shells, remote access trojans (RATs) and backdoors in target networks.

Specifically, the ProxyShell and ProxyLogon vulnerability chains have been identified as the initial access vectors used by the Cuba ransomware group.
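Because both ProxyShell and ProxyLogon start with anomalous requests to a public-facing Exchange server, the IIS access logs are a good place to look for this initial access. The following is an added example for this article (not tooling from the article, from Mandiant, or from the Cuba operators) that flags publicly documented ProxyShell autodiscover SSRF requests, ProxyLogon-style POSTs to static resource paths, and .aspx requests in directories where web shells are typically dropped. The log lines are constructed for the demo, the W3C field order is an assumption (real logs declare it in a #Fields: header), and the allowlist of legitimate /owa/auth pages is a starting point to extend for your environment.

```python
"""Flag IIS W3C log lines matching publicly documented ProxyLogon / ProxyShell
exploitation traffic and likely web-shell requests on an Exchange server.

Added example for this article; not code from the article or from any
vendor. Sample log lines below are constructed for the demonstration.
"""
import re
from dataclasses import dataclass

# Constructed sample. Assumed field order:
# date time cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2022-02-10 03:14:07 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail.example.test%2fowa%2f 200
2022-02-10 03:15:22 POST /autodiscover/autodiscover.json @evil.test/mapi/nspi/?&Email=autodiscover/autodiscover.json%3f@evil.test 200
2022-02-10 03:15:40 POST /autodiscover/autodiscover.json @evil.test/powershell/?X-Rps-CAT=AAAA&Email=autodiscover/autodiscover.json%3f@evil.test 200
2022-02-10 03:16:01 POST /ecp/y.js - 200
2022-02-10 03:16:09 POST /owa/auth/Current/themes/resources/logon.css - 200
2022-02-10 03:17:30 GET /aspnet_client/supp0rt.aspx cmd=whoami 200
2022-02-10 03:18:00 GET /ecp/default.aspx - 302
"""


@dataclass
class Finding:
    line_no: int
    rule: str
    method: str
    uri: str


# ProxyShell: autodiscover.json requests whose query smuggles an "@host/backend" path.
_AUTODISCOVER = re.compile(r"^/autodiscover/autodiscover\.json$", re.I)
_PROXYSHELL_QUERY = re.compile(r"@.*(/mapi/nspi|/powershell|/ews/|email=autodiscover)", re.I)

# ProxyLogon post-exploitation: POSTs to static-looking ECP/OWA resource paths
# that should never receive a POST (single-letter .js, default.flt, main.css,
# anything under /owa/auth/Current/).
_PROXYLOGON_POST = re.compile(
    r"^/ecp/(?:[a-z]\.js|default\.flt|main\.css)$|^/owa/auth/current/", re.I
)

# Web shells are commonly dropped as .aspx files in these directories.
_ASPX = re.compile(r"^(/aspnet_client/.*|/owa/auth/[^/]+|/ecp/auth/[^/]+)\.aspx$", re.I)
# Assumption: legitimate pages under /owa/auth; extend for your build.
_KNOWN_AUTH_PAGES = {"/owa/auth/logon.aspx", "/owa/auth/logoff.aspx", "/owa/auth/errorfe.aspx"}


def classify(method: str, stem: str, query: str):
    """Return a rule name for a suspicious request, or None if it looks benign."""
    if _AUTODISCOVER.match(stem) and _PROXYSHELL_QUERY.search(query):
        return "proxyshell-ssrf"
    if method.upper() == "POST" and _PROXYLOGON_POST.match(stem):
        return "proxylogon-post-exploitation"
    if _ASPX.match(stem) and stem.lower() not in _KNOWN_AUTH_PAGES:
        return "possible-webshell"
    return None


def scan(lines):
    """Scan W3C log lines (assumed field order above) and return Findings."""
    findings = []
    for n, line in enumerate(lines, 1):
        if not line.strip() or line.startswith("#"):   # skip blanks and W3C headers
            continue
        parts = line.split()
        if len(parts) < 6:                               # malformed line; skip
            continue
        method, stem, query = parts[2], parts[3], parts[4]
        query = "" if query == "-" else query
        rule = classify(method, stem, query)
        if rule:
            findings.append(Finding(n, rule, method, stem + ("?" + query if query else "")))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"line {f.line_no}: {f.rule:28} {f.method} {f.uri}")
```

Run it against real logs with something like `scan(open(path, encoding="utf-8", errors="replace"))` after checking the #Fields: header; hits on the autodiscover or /ecp rules on an unpatched server warrant treating the host as compromised, not merely patching it.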

Backdoors planted at this stage include Cobalt Strike beacons or the NetSupport Manager remote access tool. The group also relies on its own ‘Bughatch’, ‘Wedgecut’, ‘eck.exe’ and ‘Burntcigar’ tools.

  • Wedgecut: Arrives as an executable named “check.exe”; a reconnaissance tool that enumerates Active Directory via PowerShell.
  • Bughatch: A downloader that fetches PowerShell scripts and files from the command-and-control server. To evade detection, it loads its payload from a remote URL directly into memory rather than writing it to disk.
  • Burntcigar: A utility that terminates processes at the kernel level, including those of security products, by exploiting a flaw in an Avast driver.

Finally, a memory-only dropper known as Termite can fetch the payloads above and load them. Experts note, however, that multiple groups use this tool; it is not exclusive to the Cuba ransomware operation.

The readily available Mimikatz and Wicker tools enable the threat actors to escalate privileges using stolen account credentials. They then conduct network reconnaissance with Wedgecut, followed by lateral movement over RDP and SMB, with PsExec and Cobalt Strike.

In the subsequent deployment sequence, Termite loads Bughatch, followed by Burntcigar, which disables security software to clear the way for data exfiltration and file encryption.

For the exfiltration step, the Cuba ransomware attackers do not use any cloud services; instead, they send everything to their own private infrastructure.

Evolving operation

In May 2021, Cuba ransomware allied itself with the Hancitor malware spam operators to obtain access to corporate networks via DocuSign-themed phishing emails.

Over time, the group has evolved to target public-facing services and vulnerabilities, including the Microsoft Exchange ProxyShell and ProxyLogon vulnerabilities.

This shift makes attacks more powerful, but also easier to stop: security updates that resolve the exploited issues have been available for months at this point.

Once all Microsoft Exchange servers are patched, and there are no more valuable unpatched targets, the Cuba ransomware operators will likely shift their attention to other vulnerabilities.

In summary

Routine patching and maintenance are critical in the fight against cyber criminals. Apply available security updates as soon as vendors release them.

While proactive patching might sound like a snooze, taking the time to patch can keep even sophisticated attackers from infiltrating your systems.

For more information about Exchange server attacks, please see CyberTalk.org’s past coverage. 

Also, be sure to join us for Phishing Week, Feb 28th – March 4th, where you’ll find the latest phishing resources to help protect you, your colleagues and your organization at large. Learn more here.