"Cuba Ransomware Actors Pocket $60m"

The US Cybersecurity and Infrastructure Security Agency (CISA) has warned of the continued threat posed by the Cuba ransomware variant, which has made its affiliates and developers $60m as of August. CISA revealed in a new alert that the ransomware had compromised at least 100 entities worldwide, having doubled its victim count in the US since last December. CISA noted that the group and its affiliates mainly target financial services, government, healthcare, critical manufacturing, and IT companies. CISA stated that, disappointingly, ransoms are increasingly being paid. The group has demanded $145m to date in recorded attacks.

CISA said that the threat actors use one of several tried-and-tested techniques to gain initial access: phishing campaigns, vulnerability exploitation, compromised credentials, and remote desktop protocol (RDP) tools. Once inside, the ransomware itself is distributed via a loader known as "Hancitor." CISA noted, however, that since spring this year the group has modified some of its tactics, techniques, and procedures (TTPs). CISA stated that it uses a dropper that writes a kernel driver called ApcHelper.sys to the file system in order to terminate any security products running on victims' machines. It also exploits CVE-2022-24521 to steal system tokens and elevate privileges, and CVE-2020-1472 to gain domain administrator privileges.


Infosecurity reports: "Cuba Ransomware Actors Pocket $60m"