"Cuba Ransomware Nets Nearly $50m"

According to the FBI, the threat actors behind the Cuba ransomware variant have already amassed $44m by targeting at least 49 victims. The FBI noted that the group had demanded at least $74m from its victims. These victims frequently come from critical infrastructure sectors such as financial services, government, healthcare, manufacturing, and IT.

The FBI stated that Cuba ransomware is distributed through Hancitor malware, a loader known for dropping or executing stealers, Remote Access Trojans (RATs) and other types of ransomware onto victims’ networks. The FBI noted that Hancitor operators use phishing emails, Microsoft Exchange vulnerabilities, compromised credentials, or legitimate Remote Desktop Protocol (RDP) tools to gain initial access to a victim’s network. Cuba ransomware actors then use legitimate Windows services and tools such as PowerShell, PsExec, and other unspecified services, leveraging Windows admin privileges to execute their ransomware and other processes remotely.

Following a compromise, the ransomware installs and executes a Cobalt Strike beacon as a service on the victim’s network via PowerShell. The FBI stated that the actors also use Mimikatz to steal RDP credentials and hijack user accounts. Cuba ransomware is believed to have been active since January 2020.
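As a defender-side illustration, added here and not part of the Infosecurity or FBI reporting: a small Python triage over constructed Windows System-log Event ID 7045 ("a service was installed") records that flags the two patterns the summary describes, a service whose binary is PowerShell (the beacon-as-service technique) and the PsExec service. Event ID 7045 and the PSEXESVC service name are real Windows/Sysinternals artifacts; the pre-parsed dictionary form and the sample records are assumptions constructed for the example.

```python
import re

# Constructed sample 7045 records (Service Control Manager, System log), pre-parsed
# into dicts. Illustrative only; not log data from any real Cuba ransomware incident.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "Update", "AccountName": "LocalSystem",
     "ImagePath": r"%COMSPEC% /b /c start /b /min powershell -nop -w hidden -encodedcommand <BASE64_PLACEHOLDER>"},
    {"EventID": 7045, "ServiceName": "PSEXESVC", "AccountName": "LocalSystem",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"EventID": 7045, "ServiceName": "Dhcp", "AccountName": r"NT AUTHORITY\LocalService",
     "ImagePath": r"%SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted"},
    {"EventID": 7036, "ServiceName": "Dhcp",
     "Message": "The DHCP Client service entered the running state."},  # not an install event
]

# Rules applied to the ImagePath of each service-installation event (case-insensitive).
IMAGE_PATH_RULES = [
    ("service binary is PowerShell (beacon-as-service pattern)", re.compile(r"powershell(\.exe)?\b", re.I)),
    ("PowerShell hidden/non-interactive flags", re.compile(r"-(w(indowstyle)?\s+hidden|nop\b|noni\b|nonint\w*)", re.I)),
    ("encoded PowerShell command", re.compile(r"-e(nc|ncodedcommand|c)\b", re.I)),
    ("PsExec service binary", re.compile(r"psexesvc\.exe$", re.I)),
]

# Rules applied to the ServiceName field.
SERVICE_NAME_RULES = [
    ("PsExec default service name", re.compile(r"^psexesvc$", re.I)),
]


def triage_service_installs(events):
    """Return [(service_name, [reasons])] for every 7045 event that matches a rule."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 7045:
            continue  # only service-installation events are in scope
        reasons = [label for label, rx in IMAGE_PATH_RULES if rx.search(ev.get("ImagePath", ""))]
        reasons += [label for label, rx in SERVICE_NAME_RULES if rx.search(ev.get("ServiceName", ""))]
        if reasons:
            findings.append((ev["ServiceName"], reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in triage_service_installs(SAMPLE_EVENTS):
        print(f"[ALERT] new service {name!r}: " + "; ".join(reasons))
```

On a real host the same logic can be fed from the System log (e.g. exported via `wevtutil` or `Get-WinEvent`) once the 7045 XML is mapped to the field names used here; a legitimate svchost-based service such as the DHCP client produces no finding.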

Infosecurity reports: "Cuba Ransomware Nets Nearly $50m"

Submitted by Anonymous on