"Ukraine Warns of Cuba Ransomware Campaign"

The Ukrainian authorities are warning of a new ransomware campaign against organizations in the war-torn country. The Ukrainian CERT said it had discovered phishing emails spoofed to appear as if sent from the “Press Service of the General Staff of the Armed Forces of Ukraine.” If recipients fall for the scam and click on the link contained in the email, they are taken to a web page and urged to download a new version of PDF Reader. Doing so triggers a malicious executable which, it was noted, decodes and runs a file named ‘rmtpak.dll’. The latter is classified as RomCom malware.

RomCom was first uncovered by Palo Alto Networks back in August. Palo Alto Networks linked the remote access Trojan (RAT) to a new Cuba ransomware affiliate dubbed “Tropical Scorpius,” noting that the malware enables threat actors to perform a range of post-intrusion functions, including data exfiltration. The affiliate appears to have been a major driver of Cuba ransomware infections, accounting for nearly half of the victims exposed on the group’s leak site between 2019 and the summer of 2022. According to Palo Alto, as of July 2022, Tropical Scorpius has used Cuba ransomware to impact 27 additional organizations across multiple sectors, such as professional and legal services, state and local government, manufacturing, transportation and logistics, wholesale and retail, real estate, financial services, healthcare, high technology, utilities and energy, construction, and education.

This would seem to suggest that the current campaign in Ukraine is primarily financially motivated rather than coordinated with Russian state goals in mind.
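The two observable stages in the chain above (a mail whose display name impersonates the General Staff press service, and a downloaded "PDF Reader" executable that drops and loads a DLL) can be checked against mail headers and endpoint telemetry. The following is an added illustration written for this summary, not code from the Infosecurity article, CERT-UA or Palo Alto Networks. The allow-listed sender domain, the browser names, the sample file paths and the write-then-load telemetry shape are all assumptions or constructed sample data; only the name ‘rmtpak.dll’ comes from the report.

```python
import re
from dataclasses import dataclass
from email.utils import parseaddr

# Assumption (placeholder, not from the article): the domain genuine mail from
# the General Staff press service would come from. A real deployment takes
# this from its own allow-list.
TRUSTED_SENDER_DOMAINS = {"example-official.invalid"}
IMPERSONATED_NAME = re.compile(r"press\s+service.*general\s+staff", re.I)
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}  # assumed browser images


def suspicious_sender(from_header: str) -> bool:
    """True when the display name claims to be the General Staff press
    service but the address domain is not an allow-listed one."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return bool(IMPERSONATED_NAME.search(name)) and domain not in TRUSTED_SENDER_DOMAINS


@dataclass
class Event:
    ts: int       # monotonically increasing timestamp
    kind: str     # "proc" (process start), "file" (file written), "load" (module loaded)
    pid: int
    parent: str   # parent image name, meaningful for "proc" events
    path: str     # image path, written file, or loaded module


def dropper_chains(events):
    """Return (pid, executable, dll) for every process that was started by a
    browser from a Downloads folder, wrote a .dll, and then loaded that .dll.
    The write-then-load shape is an assumption about how a dropper surfaces
    in endpoint telemetry, not a detail taken from the article."""
    by_pid = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_pid.setdefault(e.pid, []).append(e)

    hits = []
    for pid, evs in by_pid.items():
        start = next(
            (e for e in evs
             if e.kind == "proc"
             and e.parent.lower() in BROWSERS
             and "\\downloads\\" in e.path.lower()
             and e.path.lower().endswith(".exe")),
            None,
        )
        if start is None:
            continue
        written = {e.path.lower() for e in evs
                   if e.kind == "file" and e.ts > start.ts
                   and e.path.lower().endswith(".dll")}
        for e in evs:
            if e.kind == "load" and e.path.lower() in written:
                hits.append((pid, start.path, e.path))
    return hits


# Constructed sample telemetry: one infection chain (the lure's installer name
# is invented) and one benign process that must not be flagged.
SAMPLE_EVENTS = [
    Event(1, "proc", 4242, "chrome.exe", r"C:\Users\u\Downloads\PDFReaderSetup.exe"),
    Event(2, "file", 4242, "", r"C:\Users\u\AppData\Local\Temp\rmtpak.dll"),
    Event(3, "load", 4242, "", r"C:\Users\u\AppData\Local\Temp\rmtpak.dll"),
    Event(4, "proc", 5000, "explorer.exe", r"C:\Program Files\Reader\Reader.exe"),
    Event(5, "load", 5000, "", r"C:\Windows\System32\kernel32.dll"),
]

if __name__ == "__main__":
    spoof = '"Press Service of the General Staff of the Armed Forces of Ukraine" <press@lookalike.invalid>'
    print("spoofed sender:", suspicious_sender(spoof))
    for pid, exe, dll in dropper_chains(SAMPLE_EVENTS):
        print(f"dropper chain: pid={pid} exe={exe} dll={dll}")
```

The sender check only fires when both conditions hold, so genuine mail from the allow-listed domain and unrelated mail from lookalike domains are both left alone; the endpoint check keys on the browser-to-Downloads-to-DLL sequence rather than on the DLL's name, so a renamed payload is still caught while the name itself can be added as a plain indicator match if desired.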

 

Infosecurity reports: "Ukraine Warns of Cuba Ransomware Campaign"
