A new binary sampled by Trend Micro included minor additions and changes that make the malware more dangerous. More importantly, though, it shows that the operation is still alive and actively developing its encryptor.
Cuba threat actors have used several methods for lateral movement, including RDP, SMB, and PsExec, “frequently using BEACON to facilitate this movement,” Mandiant said. Then they deploy various backdoors, including NetSupport.
The malware now terminates more processes before encryption, including Outlook, MS Exchange, and MySQL. Ransomware encryptors kill these applications because a process that holds a file open locks it; terminating the process releases the lock so the file can be overwritten with its encrypted copy.
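That pre-encryption kill burst is itself a detection opportunity. The script below is an added example, not code from the article or from any of the vendors it cites: it scans constructed, Sysmon-style process-creation events and flags any parent process that uses taskkill, net stop or sc stop against several mail or database processes within a short window. The watched process and service names, the threshold and the sample events are all assumptions chosen for this illustration.

```python
"""Flag a burst of mail/database process terminations from a single parent.

Added example. Input events are constructed tuples of
(ISO timestamp, parent image, image, command line), mimicking Sysmon Event ID 1.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed list of processes and services an encryptor kills to release file locks.
WATCHED_TARGETS = {
    "outlook.exe", "mysqld.exe", "sqlservr.exe", "msexchangeis.exe", "store.exe",
    "msexchangeis", "mysql", "mssqlserver", "msexchangemailboxassistants",
}
KILL_TOOLS = {"taskkill.exe", "net.exe", "net1.exe", "sc.exe"}

IM_RE = re.compile(r"/im\s+\"?([\w.\-]+)", re.I)      # taskkill /F /IM name.exe
STOP_RE = re.compile(r"\bstop\s+\"?([\w.\-]+)", re.I)  # net stop Svc / sc stop Svc

# Constructed sample events: one suspicious parent, two benign admin commands.
SAMPLE_EVENTS = [
    ("2023-05-02T10:14:01", "C:\\Users\\admin\\Downloads\\upd.exe",
     "C:\\Windows\\System32\\taskkill.exe", "taskkill /F /IM outlook.exe"),
    ("2023-05-02T10:14:02", "C:\\Users\\admin\\Downloads\\upd.exe",
     "C:\\Windows\\System32\\taskkill.exe", "taskkill /F /IM mysqld.exe"),
    ("2023-05-02T10:14:03", "C:\\Users\\admin\\Downloads\\upd.exe",
     "C:\\Windows\\System32\\net.exe", "net stop MSExchangeIS /y"),
    ("2023-05-02T10:14:05", "C:\\Users\\admin\\Downloads\\upd.exe",
     "C:\\Windows\\System32\\sc.exe", "sc stop MSSQLSERVER"),
    ("2023-05-02T10:30:00", "C:\\Windows\\System32\\cmd.exe",
     "C:\\Windows\\System32\\net.exe", "net stop mysql"),
    ("2023-05-02T10:31:00", "C:\\Windows\\System32\\cmd.exe",
     "C:\\Windows\\System32\\taskkill.exe", "taskkill /IM notepad.exe /F"),
]


def targets_in_cmdline(image, cmdline):
    """Return the watched process/service names a kill command refers to."""
    tool = image.rsplit("\\", 1)[-1].lower()
    if tool not in KILL_TOOLS:
        return set()
    pattern = IM_RE if tool == "taskkill.exe" else STOP_RE
    found = {m.lower() for m in pattern.findall(cmdline)}
    return found & WATCHED_TARGETS


def find_kill_bursts(events, threshold=3, window_seconds=60):
    """Return parents that hit >= threshold distinct watched targets within the window.

    Result maps parent image -> {"first_seen": iso timestamp, "targets": sorted names}.
    """
    per_parent = defaultdict(list)
    for ts, parent, image, cmdline in events:
        targets = targets_in_cmdline(image, cmdline)
        if targets:
            per_parent[parent].append((datetime.fromisoformat(ts), targets))

    window = timedelta(seconds=window_seconds)
    hits = {}
    for parent, kills in per_parent.items():
        kills.sort(key=lambda k: k[0])
        for i, (start, _) in enumerate(kills):      # sliding window over kill events
            seen = set()
            for ts, targets in kills[i:]:
                if ts - start > window:
                    break
                seen |= targets
            if len(seen) >= threshold:
                hits[parent] = {"first_seen": start.isoformat(), "targets": sorted(seen)}
                break
    return hits


if __name__ == "__main__":
    for parent, info in find_kill_bursts(SAMPLE_EVENTS).items():
        print(f"{info['first_seen']} {parent} killed {', '.join(info['targets'])}")
```

The benign admin session stops a single service and kills an unwatched process, so it stays below the threshold; the dropped binary is reported once with every target it hit. In production you would feed real process-creation telemetry and tune the target list to the services actually running on the host.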
Secondly, the exclusion list has been expanded with more directories and file types that are skipped during encryption. Leaving system directories and already-processed files alone keeps the machine usable after the attack and avoids re-encrypting or corrupting files that could then never be restored, which would leave victims no incentive to pay for a decryptor.
Thirdly, the gang has updated its ransom notes, adding a quTox contact for live victim support and stating that the threat actors will publish all stolen data on their Tor site if the demands are not met within three days.
Defensive Recommendations for Cuba ransomware
- Enable Elastic Security memory and ransomware protections.
- Maintain backups of critical systems, kept offline or otherwise out of reach of the credentials the attackers obtain, to allow quick recovery.
- Enforce two-factor authentication wherever possible, especially on RDP and other remote-access paths used for lateral movement.
- Keep all operating systems and software up to date; timely patching is one of the most efficient and cost-effective steps security teams can take to minimize their exposure.
- Reduce the attack surface of internet-exposed hosts such as servers and network devices.
- Segment the network to limit lateral movement over RDP, SMB, and PsExec.
The continued refinement of the Cuba ransomware variant indicates that the group will remain a threat to organizations in the coming months, mainly those located in North America.