CISA and FBI say ransomware attacks are on the rise
A joint Cybersecurity Advisory (CSA), #StopRansomware: Cuba Ransomware, from CISA and the FBI warns that a ransomware gang has attacked more than 100 organizations across the world and received more than $60 million in ransom payments. The latest CSA alerts that there is a surge both in ransom demands and in the number of organizations attacked by the Cuba ransomware group.
According to the warning, Cuba ransomware attacks target healthcare, critical infrastructure, financial services, government services, technology and other sectors. The CSA says that, despite the name, the gang has no association with the country of Cuba. The FBI alerts that the ransomware group has attacked over 100 targets across the world and has demanded more than $145 million in ransom payments, receiving $60 million in extortion payments.
Key updates from the FBI and CISA include:
- FBI has identified a sharp increase in both the number of compromised U.S. entities and the ransom amounts demanded by Cuba ransomware actors.
- Since spring 2022, Cuba ransomware actors have expanded their TTPs.
- Third-party and open-source reports have identified a possible link between Cuba ransomware actors, RomCom Remote Access Trojan (RAT) actors, and Industrial Spy ransomware actors.
The group conducts double extortion attacks: it not only encrypts data and demands a ransom payment, but also threatens to leak data stolen from the target if the victim fails to pay the ransom (demanded in Bitcoin).
New Ransomware Techniques used by Threat Actors
This is the second CSA warning from CISA and the FBI about Cuba ransomware; the first came in December 2021. The new warning was issued because of a sudden increase in the number of attacks, and because the threat actors have refined their techniques to make the attacks harder to detect and harder to stop.
These techniques include abusing a vulnerability in the Windows Common Log File System (CLFS) driver (CVE-2022-24521) to retrieve system tokens and elevate privileges, while deploying a PowerShell script to identify service accounts in order to gain access to high-level system controls.
Cuba Ransomware behind attacks
Cuba ransomware actors were also found exploiting Zerologon, a flaw in the Microsoft Windows Netlogon authentication protocol (CVE-2020-1472), to obtain domain administrator rights. Zerologon was disclosed in September 2020 and was termed an "unacceptable risk" at that time; however, two years later, threat actors are still able to abuse it.
The techniques that Cuba ransomware uses to gain initial access to a victim's systems include exploiting known flaws in commercial software, phishing campaigns, using stolen user data and passwords, and abusing legitimate Remote Desktop Protocol (RDP) applications.
Once the threat actors gain access, they install Hancitor, a malware payload that lets them easily regain access and launch operations on the compromised network, and which is ultimately used to drop and launch the ransomware payload.
"FBI and CISA encourage network defenders to review the joint CSA and to apply the included mitigations. See StopRansomware.gov for additional guidance on ransomware protection, detection, and response," says the CSA.