Skip to main content
Creating a new NHS England: Health Education England, NHS Digital and NHS England have merged. More about the merger.

Cuba Ransomware

Cuba is a C++ based ransomware tool targeting Windows systems. It is used in double extortion attacks against a wide range of industries in Europe and America, with the extracted information posted to a hidden leak site.

Threat ID:
CC-3855
Category:
Ransomware
Threat Severity:
Low
Threat Vector:
Email spam, Phishing
Published:
11 May 2021 3:35 PM
Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Cuba is a C++ based ransomware tool targeting Windows systems. It is used in double extortion attacks against a wide range of industries in Europe and America, with the extracted information posted to a hidden leak site.

Affected platforms

The following platforms are known to be affected:

Versions: all supported

Microsoft Windows

Threat details

Introduction

First observed in January 2020, Cuba ransomware is written in C++ and is used as the final-stage payload in double extortion campaigns. Operators use Cuba in conjunction with a leak site which publishes data extracted from compromised systems prior to encryption. Cuba has affected organisations in North and South America, and Europe across various sectors, including pharmaceutical, manufacturing, and logistics. Recently, it has been delivered by the Hancitor downloader in spam email campaigns.

Delivery

In its most recent attacks, Cuba has been deployed through spam campaigns. Emails sent in these campaigns contain a link purporting to sign a document from a popular document signing service. When users interact with this link, a macro-laden Word document containing a Hancitor payload is instead downloaded and opened. This document will extract and execute Hancitor if the user enables the macros.

Hancitor will then download several additional tools via a command and control (C2) server to facilitate lateral movement and data extraction. Cuba payloads are then delivered and installed on compromised systems using PowerShell or PsExec.

In earlier campaigns, it was unclear how Cuba was delivered, although there are unconfirmed reports suggesting it may have been distributed in spear-phishing attacks.

Activities

Once executed, Cuba uses a hardcoded list to identify and terminate various SQL and Microsoft Exchange services and processes. It then enumerates all directories and files on the host system, comparing each to a hardcoded whitelist of files to be exempt from encryption. Should a file not match those on the whitelist, Cuba begins its encryption routine. It uses a hybrid ChaCha20 and RSA encryption method; ChaCha20 with 12-bytes length IV is used to encrypt data, whilst the keys are encrypted with RSA-4096. It appends the file extension .cuba to each encrypted file and drops a ransom note in each directory where files have been encrypted.

Cuba campaigns commonly use double extortion; a technique which facilitates the theft of data before encrypting it. Cuba operators use a Tor data leak site where a compromised organisation’s data is publicly exposed if the ransom is not paid.

Remediation advice

If a device on your network becomes infected with ransomware it will begin encrypting files, which may also include remote files on network locations. The only guaranteed way to recover from a ransomware infection is to restore all affected files from their most recent backup. To limit the impact of a ransomware infection, NHS Digital advises that:

  • Critical data is frequently saved in multiple backup locations.
  • At least one backup is kept offline at any time (separated from live systems).
  • Backups and incident recovery plans are tested to ensure that data can be restored when needed.
  • User account permissions for modifying data are regularly reviewed and restricted to the minimum necessary.
  • Infected systems are disconnected from the network and powered down as soon as practicable.
  • Any user account credentials that may have been compromised should be reset on a clean device
  • Where infected systems cannot be quarantined with confidence, then an affected organisation should disconnect from national networks to limit propagation.

Additionally, to prevent and detect an infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.

Indicators of compromise

Network indicators

Domain

  • kurvalarva[.]com

Email addresses

  • admin@cuba-supp[.]com
  • cuba_support@exploit[.]im
  • fedelsupportagent@cock[.]li
  • helpadmin2@cock[.]li
  • helpadmin2@protonmail[.]com
  • iracomp2@protonmail[.]ch
  • under_amur@protonmail[.]ch
Host indicators

Filenames

  • 151.bat
  • 151.ps1
  • Kurva.ps1
  • !!FAQ for Decryption!!.txt (Ransom note)

SHA256 hashes

  • 00ddbe28a31cc91bd7b1989a9bebd43c4b5565aa0a9ed4e0ca2a5cfb290475ed
  • 1f825ef9ff3e0bb80b7076ef19b837e927efea9db123d3b2b8ec15c8510da647
  • 271ef3c1d022829f0b15f2471d05a28d4786abafd0a9e1e742bde3f6b36872ad
  • 28140885cf794ffef27f5673ca64bd680fc0b8a469453d0310aea439f7e04e64
  • 33352a38454cfc247bc7465bf177f5f97d7fd0bd220103d4422c8ec45b4d3d0e
  • 40101fb3629cdb7d53c3af19dea2b6245a8d8aa9f28febd052bb9d792cfbefa6
  • 54627975c0befee0075d6da1a53af9403f047d9e367389e48ae0d25c2a7154bc
  • 6396ea2ef48aa3d3a61fb2e1ca50ac3711c376ec2b67dbaf64eeba49f5dfa9df
  • 672fb249e520f4496e72021f887f8bb86fec5604317d8af3f0800d49aa157be1
  • 729950ce621a4bc6579957eabb3d1668498c805738ee5e83b74d5edaf2f4cb9e
  • 78ce13d09d828fc8b06cf55f8247bac07379d0c8b8c8b1a6996c29163fa4b659
  • 7a17f344d916f7f0272b9480336fb05d33147b8be2e71c3261ea30a32d73fecb
  • 907f42a79192a016154f11927fbb1e6f661f679d68947bddc714f5acc4aa66eb
  • 944ee8789cc929d2efda5790669e5266fe80910cabf1050cbb3e57dc62de2040
  • 9882c2f5a95d7680626470f6c0d3609c7590eb552065f81ab41ffe074ea74e82
  • bda4bddcbd140e4012bab453e28a4fba86f16ac8983d7db391043eab627e9fa1
  • c206593d626e1f8b9c5d15b9b5ec16a298890e8bae61a232c2104cbac8d51bdd
  • c385ef710cbdd8ba7759e084051f5742b6fa8a6b65340a9795f48d0a425fec61
  • c4b1f4e1ac9a28cc9e50195b29dde8bd54527abc7f4d16899f9f8315c852afd4
  • e942a8bcb3d4a6f6df6a6522e4d5c58d25cdbe369ecda1356a66dacbd3945d30

Exempted file types

  • .exe
  • .dll
  • .sys
  • .ini
  • .cuba

Exempted folders

  • C:\Windows\
  • C:\Program Files\Microsoft Office\
  • C:\Program Files (x86)\Microsoft Office\
  • C:\$Recycle.Bin\
  • C:\Boot\
  • C:\Recovery\
  • C:\System Volume Information\
  • C:\MSOCache\
  • C:\Users\Default Users\
  • C:\Users\Default\
  • C:\INetCache\
  • C:\Google\
  • C:\Temp

Terminated services

  • MSExchangeUMCR
  • MSExchangePOP3BE
  • MSExchangeUM
  • MSExchangePop3
  • MSExchangeTransportLogSearch
  • MSExchangeNotificationsBroker
  • MSExchangeTransport
  • MSExchangeMailboxReplication
  • MSExchangeThrottling
  • MSExchangeMailboxAssistants
  • MSExchangeSubmission
  • MSExchangeIS
  • MSExchangeServiceHost
  • MSExchangeIMAP4BE
  • MSExchangeRPC
  • MSExchangeImap4
  • MSExchangeRepl
  • MSExchangeHMRecovery
  • MSExchangeDiagnostics
  • MSExchangeHM
  • MSExchangeDelivery
  • MSExchangeFrontEndTransport
  • MSExchangeDagMgmt
  • MSExchangeFastSearch
  • MSExchangeCompliance
  • MSExchangeEdgeSync
  • MSExchangeAntispamUpdate
  • MySQL80
  • SQLSERVERAGENT
  • SQLWriter
  • MSSQLSERVER
  • SQLTELEMETRY
  • SQLBrowser
  • vmcompute
  • vmms

Terminated processes

  • sqlagent.exe
  • sqlbrowser.exe
  • sqlservr.exe
  • outlook.exe
  • sqlwriter.exe
  • vmwp.exe
  • sqlceip.exe
  • vmsp.exe
  • msdtc.exe
Yara rules

Yara rule courtesy of Blackberry Threat Research Team, Blackberry 22 April 2021

import "pe"

rule Mal_W32_Ransom_Cuba

{

    meta:

        description = "Cuba Ransomware"

        author = "Blackberry Threat Research"

        date = "2021-04-12"

    strings:

        //Good day. All your files are encrypted. For decryption contact us. 

        $x0 = {476f6f64206461792e20416c6c20796f75722066696c65732061726520656e637279707465642e20466f722064656372797074696f6e20636f6e746163742075732e}

        //We also inform that your databases, ftp server and file server were downloaded by us to our servers. 

        $x1 = {576520616c736f20696e666f726d207468617420796f7572206461746162617365732c206674702073657276657220616e642066696c6520736572766572207765726520646f

776e6c6f6164656420627920757320746f206f757220736572766572732e}

        //FIDEL.CA 

        $x2 = {464944454c2e4341}

        //!!FAQ for Decryption!!.txt 

        $x3 = {21002100460041005100200066006f0072002000440065006300720079007000740069006f006e00210021002e00740078007400}

        //MySQL80

        $x4 = {4d007900530051004c0038003000}

        //MSSQLSERVER 

        $x5 = {4d005300530051004c00530045005200560045005200}

        //SQLWriter

        $x6 = {530051004c00570072006900740065007200}

        //SQLBrowser

        $x7 = {530051004c00420072006f007700730065007200}

        //sqlservr.exe

        $x8 = {730071006c00730065007200760072002e00650078006500}

    condition:

        uint16(0) == 0x5A4D and

        filesize < 3MB and

        pe.imports("mpr.dll", "WnetEnumResourceW") and

        pe.imports("mpr.dll", "WNetCloseEnum") and

        pe.imports("mpr.dll", "WNetOpenEnumW") and

        pe.imports("netapi32.dll", "NetShareEnum") and

    8 of ($x*)

}

MITRE ATT&CK techniques

Execution

T1059 - Command and Scripting Interpreter

T1059.001 - Command and Scripting Interpreter: PowerShell

T1129 - Shared Modules

T1569.002 - System Services: Service Execution

Privilege escalation

T1134 - Access Token Manipulation

Defence evasion

T1027 - Obfuscated Files or Information

T1222 - File and Directory Permissions Modification

Discovery

T1007 - System Service Discovery

T1057 - Process Discovery

T1082 - System Information Discovery

T1083 - File and Directory Discovery

Collection

T1056.001 - Input Capture: Keylogging

Impact

T1486 - Data Encrypted for Impact

T1489 - Service Stop

Last edited: 11 May 2021 4:27 pm