Cuba ransomware is a ransomware family that has been regularly observed since its first discovery in 2020. The family has been associated with numerous groups, including UNC2596 (tracked by Mandiant) and Tropical Scorpius (tracked by Unit 42). Because this ransomware variant is not consistently employed by the same threat actor, the early kill chain TTPs of intrusions culminating in the deployment of Cuba ransomware vary. Actors have been observed gaining initial access to networks through exploitation of Microsoft Exchange vulnerabilities, including ProxyShell and ProxyLogon. Following initial access, actors have been observed using various external tools (including numerous drivers) to disable endpoint protection and to enumerate hosts prior to deployment of Cuba ransomware. One of the more recent notable victims of a Cuba ransomware infection was the Government of Montenegro, which was targeted in early September, resulting in significant impact to its government networks.
In this article we focus on the execution of one of the recent Cuba ransomware samples and look in detail at the security events generated when this ransomware is executed in a FortiEDR-protected environment. This article does not cover detection and mitigation of pre-ransomware TTPs.
Cuba ransomware was first observed in the first quarter of 2020 and resurfaced around November 2021. The sample analyzed in this article was first seen in May this year. It is a 32-bit Windows executable. On execution, the ransomware begins encrypting files immediately and renames each encrypted file with a new extension, "cuba". As part of the encryption process, Cuba ransomware drops a copy of a ransom note into every accessible folder.
The ransomware avoids encrypting files with extensions such as exe, dll, sys, ini, lnk, vbm, and cuba. It also avoids encrypting files located in the following folders:
| Excluded folder | Excluded folder |
| --- | --- |
| \windows\ | \system volume information\ |
| \program files\microsoft office\ | \msocache\ |
| \program files (x86)\microsoft office\ | \users\all users\ |
| \program files\avs\ | \users\default user\ |
| \program files (x86)\avs\ | \users\default\ |
| \$recycle.bin\ | \temp\ |
| \boot\ | \inetcache\ |
| \recovery\ | \google\ |

Table 1. List of whitelisted folders avoided by Cuba ransomware file encryption.
These exclusions are built into the ransomware to ensure that the endpoint remains functional and that the encryption operations do not permanently affect it once the user has applied the decryption key. FortiEDR blocks the execution of Cuba ransomware when it sees the file rename events generated on the endpoint (see Figure 1). Several FortiEDR rules are triggered during this event. The main rule is called Ransomware Prevention, and several sub-categories are triggered as follows:
Figure 1. FortiEDR blocks the encryption events by Cuba ransomware
Cuba ransomware encrypts the majority of files on a victim endpoint across a broad range of folders. The encrypted files are renamed with the extension "cuba". Figure 2 below shows the list of files renamed by Cuba ransomware in FortiEDR's threat hunting page.
Figure 2. FortiEDR’s threat hunting page shows the files renamed by Cuba ransomware
FortiEDR blocks the creation of the ransom note, "!! READ ME !!.txt" (see Figure 3), as the Cuba ransomware sample is flagged as a malicious file based on its file hash.
Figure 3. FortiEDR prevents the creation of the ransom note file.
Cuba ransomware uses several versions of the ransom note; the sample analyzed in this article drops the ransom note shown in Figure 4 below.
Figure 4. Ransom note used by the recent sample
Like many ransomware gangs, the Cuba ransomware gang maintains a leak site where it hosts content stolen from victim organisations that did not pay the ransom. The Cuba leak site opens with a welcome page stating that it contains information about the companies that did not want to cooperate with the gang.
Based on the contents of the ransom note, the ransomware gang threatens compromised users or companies that their data will be posted on the leak site if they do not make contact within 3 days. The leak site has links to some entities that lead to a web page containing several data files. It is hard to tell whether the files are actually data from the compromised computers. See Figure 5 below.
Figure 5. Cuba ransomware’s leak site (upper page)
Just below the welcome page is a list of companies whose information has been leaked, according to the threat actors' claims. There is a free version (Figure 6) and paid content (Figure 7).
Figure 6. Cuba ransomware’s leak site (possible compromised entities – free version)
Figure 7. Cuba ransomware’s leak site (possible compromised entities – paid version)
Cuba ransomware is a typical ransomware that encrypts files and renames each encrypted file with a new extension, "cuba". As demonstrated above, FortiEDR is able to detect and block execution of Cuba ransomware executables and to detect and prevent the encryption of files by this ransomware. FortiEDR is also able to monitor the creation of the ransom note in folders with encrypted files. Additional detection methods are available below through the use of FortiEDR Threat Hunting telemetry.
This query returns all file rename events for target files with the extension "cuba". Encrypted files are renamed with the extension "cuba" following encryption. There are no expected false positives associated with this activity, as this is a non-standard file extension:
This query returns all file create events for "!! READ ME !!.txt". A ransom note, "!! READ ME !!.txt", was dropped in every accessible folder in the Cuba ransomware activity observed by the FortiGuard MDR team. There are no expected false positives associated with this activity:
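The two threat-hunting queries above implemented as detection logic over sample file events, as an added example (not Fortinet code and not FortiEDR query syntax): the pipe-delimited event format, the process names, the sample paths and the rename threshold are all assumptions; the ransom note name and the "cuba" extension come from the article.

```python
"""Detection logic for the two FortiEDR threat-hunting queries described above (added example, not
Fortinet code or FortiEDR query syntax). Runs over constructed sample events in an assumed
'ts|host|process|type|src|dst' line format; process names and the rename threshold are assumed too."""
from collections import Counter
from pathlib import PureWindowsPath

RANSOM_NOTE = "!! READ ME !!.txt"   # ransom note file name from the article
ENCRYPTED_EXT = ".cuba"             # extension given to encrypted files (from the article)
RENAME_THRESHOLD = 5                # assumed: .cuba renames on one host before alerting

# Constructed sample telemetry (not real FortiEDR output).
SAMPLE_EVENTS = """\
2022-05-17T10:01:02Z|WS01|payload.exe|FileRename|C:\\Users\\a\\Documents\\q1.xlsx|C:\\Users\\a\\Documents\\q1.xlsx.cuba
2022-05-17T10:01:02Z|WS01|payload.exe|FileRename|C:\\Users\\a\\Documents\\plan.docx|C:\\Users\\a\\Documents\\plan.docx.cuba
2022-05-17T10:01:03Z|WS01|payload.exe|FileCreate||C:\\Users\\a\\Documents\\!! READ ME !!.txt
2022-05-17T10:01:03Z|WS01|payload.exe|FileRename|C:\\Share\\db.bak|C:\\Share\\db.bak.cuba
2022-05-17T10:01:04Z|WS01|payload.exe|FileRename|C:\\Share\\img.png|C:\\Share\\img.png.cuba
2022-05-17T10:01:05Z|WS01|payload.exe|FileRename|C:\\Share\\a.pdf|C:\\Share\\a.pdf.cuba
2022-05-17T10:02:00Z|WS02|explorer.exe|FileRename|C:\\Users\\b\\old.txt|C:\\Users\\b\\old.txt.bak
2022-05-17T10:02:01Z|WS02|winword.exe|FileCreate||C:\\Users\\b\\readme.txt
2022-05-17T10:03:00Z|WS03|unknown.exe|FileCreate||D:\\data\\!! read me !!.TXT
"""

def parse_events(text):
    """Split pipe-delimited lines into event dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, etype, src, dst = line.split("|")
        events.append({"ts": ts, "host": host, "process": proc, "type": etype, "src": src, "dst": dst})
    return events

def is_cuba_rename(ev):
    """Query 1: rename events whose target name ends in '.cuba' (case-insensitive)."""
    return ev["type"] == "FileRename" and ev["dst"].lower().endswith(ENCRYPTED_EXT)

def is_ransom_note_create(ev):
    """Query 2: create events for the ransom note, matched on the file name in any folder."""
    return ev["type"] == "FileCreate" and PureWindowsPath(ev["dst"]).name.lower() == RANSOM_NOTE.lower()

def hunt(events):
    """Per-host summary: alert on any ransom note drop or on a burst of .cuba renames."""
    renames = Counter(ev["host"] for ev in events if is_cuba_rename(ev))
    notes = Counter(ev["host"] for ev in events if is_ransom_note_create(ev))
    return {host: {"cuba_renames": renames[host], "ransom_notes": notes[host],
                   "alert": notes[host] > 0 or renames[host] >= RENAME_THRESHOLD}
            for host in sorted(set(renames) | set(notes))}

ALERTS = hunt(parse_events(SAMPLE_EVENTS))  # e.g. ALERTS["WS01"]["alert"] is True, WS02 is absent
```

Hosts with no matching event (WS02 here) never appear in the result, and the ransom note is matched on its name alone because it is dropped into every accessible folder.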
| Technique ID | Technique Description | Observed Activity |
| --- | --- | --- |
| T1486 | Data Encrypted for Impact | Similar to common ransomware, Cuba ransomware encrypts files in every accessible folder, while it avoids encrypting files from the list of folders found in Table 1. |
| T1027.002 | Obfuscated Files or Information: Software Packing | Cuba ransomware uses custom packers to hide its payload. |
| Indicator Description | Indicator | Indicator Type | Associated Tactic | Notes | First Observed |
| --- | --- | --- | --- | --- | --- |
| Cuba ransomware sample | 064E77464964A9A96CE79B56FE4D8B9E740D4E1F | SHA1 Hash | Installation | Cuba ransomware sample discussed in the article. It is also found in VT and the FortiGuard Threat Intelligence database. | 2022-05-17 |
| Cuba ransomware sample | DCE10F420E527BBB7EDA14F15FA261B647FB0D56 | SHA1 Hash | Installation | Cuba ransomware sample found in the FortiGuard Threat Intelligence database. | 2022-08-16 |
| Cuba ransomware sample | EACED2FCFDCBF3DCA4DD77333AAAB055345F3AB4 | SHA1 Hash | Installation | Cuba ransomware sample found in VT. | 2022-03-10 |
Copyright 2023 Fortinet, Inc. All Rights Reserved.