FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
ralvarez
Staff
Article Id 229853

Introduction

 

Cuba ransomware is a ransomware family that has been observed regularly since its first discovery in 2020. It has been associated with several groups, including UNC2596 (tracked by Mandiant) and Tropical Scorpius (tracked by Unit 42). Because this ransomware is not consistently deployed by the same threat actor, the early kill-chain TTPs of intrusions that end in Cuba ransomware deployment vary. Actors have been observed gaining initial access to networks by exploiting Microsoft Exchange vulnerabilities, including ProxyShell and ProxyLogon. Following initial access, actors have used various external tools (including numerous drivers) to disable endpoint protection and to enumerate hosts before deploying Cuba ransomware. One of the more notable recent victims of a Cuba ransomware infection was the Government of Montenegro, which was targeted in early September with significant impact to its government networks.

 

In this article we focus on the execution of a recent Cuba ransomware sample and look in detail at the security events generated when it is executed in a FortiEDR-protected environment. Detection and mitigation of pre-ransomware TTPs are out of scope for this article.

 

Initial Execution

 

Cuba ransomware was first observed in the first quarter of 2020 and resurfaced around November 2021. The sample analyzed in this article was first seen in May 2022. It is a 32-bit Windows executable. On execution, the ransomware begins encrypting files immediately and renames each encrypted file with the new extension "cuba". As part of the encryption process, Cuba ransomware drops a copy of the ransom note into every accessible folder.

 

File Encryption

 

The ransomware avoids encrypting files with extensions such as exe, dll, sys, ini, lnk, vbm and cuba. It also skips files located in the following folders:

\windows\
\program files\microsoft office\
\program files (x86)\microsoft office\
\program files\avs\
\program files (x86)\avs\
\$recycle.bin\
\boot\
\recovery\
\system volume information\
\msocache\
\users\all users\
\users\default user\
\users\default\
\temp\
\inetcache\
\google\

Table 1. List of whitelisted folders that Cuba ransomware does not encrypt.
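The following is an added example written for this article; it is neither FortiEDR code nor the ransomware's own code. It models the target-selection rules just described (skip the folders in Table 1 and the listed extensions) and shows one defensive use of them: checking that a canary (honey) file is placed somewhere the ransomware would actually touch, since a canary inside an excluded folder or with an excluded extension never fires. The page does not state how the malware matches folder names, so case-insensitive substring matching on the normalized directory path is an assumption of this example; the sample paths are constructed, not taken from an infected host.

```python
"""Added example (not FortiEDR code, not the ransomware's own code).

Models the exclusion rules from Table 1 and the extension list above.
ASSUMPTION: folder names are matched case-insensitively as "\name\" segments
anywhere in the normalized directory path; the real matching rule is not
documented on the page.
"""

# Folders from Table 1, lower-case, with leading and trailing backslashes.
EXCLUDED_FOLDERS = [
    "\\windows\\", "\\system volume information\\",
    "\\program files\\microsoft office\\", "\\msocache\\",
    "\\program files (x86)\\microsoft office\\", "\\users\\all users\\",
    "\\program files\\avs\\", "\\users\\default user\\",
    "\\program files (x86)\\avs\\", "\\users\\default\\",
    "\\$recycle.bin\\", "\\temp\\",
    "\\boot\\", "\\inetcache\\",
    "\\recovery\\", "\\google\\",
]

# Extensions the text names as skipped ("such as", so the real list may be longer).
EXCLUDED_EXTENSIONS = {"exe", "dll", "sys", "ini", "lnk", "vbm", "cuba"}


def _normalize(path):
    """Return (directory, filename), lower-case, backslash separators, drive letter stripped.

    "C:\\Windows\\System32\\hosts" -> ("\\windows\\system32\\", "hosts")
    """
    p = path.replace("/", "\\").lower()
    if len(p) >= 2 and p[1] == ":":      # drop "c:" so Table 1 entries match from the root
        p = p[2:]
    directory, _, name = p.rpartition("\\")
    return directory + "\\", name        # trailing "\" so "\windows\" matches a whole segment


def would_encrypt(path):
    """True if a file at this path falls outside every exclusion and would be encrypted."""
    directory, name = _normalize(path)
    if any(folder in directory for folder in EXCLUDED_FOLDERS):   # assumed substring match
        return False
    ext = name.rsplit(".", 1)[1] if "." in name else ""
    return ext not in EXCLUDED_EXTENSIONS


def valid_canary_paths(candidates):
    """Keep only candidate canary locations that the ransomware would touch."""
    return [p for p in candidates if would_encrypt(p)]


if __name__ == "__main__":
    # Constructed sample paths (not from a real infection).
    for p in [
        "C:\\Users\\alice\\Documents\\budget.xlsx",
        "C:\\Windows\\System32\\drivers\\etc\\hosts",
        "C:\\Users\\alice\\AppData\\Local\\Temp\\scratch.txt",
        "C:\\Users\\alice\\Desktop\\notes.lnk",
        "D:\\shares\\finance\\report.docx.cuba",
    ]:
        print(f"{'ENCRYPT' if would_encrypt(p) else 'skip   '}  {p}")
```

Note that a substring rule is deliberately broad: under it, "\temp\" also excludes a user's AppData\Local\Temp and "\google\" excludes any folder with that name, which is worth remembering when deciding where a canary file will be placed.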

 

These exclusions are built into the ransomware so that the endpoint remains bootable and usable, and can be fully restored once the victim applies the decryption key. FortiEDR blocks the execution of Cuba ransomware when it observes the file rename events generated on the endpoint (see Figure 1). Several FortiEDR rules are triggered by this activity. The main rule is Ransomware Prevention, and the following sub-categories are triggered:

  1. Suspicious Packer - Activity by an application packed by a suspicious packer was detected. A packer is a software component mainly used to reduce executable file sizes. Packers are commonly used by malware, software installers and software protection applications. Malware, however, often tries to disguise itself as a common packer to avoid detection by anti-virus software.
  2. Writeable Code - Identified an executable with writable code. Each executable file has pre-defined executable sections. Normally, these sections are read-only and cannot be modified unless their protection attributes are explicitly changed at runtime. Such an action is normally an indication of tampering with executable code at runtime. This kind of action is common in malware and exploits that try to modify the code of in-memory executables.
  3. File Encryptor - Suspicious file modification. A process tried to encrypt files or to make suspicious modifications to files.

cubaransomware01.png

Figure 1. FortiEDR blocks the encryption events by Cuba ransomware

 

Cuba ransomware encrypts the majority of files on a victim endpoint across a broad range of folders, renaming each encrypted file with the extension “cuba”. Figure 2 below shows the list of files renamed by Cuba ransomware in FortiEDR’s Threat Hunting page.

cubaransomware02.png

Figure 2. FortiEDR’s threat hunting page shows the files renamed by Cuba ransomware

 

Ransom Note

 

FortiEDR also blocks the creation of the ransom note, “!! READ ME !!.txt” (see Figure 3), because the Cuba ransomware sample is flagged as a malicious file based on its file hash.

cubaransomware03.png

Figure 3. FortiEDR prevents the creation of the ransom note file.

 

Cuba ransomware uses several versions of the ransom note; the sample analyzed in this article drops the note shown below in Figure 4.

cubaransomware04.png

Figure 4. Ransom note used by the recent sample

 

Leak Site

 

Like many ransomware gangs, the Cuba ransomware gang maintains a leak site where it hosts content stolen from victim organisations that did not pay the ransom. The Cuba leak site opens with a welcome page stating that it contains information about companies that did not want to cooperate with the gang.

 

According to the ransom note, the gang threatens compromised users or companies that their data will be posted on the leak site if they do not make contact within 3 days. The leak site links to a number of entities, each leading to a page containing several data files. It is hard to tell whether these files are actually data from the compromised systems. See Figure 5 below.

cubaransomware05.png

Figure 5. Cuba ransomware’s leak site (upper page)

 

Just below the welcome page is a list of companies whose information, according to the threat actors, has been leaked. There is a free section (Figure 6) and paid content (Figure 7).

cubaransomware06.png

Figure 6. Cuba ransomware’s leak site (possible compromised entities – free version)

 

cubaransomware07.png

 Figure 7. Cuba ransomware’s leak site (possible compromised entities – paid version)

 

Conclusion

 

Cuba ransomware is a typical ransomware: it encrypts files and renames each encrypted file with the new extension "cuba". As demonstrated above, FortiEDR detects and blocks execution of Cuba ransomware executables and prevents the encryption of files by this ransomware. FortiEDR also monitors the creation of the ransom note in folders containing encrypted files. Additional detection methods using FortiEDR Threat Hunting telemetry are given below.

 

Threat Hunting

 

This query returns all file rename events whose target file has the extension "cuba". Encrypted files are renamed with this extension following encryption. No false positives are expected, as this is a non-standard file extension:

Type:("File Rename") AND Target.File.AdditionalData.TargetPath:("*.cuba")

 

This query returns all file create events for the ransom note "!! READ ME !!.txt". In Cuba ransomware activity observed by the FortiGuard MDR team, a ransom note with this name was dropped in every accessible folder. No false positives are expected for this activity:

Type:("File Create") AND Target.File.Name:("\!\! READ ME \!\!.txt") 
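As an added example, not part of this article or of FortiEDR, the two threat-hunting queries above are re-implemented below as plain Python over constructed event records, so the matching logic can be tried offline. The field names follow the queries as printed (Type, Target.File.Name, Target.File.AdditionalData.TargetPath); the flat dictionary layout, the "Device" field and the sample events are assumptions made for this example, not FortiEDR's export format or real telemetry. It goes one step beyond the queries by tallying hits per host, so that a single stray match can be told apart from an endpoint under mass encryption and from a file server that only received the note.

```python
"""Added example (not FortiEDR code): the two hunting queries as Python predicates.

ASSUMPTIONS: events are flat dicts keyed by the field names in the queries,
plus a "Device" field for the host; the records below are constructed.
"""
from collections import defaultdict

RANSOM_NOTE = "!! READ ME !!.txt"
ENCRYPTED_EXT = ".cuba"

# Constructed sample telemetry (not real FortiEDR output).
EVENTS = [
    {"Type": "File Rename", "Device": "WS-01",
     "Target.File.AdditionalData.TargetPath": "C:\\Users\\alice\\Documents\\q3.xlsx.cuba"},
    {"Type": "File Rename", "Device": "WS-01",
     "Target.File.AdditionalData.TargetPath": "C:\\Users\\alice\\Documents\\plan.docx.cuba"},
    {"Type": "File Create", "Device": "WS-01", "Target.File.Name": RANSOM_NOTE},
    {"Type": "File Rename", "Device": "WS-01",
     "Target.File.AdditionalData.TargetPath": "C:\\Users\\alice\\Pictures\\cat.jpg.CUBA"},
    {"Type": "File Create", "Device": "WS-01", "Target.File.Name": RANSOM_NOTE},
    # Benign activity on another host: an ordinary rename and an unrelated README.
    {"Type": "File Rename", "Device": "WS-02",
     "Target.File.AdditionalData.TargetPath": "C:\\Users\\bob\\Documents\\draft-v2.docx"},
    {"Type": "File Create", "Device": "WS-02", "Target.File.Name": "README.txt"},
    # A file server that only received the note (e.g. a share written to from WS-01).
    {"Type": "File Create", "Device": "SRV-FS01", "Target.File.Name": RANSOM_NOTE},
]


def is_cuba_rename(event):
    """First query: a File Rename whose target path ends in .cuba."""
    target = event.get("Target.File.AdditionalData.TargetPath", "")
    # Windows file names are case-insensitive, so compare lower-cased.
    return event.get("Type") == "File Rename" and target.lower().endswith(ENCRYPTED_EXT)


def is_ransom_note_create(event):
    """Second query: a File Create of the ransom note by exact (case-insensitive) name."""
    return (event.get("Type") == "File Create"
            and event.get("Target.File.Name", "").lower() == RANSOM_NOTE.lower())


def hunt(events):
    """Per-host tallies of both indicators; hosts with no hits are omitted."""
    per_host = defaultdict(lambda: {"cuba_renames": 0, "ransom_notes": 0})
    for ev in events:
        if is_cuba_rename(ev):
            per_host[ev["Device"]]["cuba_renames"] += 1
        elif is_ransom_note_create(ev):
            per_host[ev["Device"]]["ransom_notes"] += 1
    return dict(per_host)


def triage(events):
    """Split hits into hosts showing encryption versus hosts that only received a note."""
    encrypting, note_only = [], []
    for host, hits in sorted(hunt(events).items()):
        (encrypting if hits["cuba_renames"] else note_only).append(host)
    return {"encrypting": encrypting, "note_only": note_only}


if __name__ == "__main__":
    for host, hits in hunt(EVENTS).items():
        print(host, hits)
    print(triage(EVENTS))
```

A host that appears under "note_only" is worth a closer look: because the note is written into every accessible folder, including network shares, it can land on a server whose files were encrypted from another endpoint, and the rename events for those files will be attributed to the originating host rather than the server.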

 

MITRE ATT&CK

 

TA0040 - Impact

T1486 - Data Encrypted for Impact
Observed activity: Similar to common ransomware, Cuba ransomware encrypts files in every accessible folder, while avoiding the folders listed in Table 1.

TA0005 - Defense Evasion

T1027.002 - Obfuscated Files or Information: Software Packing
Observed activity: Cuba ransomware uses custom packers to hide its payload.

 

 

IOCs

 

Cuba ransomware sample
Indicator: 064E77464964A9A96CE79B56FE4D8B9E740D4E1F
Indicator type: SHA1 hash
Associated tactic: Installation
Notes: Cuba ransomware sample discussed in this article. Also found in VirusTotal and the FortiGuard Threat Intelligence database.
First observed: 2022-05-17

Cuba ransomware sample
Indicator: DCE10F420E527BBB7EDA14F15FA261B647FB0D56
Indicator type: SHA1 hash
Associated tactic: Installation
Notes: Cuba ransomware sample found in the FortiGuard Threat Intelligence database.
First observed: 2022-08-16

Cuba ransomware sample
Indicator: EACED2FCFDCBF3DCA4DD77333AAAB055345F3AB4
Indicator type: SHA1 hash
Associated tactic: Installation
Notes: Cuba ransomware sample found in VirusTotal.
First observed: 2022-03-10
