SafeBreach Hacker’s Playbook Updated for FBI Flash Alert (CU-000156-MW) Cuba Ransomware Attack Campaign
US Cert Alerts
On December 2nd, the Federal Bureau of Investigation (FBI) issued a flash alert to highlight ongoing malicious cyber activity by threat actors using Cuba ransomware to target and compromise at least 49 individual entities in five critical infrastructure sectors, including but not limited to the financial, government, healthcare, manufacturing, and information technology. Details of the various tactics, techniques, and procedures (TTPs) are described in FBI Flash Alert CU-000156-MW. According to the information currently available, these threat actors have demanded at least USD $74 million from their victims and have received at least USD $43.9 million in ransom payments to date.
It appears that the Cuba ransomware is distributed using Hancitor malware, a malware loader often leveraged for dropping or executing stealers, such as Remote Access Trojans (RAT) and other types of ransomware, onto the victims’ networks. Hancitor malware actors often leverage phishing emails, Microsoft Exchange vulnerabilities, compromised credentials, or legitimate Remote Desktop Protocol (RDP) tools to gain initial access to a victim’s network. The Cuba ransomware threat actors have also used legitimate Windows services—such as PowerShell, PsExec, and other unspecified services to leverage Windows Admin privileges and remotely execute their ransomware code. It was also noted that the encrypted files all have the ”.cuba” extension. Additional technical details and breakdown of the attack can be found in FBI Flash Alert CU-000156-MW.
NOTE - The SafeBreach Hacker’s Playbook has been updated to include the newly discovered tactics and techniques from this FBI Flash alert. We encourage you to test your preparedness against this ransomware variant by running the new and existing attacks listed below.
We would also like to highlight that current SafeBreach customers already had a certain level of protection against these attacks as the Hacker’s Playbook already included many (22) of the tactics, techniques, and procedures (TTPs) preferred by these threat actors (including the ones being reused for the current attacks). These attacks are listed below:
The newly updated and existing attack methods for FBI Flash Alert CU-000156-MW are already in the SafeBreach Hacker’s playbook and ready to run across your simulators. The Known Attack Series report is updated so you can run the specific attacks from this Flash alert. From the Known Attack Series report, select the Malware – Cuba Ransomware report and select Run Simulations which will run all attack methods.
You can also select all the attacks related to FBI Flash Alert CU-000156-MW, by going to the SafeBreach Playbook and filtering by Threat Name – “Malware – Cuba Ransomware“
or you can go to the “SafeBreach Scenarios” page, check out the “Recommended Scenarios” and choose the Malware – Cuba Ransomware scenario from the list of available scenarios.
Require all accounts with password logins (e.g., service account, admin accounts, and
domain admin accounts) to have strong, unique passwords.
Require multi-factor authentication.
Keep all operating systems and software up to date.
Remove unnecessary access to administrative shares, especially ADMIN$ and C$.
Use a host-based firewall.