The FBI is warning industry that one ransomware group has been behind the compromise of at least 49 critical infrastructure entities, spanning the government, financial, healthcare, manufacturing and information technology sectors.
The details were included in a flash alert to industry released by the FBI Thursday warning that the group has made more than $74 million in extortion demands and collected more than $43.9 million in ransom payments from victims through November 2021.
The document does not provide any additional information or details about the affected sectors, compromised companies or when the intrusions took place. The Bureau does provide technical indicators from an October 2021 intrusion and asks potential victims to contact it and pass along information that could help with investigation and incident response activities.
“The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, Bitcoin wallet information, the decryptor file, and/or a benign sample of an encrypted file. The FBI does not encourage paying ransoms,” the alert states.
Threat intelligence firms say the Cuba ransomware group has been active since at least early or mid-2020, and operators don’t appear to be leveraging any groundbreaking tactics or tools.
The FBI says that after initial compromise, the group uses the Hancitor downloader to deploy its ransomware. Like many hacking groups, it also relies on common tools like Cobalt Strike, PowerShell and Mimikatz to conduct post-exploitation activities, steal credentials and move laterally between systems.
Security research firm Group-IB said earlier this year that a sample of the malware they examined “wasn’t very sophisticated,” while researchers at BlackBerry wrote in April that the group’s ransomware was compiled using the C++ programming language and didn’t contain any of the code obfuscation techniques that many other ransomware groups use.
There is not much information regarding how Cuba operators gain initial access to victim systems. An alert by the UK’s National Health Service in May indicates that the group uses email spamming and phishing techniques to entice users to click on a link designed to mimic “a popular document signing service” that downloads macro-based malware, an increasingly popular tactic among cybercriminal groups.
The mitigation advice given by the FBI is equally basic in many cases. They advise organizations to use strong passwords, implement multi-factor authentication on systems and devices, patch regularly, limit administrative privileges and use a host-based firewall. The Cuba group operates a leak site for victims but is also not averse to selling the data to buyers outright.
The flash alert also has a separate section with advice for how organizations can reduce the amount of visibility that outside actors have around their internal IT environments. This includes implementing network segmentation, using network monitoring tools, disabling unused or rarely-used admin accounts after a certain time, disabling command line and scripting activities and maintaining offline and encrypted backup data.