The threat actors behind Cuba (aka COLDDRAW) ransomware have obtained more than $60 million in ransom payments and compromised over 100 entities worldwide as of August 2022.
In a new advisory shared by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), the agencies highlighted a “sharp increase in both the number of compromised U.S. entities and the ransom amounts.”
The ransomware group, also known as Tropical Scorpius, has been observed targeting financial services, government facilities, healthcare, critical manufacturing, and IT sectors, while simultaneously expanding its tactics to gain initial access and interact with breached networks.
The entry point for the attacks involves the exploitation of known security flaws, phishing, compromised credentials, and legitimate remote desktop protocol (RDP) tools, followed by distributing the ransomware via Hancitor (aka Chanitor).
Some of the flaws incorporated by Cuba into its toolset are as follows –
- CVE-2022-24521 (CVSS score: 7.8) – An elevation of privilege vulnerability in Windows Common Log File System (CLFS) Driver
- CVE-2020-1472 (CVSS score: 10.0) – An elevation of privilege vulnerability in Netlogon remote protocol (aka ZeroLogon)
“In addition to deploying ransomware, the actors have used ‘double extortion’ techniques, in which they exfiltrate victim data, and (1) demand a ransom payment to decrypt it and, (2) threaten to publicly release it if a ransom payment is not made,” CISA noted.
Cuba is also said to share links with the operators of RomCom RAT and another ransomware family called Industrial Spy, according to recent findings from BlackBerry and Palo Alto Networks Unit 42.
The RomCom RAT is distributed through trojanized versions of legitimate software such as SolarWinds Network Performance Monitor, KeePass, PDF Reader Pro, Advanced IP Scanner, pdfFiller, and Veeam Backup & Replication that are hosted on counterfeit lookalike websites.
The advisory from CISA and FBI is the latest in a series of alerts about different ransomware strains in recent months such as MedusaLocker, Zeppelin, Vice Society, Daixin Team, and Hive.