Cuba Ransomware Is Back - With New Infection Techniques
New Variant Optimizes Execution, Minimizes Unintended System Behavior
The Cuba ransomware group, which has previously targeted critical infrastructure organizations in the U.S., has updated its malware to "optimize" execution and "minimize" unintended system behavior, says security firm Trend Micro.
The threat group, which was inactive between November 2021 and April 2022, resurfaced with updated malware in April 2022, say researchers at Trend Micro and Elastic Security Labs.
"Our monitoring showed that the malware authors seem to be pushing some updates to the current binary of a new variant. The samples we examined in March and April used BUGHATCH, a custom downloader that the malicious actor did not employ in previous variants specifically for the staging phase of the infection routine," Trend Micro's researchers say.
The New Variant
The Cuba ransomware group has previously deployed Hancitor malware, a loader known for dropping or executing stealers, such as remote access Trojans and other types of ransomware, according to a December 2021 FBI alert.
In April, the threat actor deployed the new variant against two Asian organizations, the Trend Micro researchers say. While the two variants don't appear to be too different in terms of functionality, the researchers say they "have reason to believe that the updates aim to optimize its execution, minimize unintended system behavior, and provide technical support to the ransomware victims if they choose to negotiate."
Trend Micro says attacks from the group are to be expected in the next few months, likely with more updates to its malware.
Additional Termination of Processes
A key change in the updated variant is that it terminates processes belonging to the MySQL database and Microsoft Exchange Server before encryption. Trend Micro did not immediately respond to Information Security Media Group's request for information about the impact of this change, but stopping such processes is a common ransomware step: open database and mailbox-store files are locked by their service and cannot otherwise be encrypted.
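The process-termination behavior described above is visible in process-creation telemetry before any file is encrypted. The following is an added detection example written for this article; it is not code from Trend Micro, Elastic or the ransomware itself. It scans Sysmon/EDR-style process-creation events for a single parent process that issues stop or kill commands against several database and mail services within a short window. The watched service and process names (MSExchangeIS, mysqld and so on) are common defaults chosen as assumptions for the example, not names taken from the Trend Micro report, and the events are constructed inline.

```python
"""Flag a parent process that stops or kills multiple database/mail services
in a short window, a pre-encryption behaviour of ransomware.

Added example for illustration; not code from the article, Trend Micro or
Elastic. Service/process names are assumptions, events are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed watch-list: common MySQL and Exchange service/process names.
WATCHED = {
    "mysql", "mysqld", "mysqld-nt",
    "msexchangeis", "msexchangetransport", "msexchangemailboxassistants",
    "microsoft.exchange.store.worker",
}

# The usual ways a service or process is stopped on Windows.
STOP_PATTERNS = [
    re.compile(r"\bnet(?:1)?(?:\.exe)?\s+stop\s+\"?([\w.\-]+)", re.I),
    re.compile(r"\bsc(?:\.exe)?\s+stop\s+\"?([\w.\-]+)", re.I),
    re.compile(r"\btaskkill(?:\.exe)?\b.*?/im\s+\"?([\w.\-]+)", re.I),
]


def stop_target(cmdline):
    """Return the lowercased service/process a command tries to stop, or None."""
    for pat in STOP_PATTERNS:
        m = pat.search(cmdline)
        if m:
            name = m.group(1).lower()
            return name[:-4] if name.endswith(".exe") else name
    return None


def find_service_kill_bursts(events, threshold=2, window_s=60):
    """events: dicts with ts (ISO 8601), host, ppid, cmdline.

    Returns [(host, ppid, sorted watched targets)] for every parent process
    that stopped/killed at least `threshold` distinct watched targets within
    `window_s` seconds.
    """
    by_parent = defaultdict(list)
    for ev in events:
        target = stop_target(ev["cmdline"])
        if target in WATCHED:
            key = (ev["host"], ev["ppid"])
            by_parent[key].append((datetime.fromisoformat(ev["ts"]), target))

    alerts = []
    for (host, ppid), hits in by_parent.items():
        hits.sort()
        for i in range(len(hits)):  # sliding window anchored at each hit
            t0 = hits[i][0]
            names = {name for t, name in hits[i:]
                     if t - t0 <= timedelta(seconds=window_s)}
            if len(names) >= threshold:
                alerts.append((host, ppid, sorted(names)))
                break
    return alerts


# Constructed sample telemetry, not real events.
SAMPLE_EVENTS = [
    {"ts": "2022-04-20T03:12:01", "host": "srv-ex01", "ppid": 4412,
     "cmdline": "net stop MSExchangeIS /y"},
    {"ts": "2022-04-20T03:12:03", "host": "srv-ex01", "ppid": 4412,
     "cmdline": "taskkill /F /IM mysqld.exe"},
    {"ts": "2022-04-20T03:12:04", "host": "srv-ex01", "ppid": 4412,
     "cmdline": "sc stop MSExchangeTransport"},
    # Benign: an admin restarting one service in a maintenance window.
    {"ts": "2022-04-20T22:00:00", "host": "srv-db02", "ppid": 9001,
     "cmdline": "net stop MySQL"},
    {"ts": "2022-04-20T22:00:05", "host": "srv-db02", "ppid": 9001,
     "cmdline": "net start MySQL"},
]

if __name__ == "__main__":
    for host, ppid, targets in find_service_kill_bursts(SAMPLE_EVENTS):
        print(f"ALERT {host} ppid={ppid} stopped {', '.join(targets)}")
```

Keying on the parent PID rather than on the individual `net`/`sc`/`taskkill` children is what separates a ransomware pre-encryption burst from an administrator stopping one service; the threshold and window are tuning knobs, and a legitimate maintenance script that stops several services would need to be allowlisted by its parent image.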
Additions in Safelist
Another key addition in the new variant is an expanded safelist of directories and file extensions. The Cuba ransomware now skips 16 directories and seven extensions during encryption, leaving those files untouched. Trend Micro did not immediately respond to ISMG's request for information about the purpose of this feature.
New Ransom Note and Support
The third new feature is a changed ransom note. Cuba ransomware victims, Trend Micro says, can use the qTox messaging client to get technical support and negotiate ransom payments.
To help defenders detect the malware family used by Cuba, Elastic Security Labs has published YARA signatures and detection queries for it.
Unlike Trend Micro's researchers, the Elastic Security Labs researchers believe that the Cuba ransomware group has continued to follow repetitive - albeit effective - tactics, techniques and procedures for "initial access, lateral movement, exfiltration, ransomware deployment and extortion." The Elastic researchers add that the threat group is likely to "target North American and European retailers and manufacturers for cryptocurrency payments."
The Elastic Security Labs researchers say the threat group also uses other downloaders, post-exploitation tools and payloads - such as BUGHATCH, Meterpreter, Mimikatz and Cobalt Strike - for data harvesting. These payloads, they say, may also be used for data exfiltration as they all have "data movement capabilities."
Elastic also characterizes the group's activity using the Diamond Model of intrusion analysis.
The Industrial Spy Link
A separate report by Bleeping Computer suggests there may be a link between the Cuba ransomware group and the Industrial Spy marketplace used for the illicit sale of business data, intellectual property and trade secrets of top organizations. MalwareHunterTeam recently noticed that the note left by a new sample of the Industrial Spy malware reads more like an advertisement for its leak site and marketplace than like a ransom note.
Not really understand this "Industrial Spy" gang.
They pwn networks, steal files, then instead of clearly asking a ransom, they leave something more like an ad for their leak/market site?
— MalwareHunterTeam (@malwrhunterteam) April 14, 2022
Bleeping Computer's investigation found that the Tox ID and email address in Industrial Spy's ransom note were the same as those used in Cuba ransomware samples on VirusTotal.
"While this does not 100% tie the two groups together, it's very possible that the Industrial Spy threat actors simply used Cuba's information while testing the creation of their ransomware," the report says.