View All R&D Articles

Cuba Group’s Ransomware Targets Windows Computers

September 11, 2023

The Cuba ransomware Group, also known as Fidel, has modified their malware variant to exploit a vulnerability in Microsoft’s Windows Hardware Developer Program. 

Contrary to its name, the Cuba group is believed to be based in Russia. For the past several years, Cuba has targeted critical U.S. infrastructure, but the group seems to be primarily motivated by profit — in other words, there aren’t explicit signs that they’re pursuing specific geopolitical goals.

Cuba’s most successful “product” is a ransomware variant called burntcigar, which initially utilized malicious drivers as an attack vector. The malware used a driver called “Netfilter” to plant a rootkit, allowing for infiltration (and encryption of key files). 

After Microsoft patched the vulnerability and released a security advisory, Cuba turned its attention to the SolarWinds Orion platform, exploiting another vulnerability to deploy ransomware.

But now, the attackers appear to be returning to Microsoft systems. 

The new version of burntcigar avoids detection with sophisticated methods.

On September 11, 2023 security teams at Kaspersky identified new iterations of burntcigar, which utilize encryption to avoid detection. The malware is deployed through an administrator-level login in the target’s network, deployed via Remote Desktop Protocol (RDP).

Cuba may obtain administrator credentials through initial access brokers — cybercriminal groups that collect and sell credentials to ransomware groups. 

Once the attackers have access, they deploy BUGHATCH, a custom downloader capable of executing files.

Per a Kaspersky press release:

“BUGHATCH is a sophisticated backdoor that deploys in process memory. It executes an embedded block of shellcode within the memory space allocated to it using the Windows API. Subsequently, it connects to a Command and Control (C2) server, awaiting further instructions. It can receive commands to download software like Cobalt Strike Beacon and Metasploit. The use of Veeamp in the attack strongly suggests Cuba’s involvement.”

The burntcigar ransomware gets its name from its operators — Cuba’s malware frequently contains references to the Cuban Revolution, though translation errors indicate that the group communicates in Russian.

Related: 4 Common Ransomware Attack Vectors

Who’s behind the Cuba ransomware group?

According to the U.S. Cybersecurity & Infrastructure Security Agency (CISA), Cuba is composed of at least 101 “entities.” That includes 65 entities based in the United States. 

To date, Cuba has demanded $145 million (USD) in ransom patients, receiving approximately $60 million. Prior to September 2023, the group used another ransomware loader, Hancitor, but the introduction of BUGHATCH shows that the cybercriminals are capable of finding novel exploits for known security vulnerabilities.

CISA’s advisory on Cuba ransomware contains a list of files and hashes associated with the group.

Related: The True Consequences of Ransomware Infection

To mitigate ransomware threats, take a proactive approach.

Cuba tends to target enterprise-level systems, and robust security controls can prevent infection. 

  • Systems should be updated regularly and automatically to eliminate vulnerabilities.
  • Enterprises should enforce appropriate password protocols.
  • Administrator privileges must be restricted wherever possible. 
  • Enterprises must create a recovery plan that retains multiple copies of critical data. Backups should be kept completely separate from the main system (and not connected to the primary network), as ransomware groups frequently target backups and remain dormant until deployment.

Develop a strategy for ransomware mitigation.

If you’ve encountered signs of ransomware infection — or you’re developing a disaster recovery strategy to prevent bad actors from taking your business offline — can help. 

We provide ransomware remediation, prevention, and recovery services, which pair system testing and theft monitoring to limit vulnerabilities. To learn more, call 1-800-237-4200 or fill out our brief contact form to connect with our team.