Cuba Ransomware Extorted Over $60 Million in Ransom Fees from More than 100 Entities


The threat actors behind Cuba (aka COLDDRAW) ransomware have received more than $60 million in ransom payments and compromised over 100 entities across the world as of August 2022.

In a new advisory shared by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), the agencies highlighted a "sharp increase in both the number of compromised U.S. entities and the ransom amounts."

The ransomware crew, also known as Tropical Scorpius, has been observed targeting the financial services, government facilities, healthcare, critical manufacturing, and IT sectors, while simultaneously expanding its tactics for gaining initial access and interacting with breached networks.


The entry point for the attacks involves the exploitation of known security flaws, phishing, compromised credentials, and legitimate remote desktop protocol (RDP) tools, followed by distribution of the ransomware via Hancitor (aka Chanitor).

Some of the vulnerabilities incorporated by Cuba into its toolset are as follows –

  • CVE-2022-24521 (CVSS score: 7.8) – An elevation of privilege vulnerability in the Windows Common Log File System (CLFS) Driver
  • CVE-2020-1472 (CVSS score: 10.0) – An elevation of privilege vulnerability in the Netlogon remote protocol (aka ZeroLogon)

"In addition to deploying ransomware, the actors have used 'double extortion' techniques, in which they exfiltrate victim data, and (1) demand a ransom payment to decrypt it and, (2) threaten to publicly release it if a ransom payment is not made," CISA noted.

Cuba is also said to share links with the operators of RomCom RAT and another ransomware family called Industrial Spy, according to recent findings from BlackBerry and Palo Alto Networks Unit 42.

The RomCom RAT is distributed via trojanized versions of legitimate software such as SolarWinds Network Performance Monitor, KeePass, PDF Reader Pro, Advanced IP Scanner, pdfFiller, and Veeam Backup & Replication that are hosted on counterfeit lookalike websites.

The advisory from CISA and the FBI is the latest in a series of alerts about different ransomware strains in recent months, such as MedusaLocker, Zeppelin, Vice Society, Daixin Team, and Hive.
