The US Federal Bureau of Investigation (FBI) says 49 organisations, including some in government, were hit by Cuba ransomware as of early November this year.
The attacks were spread across five “critical infrastructure” sectors which, besides government, included the financial, healthcare, manufacturing, and – as you’d expect – IT sectors. The Feds said late last week the threat actors are demanding $76m in ransoms and have already received at least $43.9m in payments.
The ransomware gang’s loader of choice, Hancitor, was the culprit, distributed via phishing emails, exploitation of Microsoft Exchange vulnerabilities, compromised credentials, or Remote Desktop Protocol (RDP) tools. Hancitor – also known as Chanitor or Tordal – enables a CobaltStrike beacon as a service on the victim’s network using a legitimate Windows service like PowerShell.
The ransomware downloads pones.exe to harvest passwords and krots.exe to allow the crims to write to the system TMP file. Once TMP is updated, the file executes in the compromised network. The TMP file then self-deletes thanks to API calls related to memory injection.
Then: voila – infected networks were communicating with a Montenegro-based malware repository URL.
The gang also used red-teaming tool/malware Mimikatz to harvest access credentials from memory, then used RDP to log in masquerading as a specific user account – meaning the miscreants could use the CobaltStrike server to communicate with the compromised user account. Meanwhile, a base64-encoded payload was loaded into memory, having been allocated memory space by one of the initial PowerShell script functions. The payload reached the remote command-and-control (C2) server, from which it could deploy the next stage of ransomware files.
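The base64-encoded, in-memory PowerShell stage described above is something defenders can look for in script-block logging. The following detector is an added example, not part of the FBI notice or this article: it pulls long base64 runs out of constructed Event ID 4104 log lines, decodes them as both raw bytes and UTF-16LE (the encoding used by -EncodedCommand), and flags decoded text that references memory-allocation or thread-creation APIs. The API list and the sample log lines are assumptions built for the demo.

```python
import base64
import re

# Memory-allocation and thread-creation API names that an in-memory stager
# tends to reference once it has carved out space for its payload. The list is
# an illustrative assumption, not the FBI's published indicator list.
INJECTION_APIS = ("VirtualAlloc", "VirtualAllocEx", "WriteProcessMemory",
                  "CreateThread", "CreateRemoteThread")

# A run of 40+ base64 characters is long enough to skip GUIDs and short tokens.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def injection_apis_in(line):
    """Decode every long base64 run in one script-block log line and return
    the injection-related API names found inside, in INJECTION_APIS order."""
    found = []
    for blob in B64_RE.findall(line):
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
        # -EncodedCommand carries UTF-16LE; FromBase64String payloads are
        # usually plain bytes, so inspect both interpretations.
        views = [raw.decode("latin-1")]
        if len(raw) % 2 == 0:
            views.append(raw.decode("utf-16-le", errors="ignore"))
        for api in INJECTION_APIS:
            if api not in found and any(api in v for v in views):
                found.append(api)
    return found


def scan(lines):
    """Map the index of each suspicious log line to the API names it hides."""
    hits = {}
    for i, line in enumerate(lines):
        apis = injection_apis_in(line)
        if apis:
            hits[i] = apis
    return hits


# Constructed sample of three Event ID 4104 script-block entries; the stager
# text is a deliberately non-functional fragment that only carries API names.
STAGER = "$addr = $VirtualAlloc.Invoke(...); $t = $CreateThread.Invoke(...)"
ENCODED = base64.b64encode(STAGER.encode("utf-16-le")).decode()
BENIGN = base64.b64encode(b"Hello world from a benign script").decode()
SAMPLE_LOGS = [
    "4104 ScriptBlockText: Get-ChildItem C:\\Users | Sort-Object Length",
    f"4104 ScriptBlockText: powershell -nop -w hidden -EncodedCommand {ENCODED}",
    f"4104 ScriptBlockText: $k = [Convert]::FromBase64String('{BENIGN}')",
]

if __name__ == "__main__":
    for idx, apis in scan(SAMPLE_LOGS).items():
        print(f"line {idx}: decoded payload references {', '.join(apis)}")
```

Only the second sample line is flagged; the benign encoded string decodes cleanly but contains no API names, so it stays silent.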
The FBI has a list of indicators of compromise in its announcement [PDF].
While the FBI knows enough to offer the details above, it wants to discover more, and is keen for those affected to share their work.
“The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, Bitcoin wallet information, the decryptor file, and/or a benign sample of an encrypted file,” said the intelligence bureau.
The Cuba group typically threatens to post sensitive files on the dark web if companies refuse the ransom. To reduce the risk of having to choose between exposed information and losing loads of cash, the FBI said network defenders should do all the normal stuff: strong, unique passwords, MFA, timely patching, removing unnecessary administrative shares and using a host-based firewall.
Segmenting networks, using monitoring tools to detect ransomware, timing out accounts, disabling command-line and scripting activities and permissions, and taking care of backups were also recommended. ®