CISA and the FBI issued a joint report on December 1, 2022, on the activities of the Russian ransomware group Cuba. Between December 2021 and August 2022, it attacked approximately 100 organizations, including government agencies, healthcare facilities, and financial institutions (its primary targets within the United States).
Cuba is also behind the spectacular attack that hit the government of Montenegro in August 2022. In France, in October 2022, the group paralyzed the information system (IS) of the town of Chaville (Hauts-de-Seine).
In 9 months, Cuba has collected more than 60 million dollars in ransom payments, out of a total of 145 million dollars demanded. This is an excellent ratio considering that many states refuse on principle to pay a single cent to cybercriminals.
“The number of U.S. entities compromised by the Cuba ransomware has doubled, and the ransoms demanded and paid are increasing,” warn CISA and the FBI.
From an operational point of view, Cuba gains access through known flaws in Microsoft products, phishing emails, or the Hancitor trojan. The group practices double extortion, first demanding a ransom to restore the locked servers, then a second one in exchange for not publishing the stolen data.
Lastly, CISA and the FBI have issued a call for any relevant information about the group to be shared with them: communication exchanges, IP addresses, Bitcoin wallets, etc.