Cuba

Malware Profile Updated 24 days ago
The Cuba ransomware, malicious software active since 2019, has been linked to a series of escalating attacks on US entities and European leaders. The criminal group behind the malware, known by various aliases such as Void Rabisu, UNC2596, Tropical Scorpius, and Storm-0978, has recently targeted women leaders within the European Union's military and political circles. In addition, the number of US entities compromised by the Cuba ransomware has doubled since December 2021, according to federal agencies, with the ransoms demanded and paid continually increasing. Notably, the Cuba ransomware gang claimed to have obtained sensitive financial and personal data from Montenegro's parliament and California's Department of Motor Vehicles.

The group is now launching attack campaigns designed to distribute an updated version of the RomCom RAT, named PEAPOD malware. This operation involves Cuba's signature custom downloader, "BugHatch," which establishes communication with command-and-control (C2) servers to download DLL files or execute commands. Targets include critical infrastructure in the US, such as the financial services, government facilities, healthcare and public health, critical manufacturing, and information technology sectors.

Meanwhile, communication security in Cuba (the country) remains a significant concern. Described as "especially insecure," the SMS system in Cuba reportedly has an automatic filter for "sensitive words." Independent journalists and activists have had to rely on private messaging apps like WhatsApp and Telegram, and on VPNs, for secure communication, often playing a cat-and-mouse game with the government to prevent their devices from being seized. However, the Cuban government has found ways to disrupt or block these messages, leading to sudden internet access cuts for critics like journalist Henry Constantin, who works for La Hora de Cuba, a media site not aligned with the communist government.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Tropical Scorpius | 2
Tropical Scorpius is a notorious malware, first identified in late 2020, associated with the Cuba ransomware gang. This malicious software has been linked to multiple cybercriminal activities, including disrupting operations, stealing personal information, and holding data hostage for ransom. The ma
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Ransomware
Exploit
Rat
Vulnerability
Downloader
Encryption
Ransom
Associated Malware
ID | Type | Votes | Profile Description
Cuba Ransomware | Unspecified | 4
The Cuba ransomware is a malicious software that first appeared on cybersecurity radars in late 2020 under the name "Tropical Scorpius." It is designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites without the user's knowledge. Once insi
RomCom | Unspecified | 2
RomCom is a type of malware, specifically a Remote Access Trojan (RAT), that has been linked to several cyber-attacks across Europe and North America. It was first identified in spring 2022, when third-party and open-source reports highlighted a potential connection between Cuba ransomware actors, R
RomCom RAT | Unspecified | 2
RomCom RAT, a type of malware, has been linked to Cuba ransomware and Industrial Spy ransomware actors since spring 2022. These malicious actors have been observed deploying the RomCom RAT and Meterpreter Reverse Shell HTTP/HTTPS proxy via a Command and Control (C2) server before initiating their ra
Cobalt Strike Beacon | Unspecified | 2
Cobalt Strike Beacon is a type of malware, malicious software designed to exploit and damage computer systems. It has recently been linked to ransomware activity, being loaded by HUI Loader under various names such as mpc.tmp, dlp.ini, vmtools.ini, and an encrypted version under vm.cfg. This malware
RomCom Remote Access Trojan | Unspecified | 2
The RomCom Remote Access Trojan (RAT) is a type of malware that has gained significant attention in the cybersecurity landscape this year. This malicious software, designed to exploit and damage computer systems, can infiltrate systems via suspicious downloads, emails, or websites, often unbeknownst
Associated Threat Actors
ID | Type | Votes | Profile Description
No associations to display
Associated Vulnerabilities
ID | Type | Votes | Profile Description
Zerologon | Unspecified | 2
Zerologon is a critical vulnerability (CVE-2020-1472) found within Microsoft's Netlogon Remote Protocol, affecting Windows Server OS versions from 2008 up to the latest available. This flaw in software design or implementation enables attackers to elevate their privileges on compromised systems. The
CVE-2020-1472 | Unspecified | 2
CVE-2020-1472, also known as the ZeroLogon vulnerability, is a critical-severity privilege escalation flaw in Microsoft's Netlogon Remote Protocol. It was patched on August 11, 2020. This vulnerability allows attackers to gain administrative access to a Windows domain controller without any authenti
CVE-2023-27532 | Unspecified | 2
CVE-2023-27532 is a high-severity vulnerability discovered in Veeam's Backup & Replication software. This flaw, disclosed in March 2023, can be exploited to breach backup infrastructure hosts. Despite its serious implications, it was not added to the Known Exploited Vulnerabilities (KEV) list until
Source Document References
Information about the Cuba malware was read from the documents corpus below. This display is limited to 20 results.
Source (Created At): Title
CISA (a year ago): #StopRansomware: Cuba Ransomware | CISA
CERT-EU (9 months ago): Cuba Ransomware Deploys New Tools: Targets Critical Infrastructure Sector in the U.S. and IT Integrator in Latin America
CERT-EU (6 months ago): The Too-Weird-to-Be-Fiction Story of Cuba’s Spying Ambassador
CERT-EU (9 months ago): From Caribbean shores to your devices: analyzing Cuba ransomware – GIXtools
CERT-EU (a year ago): FBI, CISA say Cuba ransomware gang extorted $60M from victims this year | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware - National Cyber Security Consulting
CERT-EU (a year ago): Does Surfshark Work in Cuba? (2023 Update)
CERT-EU (9 months ago): Cuba Ransomware Exploits Veeam Flaw, Targets U.S. and Latin American Entities
CERT-EU (9 months ago): Cuba Ransomware Group Exploiting Veeam Flaw in Latest Campaign
CERT-EU (9 months ago): Cuba ransomware uses Veeam exploit against critical U.S. organizations
CERT-EU (9 months ago): 'Cuba' Ransomware Group Uses Every Trick in the Book
CERT-EU (9 months ago): Cuba Ransomware Group Deploys New Malware | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU (9 months ago): Cuba ransomware group observed exploiting high-severity Veeam bug
CERT-EU (9 months ago): Cuba Ransomware Armed with New Weapons to Attack U.S Infrastructure
InfoSecurity-magazine (9 months ago): Cuba Ransomware Group Unleashes Undetectable Malware
InfoSecurity-magazine (9 months ago): Cuba Ransomware Group Steals Credentials Via Veeam Exploit
BankInfoSecurity (9 months ago): Cuba Ransomware Exploits Veeam Vulnerability
CERT-EU (3 months ago): Cuba Cuts Internet, Surveils Calls of Journalists, Report Finds
CERT-EU (9 months ago): Decoding Cuba Ransomware: An opportunity for next-gen data governance
CERT-EU (8 months ago): Cuba Ransomware Gang Continues to Evolve With Dangerous Backdoor