Cuba

Malware Profile (updated 3 months ago)
The Cuba ransomware, malicious software active since 2019, has been linked to a series of escalating attacks on US entities and European leaders. The criminal group behind the malware, known by various aliases such as Void Rabisu, UNC2596, Tropical Scorpius, and Storm-0978, has recently targeted women leaders within the European Union's military and political circles. In addition, the number of US entities compromised by the Cuba ransomware has doubled since December 2021, according to federal agencies, with the ransoms demanded and paid continually increasing. Notably, the Cuba ransomware gang claimed to have obtained sensitive financial and personal data from Montenegro's parliament and California's Department of Motor Vehicles. The group is now running attack campaigns designed to distribute an updated version of the RomCom RAT, named PEAPOD. This operation involves Cuba's signature custom downloader, "BugHatch," which establishes communication with command-and-control (C2) servers to download DLL files or execute commands. Targets include critical infrastructure in the US, such as the financial services, government facilities, healthcare and public health, critical manufacturing, and information technology sectors. Separately, and unrelated to the ransomware, communication security in the country of Cuba remains a significant concern. Described as "especially insecure," the SMS system in Cuba reportedly has an automatic filtering system based on "sensitive words." Independent journalists and activists have had to rely on private messaging apps such as WhatsApp and Telegram, and on VPNs, for secure communication, often playing a cat-and-mouse game with the government to prevent their devices from being seized. However, the Cuban government has found ways to disrupt or block these messages, leading to sudden internet access cuts for critics such as journalist Henry Constantin, who works for La Hora de Cuba, a media site not aligned with the communist government.
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions are hard to track across vendors, so here are some possibly overlapping names / profiles you may also want to look at.
ID (votes): Profile description
Tropical Scorpius (2 votes): Tropical Scorpius is a notorious malware, first identified in late 2020, associated with the Cuba ransomware gang. This malicious software has been linked to multiple cybercriminal activities, including disrupting operations, stealing personal information, and holding data hostage for ransom. The ma
Colddraw (1 vote): Colddraw, also known as Cuba and Fidel ransomware, first emerged on the cybersecurity threat landscape in 2019. This malicious software has been strategically targeting a moderate pool of victims over the years, marking encrypted files for the ransomware's and its decryptor's identification. The mal
Void Rabisu (1 vote): Void Rabisu, also known as Storm-0978, UNC2596, and Tropical Scorpius, is a malicious software (malware) notable for its use of the ROMCOM backdoor. This malware has been involved in numerous attacks, including those targeting attendees of the Women Political Leaders Summit (WPL Summit) in 2023. In
UNC2596 (1 vote): UNC2596, also known as Void Rabisu, Tropical Scorpius, and Storm-0978, is a hybrid threat actor involved in both financially motivated and espionage attacks. This group has been refining its tactics and techniques, utilizing backdoor attacks that have targeted various high-profile events, including
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Exploit, Malware, Ransomware, Ransom, Vulnerability, Encryption, Downloader, RAT, Windows, Cybercrime, Antivirus, APT, PoC, Facebook, Backdoor, Exploits, Loader, Trojan, exploited, Phishing, Bitcoin, VPN, ExpressVPN, Extortion, Lateral Move..., Payload, Evasive, AWS, RaaS
Associated Malware
ID (type, votes): Profile description
Cuba Ransomware (Unspecified, 4 votes): The Cuba ransomware is a malicious software that first appeared on cybersecurity radars in late 2020 under the name "Tropical Scorpius." It is designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites without the user's knowledge. Once insi
RomCom Remote Access Trojan (Unspecified, 2 votes): The RomCom Remote Access Trojan (RAT) is a type of malware that has gained significant attention in the cybersecurity landscape this year. This malicious software, designed to exploit and damage computer systems, can infiltrate systems via suspicious downloads, emails, or websites, often unbeknownst
Cobalt Strike Beacon (Unspecified, 2 votes): Cobalt Strike Beacon is a type of malware known for its harmful capabilities, including stealing personal information, disrupting operations, and potentially holding data hostage for ransom. The malware has been loaded by HUI Loader through various files such as mpc.tmp, dlp.ini, vmtools.ini, and an
RomCom (Unspecified, 2 votes): RomCom is a type of malware, specifically a Remote Access Trojan (RAT), that has been linked to several cyber-attacks across Europe and North America. It was first identified in spring 2022, when third-party and open-source reports highlighted a potential connection between Cuba ransomware actors, R
RomCom RAT (Unspecified, 2 votes): RomCom RAT, a type of malware, has been linked to Cuba ransomware and Industrial Spy ransomware actors since spring 2022. These malicious actors have been observed deploying the RomCom RAT and Meterpreter Reverse Shell HTTP/HTTPS proxy via a Command and Control (C2) server before initiating their ra
Fidel (Unspecified, 1 vote): Fidel is a form of malware, also known as Fidel ransomware or Colddraw, which is designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operation
PEAPOD (Unspecified, 1 vote): PEAPOD, a novel variant of the RomCom RAT malware, was discovered to have been used in targeted attacks against female political leaders who participated in the Women Political Leaders Summit in June. The threat operation responsible for these attacks is known as Void Rabisu, also referred to as Sto
Hancitor (Unspecified, 1 vote): Hancitor is a malicious software (malware) known for its ability to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once it gains access, Hancitor can steal personal information, disrupt operations, or e
Babuk (Unspecified, 1 vote): Babuk is a type of malware, specifically ransomware, which is designed to infiltrate systems and hold data hostage for ransom. It can be delivered through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside a system, Babuk can disrupt operations and steal perso
Associated Threat Actors
ID (type, votes): Profile description
Is Vendetta (Unspecified, 1 vote): V is Vendetta is a recently discovered vulnerability that appears to be associated with the notorious ransomware group known as Cuba (also referred to as COLDDRAW and Tropical Scorpius). The link between the two entities became apparent when it was found that V is Vendetta's website is hosted on the
V Is Vendetta (Unspecified, 1 vote): "V is Vendetta" has emerged as a new threat actor, identified in February of this year. This group appears to have connections with the notorious ransomware group known as Cuba (also referred to as COLDDRAW and Tropical Scorpius). The link between these two entities is evident from the fact that V i
FIN7 (Unspecified, 1 vote): FIN7, a notorious threat actor group known for its malicious activities, has recently been identified as targeting a large U.S. carmaker with phishing attacks. This group, which has previously operated behind fake cybersecurity companies such as Combi Security and Bastion Secure to recruit security
Associated Vulnerabilities
ID (type, votes): Profile description
CVE-2023-27532 (Unspecified, 2 votes): CVE-2023-27532 is a high-severity vulnerability discovered in Veeam's Backup & Replication software. This flaw, disclosed in March 2023, can be exploited to breach backup infrastructure hosts. Despite its serious implications, it was not added to the Known Exploited Vulnerabilities (KEV) list until
Zerologon (Unspecified, 2 votes): Zerologon is a critical vulnerability (CVE-2020-1472) found within Microsoft's Netlogon Remote Protocol, impacting all versions of Windows Server OS from 2008 onwards. This flaw in software design or implementation allows attackers to bypass authentication mechanisms and change computer passwords wi
CVE-2020-1472 (Unspecified, 2 votes): CVE-2020-1472, also known as the ZeroLogon vulnerability, is a critical-severity privilege escalation flaw in Microsoft's Netlogon Remote Protocol. It was patched by Microsoft on August 11, 2020. This vulnerability allows attackers to gain administrative access to a Windows domain controller without
Source Document References
Information about the Cuba malware was read from the document corpus below. This display is limited to 20 results.
Source, created at: Title
CERT-EU, 5 months ago: Cuba Cuts Internet, Surveils Calls of Journalists, Report Finds
CERT-EU, 8 months ago: The Too-Weird-to-Be-Fiction Story of Cuba's Spying Ambassador
CERT-EU, 9 months ago: Google trending Ransomware news headlines for the day - Cybersecurity Insiders
CERT-EU, 10 months ago: Kaspersky provides update on Cuba ransomware gang | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU, 10 months ago: Cuba Ransomware Gang Continues to Evolve With Dangerous Backdoor
CERT-EU, 10 months ago: Cuba Ransomware Group Deploys New Malware | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
InfoSecurity-magazine, 10 months ago: Cuba Ransomware Group Unleashes Undetectable Malware
CERT-EU, 10 months ago: Cuba Ransomware Group Unleashes Undetectable Malware | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU, 10 months ago: From Caribbean shores to your devices: analyzing Cuba ransomware – GIXtools
CERT-EU, a year ago: Analyzing Cuba ransomware - Cyber Security Review
CERT-EU, a year ago: Decoding Cuba Ransomware: An opportunity for next-gen data governance
BankInfoSecurity, a year ago: Cuba Ransomware Exploits Veeam Vulnerability
CERT-EU, a year ago: 'Cuba' Ransomware Group Uses Every Trick in the Book
CERT-EU, a year ago: Cuba ransomware group observed exploiting high-severity Veeam bug
CERT-EU, a year ago: Cuba Ransomware Group Exploiting Veeam Flaw in Latest Campaign
CERT-EU, a year ago: Cuba ransomware using Veeam exploit in attacks against critical infrastructure, IT firms
CERT-EU, a year ago: Cuba Ransomware Exploits Veeam Flaw, Targets U.S. and Latin American Entities
InfoSecurity-magazine, a year ago: Cuba Ransomware Group Steals Credentials Via Veeam Exploit
CERT-EU, a year ago: Cuba ransomware uses Veeam exploit against critical U.S. organizations
CERT-EU, a year ago: Cuba Ransomware Deploys New Tools: Targets Critical Infrastructure Sector in the U.S. and IT Integrator in Latin America