Cuba

Country / Region updated 24 days ago (2024-09-24T08:16:41.420Z)
Download STIX
Preview STIX
The Cuba ransomware, a malicious software active since 2019, has been linked to a series of escalating attacks on US entities and European leaders. The criminal group behind the malware, known by various aliases such as Void Rabisu, UNC2596, Tropical Scorpius, and Storm-0978, has recently targeted women leaders within the European Union’s military and political circles. In addition, the number of US entities compromised by the Cuba ransomware has doubled since December 2021, according to federal agencies, with ransoms demanded and paid continually increasing. Notably, the Cuba ransomware gang claimed to have obtained sensitive financial and personal data from Montenegro’s parliament and California's Department of Motor Vehicles. The group is now launching attack campaigns designed to distribute an updated version of the RomCom RAT, named PEAPOD malware. This operation involves Cuba’s signature custom downloader, "BugHatch," which establishes communication with command-and-control (C2) servers to download DLL files or execute commands. Targets include critical infrastructure in the US, such as financial services, government facilities, healthcare and public health, critical manufacturing, and information technology sectors. Meanwhile, communication security in Cuba remains a significant concern. Described as "especially insecure," the SMS system in Cuba reportedly has an automatic system of "sensitive words." Independent journalists and activists have had to rely on private messaging apps like WhatsApp, Telegram, and VPN for secure communication, often playing a cat-and-mouse game with the government to prevent their devices from being seized. However, the Cuban government has found ways to disrupt or block these messages, leading to sudden internet access cuts for critics like journalist Henry Constantin, who works for La Hora de Cuba, a media site not aligned with the communist government.
Description last updated: 2024-05-04T16:32:00.950Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Tropical Scorpius is a possible alias for Cuba. Tropical Scorpius is a notorious malware, first identified in late 2020, associated with the Cuba ransomware gang. This malicious software has been linked to multiple cybercriminal activities, including disrupting operations, stealing personal information, and holding data hostage for ransom. The ma
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Exploit
Malware
Ransomware
Vulnerability
Encryption
Downloader
Rat
Ransom
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Cuba Ransomware Malware is associated with Cuba. The Cuba ransomware is a malicious software that first appeared on cybersecurity radars in late 2020 under the name "Tropical Scorpius." It is designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites without the user's knowledge. Once insiUnspecified
4
The RomCom Malware is associated with Cuba. The RomCom malware, a malicious software that has been active since 2022, is an ongoing cyber threat. This Remote Access Trojan (RAT) is known for its various harmful activities including ransomware attacks, extortion, and targeted credential gathering, primarily aimed at supporting intelligence-gatUnspecified
2
The Cobalt Strike Beacon Malware is associated with Cuba. Cobalt Strike Beacon is a type of malware that has been linked to various ransomware activities. This malicious software has been loaded by HUI Loader in several instances, with different files such as mpc.tmp, dlp.ini, and vmtools.ini being used. A unique feature of this Cobalt Strike Beacon shellcUnspecified
2
The Romcom Remote Access Trojan Malware is associated with Cuba. The RomCom Remote Access Trojan (RAT) is a harmful malware that has been evolving and causing significant threats to cybersecurity. Based on the RomCom 3.0 version, it incorporates techniques seen in RomCom 4.0, resulting in the creation of RomCom 5.0. This malware can infiltrate systems via suspiciUnspecified
2
Associated Vulnerabilities
To see the evidence that has resulted in these vulnerability associations, create a free account
Alias DescriptionAssociation TypeVotes
The CVE-2020-1472 Vulnerability is associated with Cuba. CVE-2020-1472, also known as the Zerologon vulnerability, is a critical-severity flaw in Microsoft's Netlogon Remote Protocol. The vulnerability allows attackers to gain administrative access to a Windows domain controller without any authentication, effectively giving them control over a network. TUnspecified
2
The CVE-2023-27532 Vulnerability is associated with Cuba. CVE-2023-27532 is a high-severity vulnerability found in the Veeam Backup & Replication software. This flaw, discovered and disclosed in March 2023, allows unauthenticated attackers to breach backup infrastructure hosts, posing significant risk to small and midsize businesses (SMBs) that commonly usUnspecified
2
The Zerologon Vulnerability is associated with Cuba. Zerologon (CVE-2020-1472) is a critical elevation of privilege vulnerability within Microsoft’s Netlogon Remote Protocol. This flaw in software design or implementation allows attackers to bypass authentication mechanisms and alter computer passwords within a domain controller's Active Directory, thUnspecified
2
Source Document References
Information about the Cuba Country / Region was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
CERT-EU
8 months ago
CERT-EU
10 months ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
InfoSecurity-magazine
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
BankInfoSecurity
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
InfoSecurity-magazine
a year ago
CERT-EU
a year ago
CERT-EU
a year ago