Cuba Ransomware

Malware updated 4 months ago (2024-05-04T19:33:10.191Z)
The Cuba ransomware is malicious software that first appeared on cybersecurity radars in late 2020 under the name "Tropical Scorpius." It is designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites without the user's knowledge. Once inside a system, it can steal personal information, disrupt operations, or hold data hostage for ransom. The FBI identified various tactics, techniques, and procedures (TTPs) used by Cuba ransomware actors as of August 2022. However, the exact threat group behind this malware remains unconfirmed, although similarities were observed with the TTPs of the Cuba Ransomware group around that time.

In one notable incident, the Cuba ransomware gang claimed responsibility for an attack on Etron Technology, a company based in Taiwan; the stolen data included financial documents and tax information. This cybercriminal group has no relation to the country of Cuba. In another instance, they exploited a bug to target critical infrastructure organizations in the United States and IT firms in Latin America. The group has also been linked to a significant remote code execution (RCE) flaw in Windows Search, tracked as CVE-2023-36884, using geopolitical events such as the Ukrainian World Congress and the July 2023 NATO summit as lures.

Void Rabisu, another cyber threat group, has been associated with deploying Cuba ransomware, possibly exclusively. It uses a mix of TTPs common to both cybercriminals and nation-state-sponsored hackers. The group was detected exploiting the aforementioned RCE flaw in June, indicating a shift among some financially motivated threat actors towards espionage-motivated campaigns, driven by extraordinary geopolitical circumstances, particularly the war in Ukraine.
Description last updated: 2024-05-04T16:31:43.507Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Profile (votes): Description

Tropical Scorpius (3 votes)
Tropical Scorpius is a notorious malware, first identified in late 2020, associated with the Cuba ransomware gang. This malicious software has been linked to multiple cybercriminal activities, including disrupting operations, stealing personal information, and holding data hostage for ransom. The ma

Void Rabisu (2 votes)
Void Rabisu, also known as Storm-0978, UNC2596, and Tropical Scorpius, is a malicious software (malware) notable for its use of the ROMCOM backdoor. This malware has been involved in numerous attacks, including those targeting attendees of the Women Political Leaders Summit (WPL Summit) in 2023. In
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Exploit
Malware
Extortion
Associated Malware
Profile (type, votes): Description

Cuba (type: Unspecified, 4 votes)
The Cuba ransomware, a malicious software active since 2019, has been linked to a series of escalating attacks on US entities and European leaders. The criminal group behind the malware, known by various aliases such as Void Rabisu, UNC2596, Tropical Scorpius, and Storm-0978, has recently targeted w

Romcom Rat (type: Unspecified, 3 votes)
RomCom RAT, a type of malware, has been linked to Cuba ransomware and Industrial Spy ransomware actors since spring 2022. These malicious actors have been observed deploying the RomCom RAT and Meterpreter Reverse Shell HTTP/HTTPS proxy via a Command and Control (C2) server before initiating their ra

RomCom (type: Unspecified, 3 votes)
RomCom is a type of malware, specifically a Remote Access Trojan (RAT), that has been linked to several cyber-attacks across Europe and North America. It was first identified in spring 2022, when third-party and open-source reports highlighted a potential connection between Cuba ransomware actors, R

AvosLocker (type: Unspecified, 2 votes)
AvosLocker is a type of malware, specifically ransomware, known for its malicious intent to exploit and damage computer systems. This software often infiltrates systems undetected through suspicious downloads, emails, or websites, subsequently causing disruption in operations, theft of personal info
Associated Vulnerabilities
Profile (type, votes): Description

Zerologon (type: Unspecified, 2 votes)
Zerologon, also known as CVE-2020-1472, is a critical vulnerability within Microsoft's Netlogon Remote Protocol that affects all versions of Windows Server OS from 2008 onwards. The flaw allows attackers to bypass authentication mechanisms and alter computer passwords within a domain controller's Ac
Source Document References
Information about the Cuba Ransomware malware was read from the documents corpus below.
Source (created): Title

BankInfoSecurity (7 months ago): Feds Warn Healthcare Sector of ScreenConnect Threats
CERT-EU (9 months ago): Municipalities Face a Constant Battle as Ransomware Snowballs | #ransomware | #cybercrime | National Cyber Security Consulting
DARKReading (9 months ago): Municipalities Face a Constant Battle as Ransomware Snowballs
CERT-EU (9 months ago): Cybersecurity attack steals Rock County Human Services info | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
Securelist (9 months ago): Kaspersky malware report for Q3 2023
CERT-EU (10 months ago): Orgs still losing logs, powerless to speedy ransomware
CERT-EU (10 months ago): Veeam warns of a critical-level vulnerability in the Veeam ONE Monitoring Platform - Bangkok, Thailand | i-secure Co, Ltd.
CERT-EU (10 months ago): Veeam warns of critical bugs in Veeam ONE monitoring platform
BankInfoSecurity (a year ago): Women Political Leaders Targeted With RomCom RAT Variant
CERT-EU (a year ago): RomCom Malware Group Targets EU Gender Equality Summit
InfoSecurity-magazine (a year ago): New RomCom Backdoor Targets Female Political Leaders
CERT-EU (a year ago): Women Political Leaders Summit targeted in RomCom malware phishing
CERT-EU (a year ago): New PEAPOD Cyberattack Campaign Targeting Women Political Leaders
CERT-EU (a year ago): Russia-Linked RomCom Hackers Targeting NATO Summit Guests
CERT-EU (a year ago): It's 2023 and Sri Lanka lacks a cyber security authority
Securelist (a year ago): Overview of ransomware trends in 2023
CERT-EU (a year ago): Microsoft Releases Patches for 132 Vulnerabilities, Including 6 Under Active Attack
Checkpoint (a year ago): 9th October – Threat Intelligence Report - Check Point Research
CERT-EU (a year ago): Kaspersky provides update on Cuba ransomware gang | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU (a year ago): Cuba ransomware attack hits Wisconsin county's health department