Cuba Ransomware

Malware updated 7 months ago (2024-05-04T19:33:10.191Z)
Cuba is a ransomware family that came to the security industry's attention in late 2020. The operators behind it are tracked by Palo Alto Networks Unit 42 as Tropical Scorpius; "Tropical Scorpius" is a name for the threat actor, not for the malware itself. Reported initial-access paths include phishing emails, malicious downloads, and exploitation of known vulnerabilities. Once inside a network, the actors steal data, disrupt operations, and encrypt systems, then demand a ransom under threat of publishing the stolen data. The group has no connection to the country of Cuba.

The FBI has catalogued the tactics, techniques, and procedures (TTPs) used by Cuba ransomware actors as of August 2022. Attribution to a single, well-defined group is not confirmed: what exists is a set of overlapping vendor clusters (Tropical Scorpius, UNC2596, Void Rabisu/Storm-0978) whose observed TTPs align with those reported for the Cuba operation.

In one publicly claimed incident, the Cuba ransomware gang listed Etron Technology, a Taiwan-based company, as a victim; the stolen data reportedly included financial documents and tax information. In another campaign the actors exploited a vulnerability (not identified in this summary) to target critical infrastructure organizations in the United States and IT firms in Latin America.

The operation has also been linked to CVE-2023-36884, a remote code execution flaw that Microsoft ultimately classified under Windows Search, delivered with lures themed on the Ukrainian World Congress and the July 2023 NATO summit. Void Rabisu, the Trend Micro name for the cluster that deploys the RomCom backdoor, has been associated with deploying Cuba ransomware, possibly exclusively, and mixes TTPs typical of financially motivated criminals with those of state-sponsored intrusion sets. Void Rabisu was seen exploiting CVE-2023-36884 in June 2023. This has been read as a sign that some financially motivated actors shifted toward espionage-style campaigns under the geopolitical pressure of the war in Ukraine.
Description last updated: 2024-05-04T16:31:43.507Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles that may also be relevant.
Alias: Tropical Scorpius (votes: 3)

Tropical Scorpius is a possible alias for the operators behind Cuba Ransomware. Tropical Scorpius, also tracked as Void Rabisu, Storm-0978, and UNC2596, is a significant threat actor in the cybersecurity landscape. First noted in late 2020, the group gained notoriety for its deployment of Cuba ransomware and its association with the RomCom backdoor. This maliciou
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Cuba
Exploit
Malware
Extortion
Associated Malware
Malware: RomCom (association type: unspecified; votes: 3)

The RomCom malware, a remote access trojan (RAT), has been linked to Cuba ransomware actors and Industrial Spy ransomware actors, according to third-party and open-source reports. Since spring 2022, the Russian-speaking group UAT-5647, also known as RomCom, has targeted Ukrainian government entities

Malware: AvosLocker (association type: unspecified; votes: 2)

AvosLocker is a ransomware family. It typically enters a network through malicious downloads, phishing emails, or compromised websites, after which it disrupts operations and steals personal info
Associated Threat Actors
Threat actor: Void Rabisu (association type: unspecified; votes: 2)

Void Rabisu, also tracked as Storm-0978, UNC2596, and Tropical Scorpius, is a threat actor notable for its use of the RomCom backdoor. The group has been involved in numerous attacks, including those targeting attendees of the Women Political Leaders Summit (WPL Summit) in 2023. It has used
Associated Vulnerabilities
Vulnerability: Zerologon (association type: unspecified; votes: 2)

Zerologon, tracked as CVE-2020-1472, is a critical vulnerability in Microsoft's Netlogon Remote Protocol. The flaw lets an unauthenticated attacker on the network bypass Netlogon authentication and reset the password of a computer account in Active Directory, including a domain controller's own machine account, and from there escalate privileges to do
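Because the Zerologon card above ends at the mechanism (an unauthenticated caller resets a machine-account password on the domain controller), the following added example shows what a defender can look for. It is not code from the original page or from any vendor named here. It assumes Windows Security events have already been parsed into dictionaries whose keys follow the Event ID 4742 ("A computer account was changed") field names; the sample records, the domain-controller list and the severity labels are constructed for this example. The primary rule is the well-known signal for this CVE: a 4742 whose Subject is ANONYMOUS LOGON and whose "Password Last Set" attribute changed. A second, weaker heuristic flags any other principal resetting a domain controller's machine-account password, on the assumption (stated in the code) that DCs normally rotate their own passwords.

```python
"""Detect Zerologon-style (CVE-2020-1472) machine-account password resets.

Added illustration; assumes events were already parsed from the Security log
into dicts. Field names follow Event ID 4742; the records below are constructed.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed sample telemetry (not real events). PasswordLastSet is "-" when
# the 4742 did not touch the password attribute.
SAMPLE_EVENTS = [
    # 1. Benign: a workstation rotating its own machine-account password.
    {"EventID": 4742, "Computer": "DC01.corp.local", "SubjectUserName": "WS07$",
     "SubjectDomainName": "CORP", "TargetUserName": "WS07$",
     "PasswordLastSet": "9/14/2020 08:00:00 AM"},
    # 2. Benign: an admin changed a non-password attribute of a file server.
    {"EventID": 4742, "Computer": "DC01.corp.local", "SubjectUserName": "admin.jdoe",
     "SubjectDomainName": "CORP", "TargetUserName": "FS02$", "PasswordLastSet": "-"},
    # 3. Zerologon-shaped: an unauthenticated caller reset the DC's own password.
    {"EventID": 4742, "Computer": "DC01.corp.local", "SubjectUserName": "ANONYMOUS LOGON",
     "SubjectDomainName": "NT AUTHORITY", "TargetUserName": "DC01$",
     "PasswordLastSet": "9/14/2020 10:03:11 AM"},
    # 4. Suspicious but not conclusive: a user account reset a DC's password.
    {"EventID": 4742, "Computer": "DC01.corp.local", "SubjectUserName": "admin.jdoe",
     "SubjectDomainName": "CORP", "TargetUserName": "DC02$",
     "PasswordLastSet": "9/14/2020 11:20:45 AM"},
    # 5. Unrelated event ID, ignored by the detector.
    {"EventID": 4624, "Computer": "DC01.corp.local", "SubjectUserName": "-",
     "TargetUserName": "jsmith", "LogonType": 3},
]

# Assumption for this example: the set of domain-controller machine accounts.
DOMAIN_CONTROLLERS = frozenset({"DC01$", "DC02$"})


@dataclass
class Finding:
    rule: str
    severity: str
    subject: str
    target: str


def is_machine_account(name: str) -> bool:
    """Computer accounts in AD end with '$'."""
    return name.endswith("$")


def detect_zerologon(events, domain_controllers=DOMAIN_CONTROLLERS):
    """Return findings for machine-account password resets that look like
    Zerologon exploitation or otherwise deserve review."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4742:
            continue
        if ev.get("PasswordLastSet", "-") == "-":
            continue  # the account was changed, but not its password
        target = ev.get("TargetUserName", "")
        subject = ev.get("SubjectUserName", "")
        if not is_machine_account(target):
            continue
        if subject.upper() == "ANONYMOUS LOGON":
            # A legitimate password change is always performed by an
            # authenticated principal; an anonymous subject is the Zerologon tell.
            findings.append(Finding("zerologon_anonymous_machine_password_reset",
                                    "critical", subject, target))
        elif target in domain_controllers and subject != target:
            # Weaker heuristic (assumption): DCs rotate their own passwords, so any
            # other principal resetting one is unusual and worth an analyst look.
            findings.append(Finding("dc_machine_password_reset_by_other_principal",
                                    "high", subject, target))
    return findings


def summarize(findings) -> dict:
    """Count findings per severity, e.g. {'critical': 1, 'high': 1}."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    for f in detect_zerologon(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.subject} -> {f.target}")
    print(summarize(detect_zerologon(SAMPLE_EVENTS)))
```

In a real deployment the "critical" rule is cheap and low-noise, so it can page directly; the "high" rule needs tuning against legitimate administrative resets (for example, a planned `netdom resetpwd` on a DC) before it is worth alerting on.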