Cuba Ransomware

Malware Profile Updated 24 days ago
Cuba ransomware has been active since late 2019. Palo Alto Networks Unit 42 tracks its operators as Tropical Scorpius; other vendor names for the same or overlapping activity are listed under Possible Aliases below. Despite the name, the group has no known connection to the country of Cuba.

The operation is big-game hunting with double extortion rather than opportunistic infection: the FBI and CISA #StopRansomware advisory on Cuba ransomware (AA22-335A, December 2022) documents initial access through known vulnerabilities in commercial software, phishing, compromised credentials, and legitimate remote desktop protocol (RDP) tools, followed by data theft and file encryption, with the stolen data used to pressure victims into paying. The advisory lists the actors' tactics, techniques, and procedures (TTPs) as of August 2022 and notes third-party reporting of a possible link between Cuba ransomware actors, RomCom RAT actors, and Industrial Spy ransomware actors; the identity of the group itself is not confirmed.

Reported incidents include a claimed attack on Etron Technology, a Taiwanese semiconductor company, in which the leaked data included financial documents and tax information, and a 2023 campaign against critical infrastructure organizations in the United States and an IT integrator in Latin America in which the actors exploited a high-severity vulnerability in unpatched Veeam Backup & Replication installations (CVE-2023-27532).

The group has also been linked to CVE-2023-36884, a remote code execution flaw that Microsoft disclosed in July 2023 with mitigations only and patched in August 2023 under the title Windows Search Remote Code Execution Vulnerability; the exploitation lures were themed on the Ukrainian World Congress and the July 2023 NATO summit. Void Rabisu (Trend Micro's name for the actor Microsoft tracks as Storm-0978) operates the RomCom backdoor and has been associated with deploying Cuba ransomware, possibly as its only ransomware payload; it mixes TTPs seen in both financially motivated crime and state-sponsored espionage. It was observed exploiting CVE-2023-36884 in June 2023, which analysts read as part of a shift among some financially motivated actors toward espionage-driven campaigns under the geopolitical pressure of the war in Ukraine.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID (votes): Profile Description
Tropical Scorpius (3): Tropical Scorpius is the name under which Palo Alto Networks Unit 42 tracks the threat group operating Cuba ransomware, which has been active since late 2019. The group has been linked to multiple cybercriminal activities, including disrupting operations, stealing personal information, and holding data hostage for ransom. The ma
Void Rabisu (2): Void Rabisu, also known as Storm-0978, UNC2596, and Tropical Scorpius, is a threat actor notable for its use of the ROMCOM backdoor. The group has been involved in numerous attacks, including those targeting attendees of the Women Political Leaders Summit (WPL Summit) in 2023. In
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Exploit
Malware
Extortion
Associated Malware
ID, type (votes): Profile Description
Cuba, unspecified (4): The Cuba ransomware, a malicious software active since 2019, has been linked to a series of escalating attacks on US entities and European leaders. The criminal group behind the malware, known by various aliases such as Void Rabisu, UNC2596, Tropical Scorpius, and Storm-0978, has recently targeted w
Romcom Rat, unspecified (3): RomCom RAT, a type of malware, has been linked to Cuba ransomware and Industrial Spy ransomware actors since spring 2022. These malicious actors have been observed deploying the RomCom RAT and Meterpreter Reverse Shell HTTP/HTTPS proxy via a Command and Control (C2) server before initiating their ra
RomCom, unspecified (3): RomCom is a type of malware, specifically a Remote Access Trojan (RAT), that has been linked to several cyber-attacks across Europe and North America. It was first identified in spring 2022, when third-party and open-source reports highlighted a potential connection between Cuba ransomware actors, R
AvosLocker, unspecified (2): AvosLocker is a type of malware, specifically a ransomware variant that has been on the radar of cybersecurity experts for some time. Ransomware is a form of malicious software designed to encrypt files on a victim's computer, making them inaccessible until a ransom is paid to the attacker. AvosLock
Associated Threat Actors
IDTypeVotesProfile Description
No associations to display
Associated Vulnerabilities
ID, type (votes): Profile Description
Zerologon, unspecified (2): Zerologon (CVE-2020-1472) is a critical vulnerability in Microsoft's Netlogon Remote Protocol affecting Windows Server releases from 2008 R2 through 2019 (the versions Microsoft patched in August 2020); Samba domain controllers were affected in some configurations as well. The flaw is cryptographic rather than a memory-safety bug: Netlogon's credential computation encrypts the 8-byte challenge with AES-CFB8 under a fixed all-zero IV, so an all-zero client challenge produces an all-zero credential for roughly one session key in 256. An unauthenticated attacker with network access to a domain controller can therefore authenticate as the DC's machine account after a few hundred attempts, reset its password, and escalate to full domain compromise.
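The following block is an added illustration of why the Zerologon flaw is so cheap to exploit; it is example code written for this page, not Microsoft's Netlogon implementation or any exploit. The point it demonstrates: in CFB8 mode with a fixed all-zero IV and an all-zero 8-byte challenge, the credential comes out all zeros exactly when the first byte of E(k, 0^16) is zero, which holds for about one session key in 256. The block cipher is a stand-in (keyed SHA-256 truncated to one block); this rests on the assumption that any pseudorandom block function reproduces the property, which is sound because CFB only ever calls the forward direction. The challenge sanity check at the end is my own illustration of a server-side rejection rule ("first five challenge bytes identical") and is stated as an assumption about the kind of check a patched server applies, not a reproduction of Microsoft's logic.

```python
"""Zerologon (CVE-2020-1472) mechanics, modelled offline.

Netlogon's ComputeNetlogonCredential (AES variant) encrypts an 8-byte challenge
with AES-CFB8 under the session key and a FIXED all-zero IV. The block function
below is a stand-in for AES-128 encryption (keyed SHA-256 truncated to one block);
CFB only ever calls the forward direction, so any pseudorandom block function
reproduces the flaw. Constructed example, not Netlogon or exploit code.
"""
import hashlib
import secrets

BLOCK = 16           # AES block size in bytes
CHALLENGE_LEN = 8    # Netlogon challenges and credentials are 8 bytes
ZERO_IV = bytes(BLOCK)


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES-128 encryption of one 16-byte block (assumption: a keyed PRF suffices)."""
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8 mode: encrypt the shift register, XOR its first byte with one plaintext byte,
    then shift the register left by one byte and append the ciphertext byte."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        keystream_byte = block_encrypt(key, bytes(register))[0]
        c = p ^ keystream_byte
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


def compute_netlogon_credential(session_key: bytes, challenge: bytes) -> bytes:
    """Mirrors the vulnerable design: CFB8 with the IV hard-wired to zero."""
    return cfb8_encrypt(session_key, ZERO_IV, challenge)


def zero_challenge_gives_zero_credential(session_key: bytes) -> bool:
    """The attacker's guess: an all-zero ClientChallenge yields an all-zero ClientCredential."""
    return compute_netlogon_credential(session_key, bytes(CHALLENGE_LEN)) == bytes(CHALLENGE_LEN)


def first_keystream_byte_is_zero(session_key: bytes) -> bool:
    """Why it works: with IV = 0 and plaintext byte 0, the register stays all-zero exactly
    when E(k, 0^16)[0] == 0, so every later byte repeats the same computation."""
    return block_encrypt(session_key, ZERO_IV)[0] == 0


def consistency_check(trials: int) -> bool:
    """The two predicates agree for every key; that equivalence is the whole 1-in-256 argument."""
    for i in range(trials):
        key = hashlib.sha256(b"consistency" + i.to_bytes(4, "big")).digest()[:BLOCK]
        if zero_challenge_gives_zero_credential(key) != first_keystream_byte_is_zero(key):
            return False
    return True


def estimate_success_rate(trials: int, seed: bytes = b"cybergeist") -> float:
    """Fraction of deterministically derived session keys for which the zero guess succeeds (about 1/256)."""
    hits = 0
    for i in range(trials):
        key = hashlib.sha256(seed + i.to_bytes(4, "big")).digest()[:BLOCK]
        if zero_challenge_gives_zero_credential(key):
            hits += 1
    return hits / trials


def attempts_until_success() -> int:
    """Simulates the attacker's loop: every retry gets a fresh server challenge and hence a
    fresh session key the attacker does not know, so it simply resends zeros until accepted."""
    attempts = 0
    while True:
        attempts += 1
        unknown_session_key = secrets.token_bytes(BLOCK)
        if zero_challenge_gives_zero_credential(unknown_session_key):
            return attempts


def client_challenge_looks_forged(challenge: bytes) -> bool:
    """Illustrative server-side sanity check (assumption, not Microsoft's exact rule):
    reject a challenge whose first five bytes are identical; an honest client sends random bytes."""
    return len(challenge) >= 5 and len(set(challenge[:5])) == 1


if __name__ == "__main__":
    print("consistent:", consistency_check(4096))
    print("success rate:", estimate_success_rate(16384), "(expected about", 1 / 256, ")")
    print("attempts needed this run:", attempts_until_success())
    print("zero challenge rejected:", client_challenge_looks_forged(bytes(8)))
    print("random challenge rejected:", client_challenge_looks_forged(secrets.token_bytes(8)))
```

Run it a few times and the attempt count swings widely around 256, which is exactly the experience of the public proof-of-concept tools: a loop that makes a couple of thousand NetrServerAuthenticate calls at most and usually far fewer. The fixed IV is the defect; a random, transmitted IV would leave the attacker with no way to predict the credential, and the sanity check on the challenge bytes only blocks this particular shortcut.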
Source Document References
Information about the Cuba Ransomware malware was read from the documents below; this display is limited to 20 results.
Source, created: Title
DARKReading, 6 months ago: Municipalities Face a Constant Battle as Ransomware Snowballs
InfoSecurity-magazine, 7 months ago: New RomCom Backdoor Targets Female Political Leaders
CERT-EU, 8 months ago: VerSprite CyberWatch
CERT-EU, 7 months ago: Women Political Leaders Summit targeted in RomCom malware phishing
CERT-EU, 10 months ago: "Big Game Hunting" and Geopolitics are Drivers in a Record Year of Ransomware Extortions
Recorded Future, a year ago: Semiconductor Companies Targeted by Ransomware | Recorded Future
CERT-EU, 8 months ago: Kaspersky provides update on Cuba ransomware gang | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU, 9 months ago: Cuba ransomware group observed exploiting high-severity Veeam bug
CERT-EU, a year ago: It's 2023 and Sri Lanka lacks a cyber security authority
CERT-EU, 9 months ago: Cuba ransomware gang looking for unpatched Veeam installations: Report | IT World Canada News
CISA, a year ago: #StopRansomware: Cuba Ransomware | CISA
CERT-EU, a year ago: FBI, CISA say Cuba ransomware gang extorted $60M from victims this year | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware - National Cyber Security Consulting
DARKReading, a year ago: RomCom Spies Target NATO Summit Ahead of Zelensky’s Arrival
CERT-EU, a year ago: Cuba ransomware believed to be Russian state-backed operation
CERT-EU, 9 months ago: Cuba Ransomware Deploys New Tools: Targets Critical Infrastructure Sector in the U.S. and IT Integrator in Latin America
CERT-EU, a year ago: Microsoft Releases Patches for 132 Vulnerabilities, Including 6 Under Active Attack
CERT-EU, 9 months ago: Cuba Ransomware Group Exploiting Veeam Flaw in Latest Campaign
CERT-EU, 7 months ago: Veeam warns of a critical vulnerability in the Veeam ONE Monitoring Platform - Bangkok, Thailand | i-secure Co, Ltd.
CERT-EU, 9 months ago: Cuba Ransomware Group Deploys New Malware | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU, 9 months ago: Cuba ransomware uses Veeam exploit against critical U.S. organizations