Cuba ransomware analysis by TredMicro

Trend Micro has observed a resurgence of Cuba ransomware activity in March and April 2022. It included a new variant that contained updates to the binary – particularly its downloader – that is believed to enhance efficiency, minimize unwanted system behavior, and even provide technical support to victims in case of negotiations.

Cuba ransomware has an extensive infrastructure and uses many tools in its arsenal. These include Windows utilities such as Remote Desktop Protocol (RDP), Server Message Block (SMB), and PsExec, which it combines with popular tools like Cobalt Strike (for lateral movement and C&C communications) and Mimikatz (for dumping credentials).

It also exploits several vulnerabilities during the infection process. For example, it abuses the ProxyShell and ProxyLogon vulnerabilities for initial access, while leveraging an Avast driver vulnerability (C:\windows\temp\aswArPot.sys) as part of its antivirus-disabling routine.

Note that, despite its name, Cuba ransomware seems to originate from Russia, as evidenced by its routine of terminating itself when a Russian keyboard layout or language is detected on the system.

Reference URL(s)

  2. AA22-335A: #StopRansomware: Cuba Ransomware
Cuba ransomware analysis by TredMicro
Scroll to top