On December 1, 2022, CISA and the FBI released a joint Cybersecurity Advisory (CSA) on Cuba ransomware [1]. Security researchers track the threat actors behind a new variant of Cuba ransomware as Tropical Scorpius. The Cuba ransomware group mainly targets the manufacturing, professional and legal services, financial services, construction, high technology, and healthcare sectors [2].
Picus Threat Library already had attack simulations for earlier variants of Cuba ransomware, and Picus Labs has now added attack simulations for the newer variant. You can test your security controls against Cuba ransomware attacks with Picus.
Cuba Ransomware Group
The Cuba ransomware group first appeared in early December 2019. Since then, the developers of this ransomware have changed their Tactics, Techniques, and Procedures (TTPs) and tooling, making it one of the most prevalent threats of 2022.
Security researchers at Palo Alto Networks (Unit 42) track the threat actors behind Cuba ransomware as Tropical Scorpius [2]. According to CISA, Cuba ransomware is usually distributed via the Hancitor malware, which arrives through malicious attachments and acts as a malware downloader. Cuba ransomware operators follow a double-extortion model, possibly inspired by the Maze and REvil actors, threatening to publish their victims' sensitive information on their leak site.
The victimology reveals that the Cuba ransomware group mainly targets manufacturing, professional and legal services, financial services, construction, and high technology organizations in Europe, North America, and Asia.
Cuba Ransomware Analysis and MITRE ATT&CK TTPs
Tactic: Initial Access
Cuba actors gain initial access to their targets' systems in several ways: phishing campaigns (ATT&CK T1566), compromised valid account credentials (ATT&CK T1078), exploitation of known vulnerabilities in Microsoft Exchange Server such as ProxyShell and ProxyLogon (ATT&CK T1133), and built-in remote desktop protocol (RDP) tools.
Tactic: Execution
After gaining a foothold, the threat actors drop the Cuba ransomware and other malicious tools onto the target system using a malware loader (ATT&CK T1072) called Hancitor (a.k.a. Chanitor or Tordal).
Tactic: Defense Evasion
Before deploying the ransomware, Tropical Scorpius uses several tools and techniques to move across the compromised network without being caught by security controls. According to the Palo Alto researchers, Tropical Scorpius uses a dropper (ATT&CK T1562.001) to write a kernel driver, ApcHelper.sys, to the file system.
First, the dropper deletes any existing ApcHelper.sys at the target path through cmd.exe.
cmd.exe /c del /f /a /q %SYSTEMROOT%\system\ApcHelper.sys
Second, it creates a new service for the kernel driver.
sc create ApcHelper binPath= %SYSTEMROOT%\system\ApcHelper.sys type=kernel
Finally, the dropper copies the kernel driver to that path. The driver is then used to terminate the processes of security products such as Sophos, ALsvc, HMPAlert, McsAgent, SAVAAdminService, SapApi, SavService, SEDService, and SSPService.
cmd.exe /c copy ApcHelper.sys %SYSTEMROOT%\system\ApcHelper.sys /Y
Further analysis reveals that while the dropper itself carried no digital signature, the adversaries signed the kernel driver (RSA-SHA1 signature suite) using a certificate leaked in the Lapsus$ group's attack on NVIDIA [3].
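The three-step dropper sequence above (delete, create a kernel service, copy the driver into place) is a good correlation target for endpoint telemetry. Below is an added example, not code from the Picus post or the Unit 42 report, of a small Python detector that groups constructed process-creation records (Sysmon Event ID 1-style fields: host, time, image, command line) by host and flags any `sc create ... type=kernel` that appears within a short window of a `del` or `copy` of a `.sys` file. The record format, the field names and the 60-second window are assumptions made for the illustration; a kernel-driver service creation on its own is reported at medium severity because it is rare on ordinary workstations.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon Event ID 1-style records (host, time, image, command line).
# Sample inputs for the demo, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "WS01", "time": "2022-08-01T10:00:01", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c del /f /a /q %SYSTEMROOT%\system\ApcHelper.sys"},
    {"host": "WS01", "time": "2022-08-01T10:00:02", "image": r"C:\Windows\System32\sc.exe",
     "cmdline": r"sc create ApcHelper binPath= %SYSTEMROOT%\system\ApcHelper.sys type=kernel"},
    {"host": "WS01", "time": "2022-08-01T10:00:03", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c copy ApcHelper.sys %SYSTEMROOT%\system\ApcHelper.sys /Y"},
    # Ordinary user-mode service install: must not be flagged.
    {"host": "WS02", "time": "2022-08-01T11:00:00", "image": r"C:\Windows\System32\sc.exe",
     "cmdline": r"sc create BackupAgent binPath= C:\Program Files\Backup\agent.exe start= auto"},
    # Housekeeping delete of a log file: must not be flagged.
    {"host": "WS03", "time": "2022-08-01T12:00:00", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c del /q C:\Temp\old.log"},
]

DEL_SYS = re.compile(r"\bdel\b.*\.sys\b", re.IGNORECASE)
COPY_SYS = re.compile(r"\bcopy\b.*\.sys\b", re.IGNORECASE)
# sc also accepts "type= kernel" with a space after the equals sign; \s* covers both spellings.
SC_KERNEL = re.compile(
    r"\bsc(?:\.exe)?\s+create\s+(?P<svc>\S+).*?binPath=\s*(?P<path>\S+).*?type=\s*kernel",
    re.IGNORECASE,
)


def _ts(rec):
    return datetime.fromisoformat(rec["time"])


def detect_kernel_driver_drops(events, window_seconds=60):
    """Return one finding per kernel-driver service creation, enriched with the
    delete/copy stages observed on the same host within the time window."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)

    window = timedelta(seconds=window_seconds)
    findings = []
    for host, recs in by_host.items():
        recs.sort(key=_ts)
        for rec in recs:
            match = SC_KERNEL.search(rec["cmdline"])
            if not match:
                continue
            stages = {"sc_create_kernel"}
            for other in recs:
                if abs(_ts(other) - _ts(rec)) > window:
                    continue
                if DEL_SYS.search(other["cmdline"]):
                    stages.add("del_sys")
                if COPY_SYS.search(other["cmdline"]):
                    stages.add("copy_sys")
            findings.append({
                "host": host,
                "service": match.group("svc"),
                "driver_path": match.group("path"),
                "stages": sorted(stages),
                # The full delete -> create -> copy chain is high; a lone kernel
                # service creation is still worth a look, so it is medium.
                "severity": "high" if len(stages) == 3 else "medium",
            })
    return findings


if __name__ == "__main__":
    for finding in detect_kernel_driver_drops(SAMPLE_EVENTS):
        print(finding)
```

In production the same logic would run over Sysmon Event ID 1 or Security 4688 records with command-line auditing enabled; the service name and driver path in the finding are what an analyst needs to pull the file for signature and hash checks.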
Tactic: Privilege Escalation (Local)
To escalate their privileges, Tropical Scorpius used PowerShell's Invoke-WebRequest cmdlet to send HTTPS requests to a web page on tmpfiles[.]org. Through that request, the adversaries downloaded a malicious binary exploiting CVE-2022-24521, a logic bug in the Common Log File System (CLFS). The vulnerability allowed the attackers to execute code on the target system and elevate their privileges using stolen System tokens (ATT&CK T1134.001).
Tactic: Lateral Movement
In addition to the malicious binary mentioned above, the Cuba ransomware group downloaded the ADNet and Net Scan tools from tmpfiles[.]org using the same PowerShell cmdlet. They then ran a PowerShell script, GetUserSPNs.ps1, to identify which user accounts are used as service accounts. This is believed to be done to find out which accounts are worth targeting for their Active Directory Kerberos tickets. Having identified these accounts, the attackers collected Kerberos tickets and cracked them offline with various tools, a technique known as Kerberoasting (ATT&CK T1558.003).
In another case, the adversaries used a different credential theft technique. This time, Tropical Scorpius used a custom hacktool, named KerberCache by Unit 42 after its functionality. The tool extracts cached Kerberos tickets from a host's Local Security Authority Subsystem Service (LSASS) memory (ATT&CK T1003.001). The retrieved tickets are passed to a function that Base64-encodes them and writes them to the working directory from which KerberCache was executed.
Figure 2. KerberCache is extracting Kerberos information [2].
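The Kerberoasting described above leaves a trace on the domain controllers: every service ticket request is logged as Security event 4769 with the requesting account, the target service name and the ticket encryption type. Offline cracking favours RC4-HMAC tickets (encryption type 0x17), so a single account requesting RC4 tickets for many different service accounts in a short period is a strong signal. The following is an added example, not code from the post, that applies that rule to constructed 4769-style records; the field names (account, service, etype, src) and the threshold of three distinct services are assumptions for the illustration.

```python
from collections import defaultdict

# RC4-HMAC (0x17) and RC4-HMAC-EXP (0x18): the ticket encryption types that
# offline cracking tools prefer. AES tickets are logged as 0x11 / 0x12.
RC4_ETYPES = {"0x17", "0x18"}

# Constructed Security event 4769-style records (sample data, not a real log).
SAMPLE_4769 = [
    {"time": "2022-08-01T09:00:01", "account": "jsmith@CORP.LOCAL", "service": "svc_sql",    "etype": "0x17", "src": "10.10.1.25"},
    {"time": "2022-08-01T09:00:01", "account": "jsmith@CORP.LOCAL", "service": "svc_web",    "etype": "0x17", "src": "10.10.1.25"},
    {"time": "2022-08-01T09:00:02", "account": "jsmith@CORP.LOCAL", "service": "svc_backup", "etype": "0x17", "src": "10.10.1.25"},
    {"time": "2022-08-01T09:00:02", "account": "jsmith@CORP.LOCAL", "service": "svc_iis",    "etype": "0x17", "src": "10.10.1.25"},
    # Machine-account ticket with AES: not a roasting candidate.
    {"time": "2022-08-01T09:05:00", "account": "jsmith@CORP.LOCAL", "service": "FS01$",      "etype": "0x12", "src": "10.10.1.25"},
    # Ordinary AES service ticket for an everyday user.
    {"time": "2022-08-01T09:06:00", "account": "alice@CORP.LOCAL",  "service": "svc_sql",    "etype": "0x12", "src": "10.10.2.7"},
    # krbtgt (the KDC account) is excluded from the count.
    {"time": "2022-08-01T09:07:00", "account": "bob@CORP.LOCAL",    "service": "krbtgt",     "etype": "0x17", "src": "10.10.2.9"},
    # One legacy RC4 ticket for a single service stays below the threshold.
    {"time": "2022-08-01T09:08:00", "account": "bob@CORP.LOCAL",    "service": "svc_legacy", "etype": "0x17", "src": "10.10.2.9"},
]


def is_roastable_service(service_name):
    """Service accounts an attacker would crack: not computer accounts ($),
    not the KDC account itself."""
    name = service_name.split("@", 1)[0]
    return not name.endswith("$") and name.lower() != "krbtgt"


def detect_kerberoasting(events, threshold=3):
    """Flag accounts that requested RC4 service tickets for at least
    `threshold` distinct roastable services."""
    services = defaultdict(set)
    sources = defaultdict(set)
    for ev in events:
        if ev["etype"].lower() not in RC4_ETYPES:
            continue
        if not is_roastable_service(ev["service"]):
            continue
        services[ev["account"]].add(ev["service"])
        sources[ev["account"]].add(ev["src"])

    findings = []
    for account in sorted(services):
        if len(services[account]) >= threshold:
            findings.append({
                "account": account,
                "distinct_services": sorted(services[account]),
                "sources": sorted(sources[account]),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_kerberoasting(SAMPLE_4769):
        print(finding)
```

Tuning note: a legacy application that genuinely needs RC4 will request the same one or two SPNs repeatedly, which the distinct-service count ignores, so the threshold can stay low. The LSASS ticket-dumping variant (KerberCache) is not visible in 4769 and needs process-access telemetry on the host, such as Sysmon Event ID 10 against lsass.exe.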
Tactic: Privilege Escalation (Remote)
Tropical Scorpius downloaded another tool, called Domain Admin, from tmpfiles[.]org using the Invoke-WebRequest cmdlet. The tool was masqueraded under a fake name, Filezilla. Analysis shows that, to prevent or slow down reverse engineering, the Domain Admin tool was packed with Themida using its anti-VM features. If it is executed in a virtual machine, an alert pops up saying, “Sorry, this application cannot run under a Virtual Machine.”
Another hacktool used by the Cuba operators is the ZeroLogon hacktool, which exploits CVE-2020-1472 to gain Domain Administrator privileges (ATT&CK T1068). It is worth noting that the ZeroLogon tool has become quite popular among other malware families; in fact, it has been reported in connection with Hancitor and Qbot.
Tactic: Command and Control
Prior to deploying the Cuba ransomware and starting the encryption process, the adversaries deployed a custom Remote Access Trojan (RAT)/backdoor called RomCom RAT, which uses a unique C2 protocol.
In addition, they deployed a Meterpreter reverse shell HTTP/HTTPS proxy for network communication between the C2 server and the target host (ATT&CK T1090).
Tactic: Impact
Even though the Tropical Scorpius threat actors continuously develop and update their TTPs and tooling, the Cuba ransomware payload has not changed much. The payload still uses the ChaCha algorithm for file encryption and RSA, an asymmetric algorithm, for key encryption. Each encrypted file is prepended with a header containing the magic value FIDEL.CA.
Figure 3. FIDEL.CA magic value in an encrypted file’s 1024-byte header [2].
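The FIDEL.CA marker gives incident responders a cheap way to scope an infection: a file whose 1024-byte header contains that value has been processed by the Cuba payload. The following added example (not code from the post or from the Unit 42 report) builds a constructed directory with one such file and two benign files, then walks the tree reporting hits. It assumes the marker may sit anywhere inside the 1024-byte header rather than at a fixed offset, which is why it searches the whole header.

```python
import os
import tempfile

HEADER_LEN = 1024       # size of the header Cuba prepends to each encrypted file
MAGIC = b"FIDEL.CA"     # marker reported inside that header


def has_cuba_header(path):
    """True if the marker appears within the first HEADER_LEN bytes.
    The offset inside the header is treated as unknown (assumption), so the
    whole header is searched rather than a fixed position."""
    with open(path, "rb") as fh:
        head = fh.read(HEADER_LEN)
    return head.find(MAGIC) != -1


def scan_tree(root):
    """Walk a directory tree and return the sorted paths carrying the marker."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if has_cuba_header(path):
                    hits.append(path)
            except OSError:
                # Locked or unreadable files are skipped, not fatal.
                continue
    return sorted(hits)


def build_sample_tree():
    """Constructed test data: one file with a Cuba-style header, one ordinary
    text file, and one file where the marker occurs only after the header
    (must not be flagged)."""
    root = tempfile.mkdtemp(prefix="cuba_triage_")
    with open(os.path.join(root, "report.docx"), "wb") as fh:
        fh.write(MAGIC + b"\xaa" * (HEADER_LEN - len(MAGIC)) + b"\x55" * 256)
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"quarterly notes\n" * 20)
    with open(os.path.join(root, "late.bin"), "wb") as fh:
        fh.write(b"\x00" * HEADER_LEN + MAGIC)
    return root


def triage_sample():
    """Build the sample tree and return the base names of flagged files."""
    root = build_sample_tree()
    return [os.path.basename(p) for p in scan_tree(root)]


def late_marker_is_ignored():
    """Confirms a marker beyond the 1024-byte header does not trigger."""
    root = build_sample_tree()
    return not has_cuba_header(os.path.join(root, "late.bin"))


if __name__ == "__main__":
    print(triage_sample())
```

Treat the result as triage, not proof: a plain text file that happens to mention the string in its first kilobyte will also match, so confirm hits by checking that the remainder of the file is high-entropy and that the original file type is gone.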
Below are the services and processes terminated and the directories avoided by Cuba ransomware at run time.
Terminated Services and Processes
MySQL
MySQL82SQLSERVERAGENT
MSSQLSERVER
SQLBrowser
SQLWriter
SQLTELEMETRY
MSDTC
sqlagent.exe
sqlservr.exe
sqlwriter.exe
sqlceip.exe
msdtc.exe
sqlbrowser.exe
vmcompute
vmms
vmwp.exe
vmsp.exe
outlook.exe
MSExchangeUMCR
MSExchangeUM
MSExchangeTransportLogSearch
MSExchangeTransport
MSExchangeThrottling
MSExchangeSubmission
MSExchangeServiceHost
MSExchangeRPC
MSExchangeRepl
MSExchangePOP3BE
MSExchangePop3
MSExchangeNotificationsBroker
MSExchangeMailboxReplication
MSExchangeMailboxAssistants
MSExchangeIS
MSExchangeIMAP4BE
MSExchangeImap4
MSExchangeHMRecovery
MSExchangeHM
MSExchangeFrontEndTransport
MSExchangeFastSearch
MSExchangeEdgeSync
MSExchangeDiagnostics
MSExchangeDelivery
MSExchangeDagMgmt
MSExchangeCompliance
MSExchangeAntispamUpdate
Microsoft.Exchange.Store.Worker.exe
Avoided Directories
\windows\
\program files\microsoft office\
\program files (x86)\microsoft office\
\program files\avs\
\program files (x86)\avs\
\$recycle.bin\
\boot\
\recovery\
\system volume information\
\msocache\
\users\all users\
\users\default user\
\users\default\
\temp\
\inetcache\
After encryption, a ransom note is dropped onto the target machine, instructing the victim how to contact the attackers.
Figure 4. A ransom note dropped by the Cuba Ransomware [1].
How Is Cuba Ransomware Related to the Industrial Spy Market?
In May 2022, security researchers reported that Industrial Spy, a dark web market known for selling data stolen from breached organizations, had announced a move into the Ransomware-as-a-Service (RaaS) business [4]. Further analysis shows that the ransom note used by Industrial Spy carries the same contact information as the Cuba ransomware note. Cuba has also been observed using Industrial Spy to sell data exfiltrated from its victims' systems.
For now, even though the link between Cuba ransomware and Industrial Spy is unclear, security researchers believe there is more to it than what is visible on the surface [2].
How Does Picus Help Simulate Cuba Ransomware Attacks?
Picus Labs already had threats for the Cuba ransomware used in the attack campaign that took place in 2021.
Now, the Picus Threat Library includes the latest variant of Cuba ransomware. We strongly suggest simulating Cuba ransomware attacks to test the effectiveness of your security controls against ransomware using the Picus Complete Security Validation Platform. You can test your defenses against Cuba ransomware and many other ransomware families within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for Cuba ransomware:
Threat ID | Action Name | Attack Module
61818 | Cuba Ransomware Campaign 2022 | Endpoint
42769 | Cuba Ransomware Email Threat | E-mail Infiltration
48463 | Cuba Ransomware Download Threat | Network Infiltration
Indicators of Compromise (IOCs)
SHA-256
f1103e627311e73d5f29e877243e7ca203292f9419303c661aec57745eb4f26c
02a733920c7e69469164316e3e96850d55fca9f5f9d19a241fad906466ec8ae8
bff4dd37febd5465e0091d9ea68006be475c0191bd8c7a79a44fbf4b99544ef1
a7c207b9b83648f69d6387780b1168e2f1eabd23ae6e162dd700ae8112f8b96c
857f28b8fe31cf5db6d45d909547b151a66532951f26cda5f3320d2d4461b583
ecefd9bb8b3783a81ab934b44eb3d84df5e58f0289f089ef6760264352cf878a
141b2190f51397dbd0dfde0e3904b264c91b6f81febc823ff0c33da980b69944
08eb4366fc0722696edb03981f00778701266a2e57c40cd2e9d765bf8b0a34d0
db3b1f224aec1a7c58946d819d729d0903751d1867113aae5cca87e38c653cf4
0cf6399db55d40bc790a399c6bbded375f5a278dc57a143e4b21ea3f402f551f
f8144fa96c036a8204c7bc285e295f9cd2d1deb0379e39ee8a8414531104dc4a
74fbf3cc44dd070bd5cb87ca2eed03e1bbeec4fec644a25621052f0a73abbe84
f5db51115fa0c910262828d0943171d640b4748e51c9a140d06ea81ae6ea1710
88d13669a994d2e04ec0a9940f07ab8aab8563eb845a9c13f2b0fec497df5b17
b160bd46b6efc6d79bfb76cf3eeacca2300050248969decba139e9e1cbeebf53
0f385cc69a93abeaf84994e7887cb173e889d309a515b55b2205805bdfe468a3
0d5e3483299242bf504bd3780487f66f2ec4f48a7b38baa6c6bc8ba16e4fb605
f869e8fbd8aa1f037ad862cf6e8bbbf797ff49556fb100f2197be4ee196a89ae
7e00bfb622072f53733074795ab581cf6d1a8b4fc269a50919dda6350209913c
af4523186fe4a5e2833bbbe14939d8c3bd352a47a2f77592d8adcb569621ce02
0c2ffed470e954d2bf22807ba52c1ffd1ecce15779c0afdf15c292e3444cf674
8a3d71c668574ad6e7406d3227ba5adc5a230dd3057edddc4d0ec5f8134d76c3
4306c5d152cdd86f3506f91633ef3ae7d8cf0dd25f3e37bec43423c4742f4c42
310afba59ab8e1bda3ef750a64bf39133e15c89e8c7cf4ac65ee463b26b136ba
3d4502066a338e19df58aa4936c37427feecce9ab8d43abff4a7367643ae39ce
f538b035c3de87f9f8294bec272c1182f90832a4e86db1e47cbb1ab26c9f3a0b
b5d202456ac2ce7d1285b9c0e2e5b7ddc03da1cbca51b5da98d9ad72e7f773b8
fd87ca28899823b37b2c239fbbd236c555bcab7768d67203f86d37ede19dd975
1817cc163482eb21308adbd43fb6be57fcb5ff11fd74b344469190bb48d8163b
1f842f84750048bb44843c277edeaa8469697e97c4dbf8dc571ec552266bec9f
61971d3cbf88d6658e5209de443e212100afc8f033057d9a4e79000f6f0f7cc4
c646199a9799b6158de419b1b7e36b46c7b7413d6c35bfffaeaa8700b2dcc427
1b943afac4f476d523310b8e3afe7bca761b8cbaa9ea2b9f01237ca4652fc834
bd270853db17f94c2b8e4bd9fa089756a147ed45cbc44d6c2b0c78f361978906
0afed8d1b7c36008de188c20d7f0e2283251a174261547aab7fb56e31d767666
e0d89c88378dcb1b6c9ce2d2820f8d773613402998b8dcdb024858010dec72ed
571f8db67d463ae80098edc7a1a0cad59153ce6592e42d370a45df46f18a4ad8
10a5612044599128981cb41d71d7390c15e7a2a0c2848ad751c3da1cbec510a2
1807549af1c8fdc5b04c564f4026e41790c554f339514d326f8b55cb7b9b4f79
01242b35b6def71e42cc985e97d618e2fabd616b16d23f7081d575364d09ca74
952b34f6370294c5a0bb122febfaa80612fef1f32eddd48a3d0556c4286b7474
9aa1f37517458d635eae4f9b43cb4770880ea0ee171e7e4ad155bbdee0cbe732
3a8b7c1fe9bd9451c0a51e4122605efc98e7e4e13ed117139a13e4749e211ed0
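To sweep a file share for the hashes listed above, the following added example (not code from the post) first normalizes a pasted IOC list, since copied lists often pick up stray whitespace or line wraps inside a hash, and then hashes every file under a directory and reports matches. The three values in PAGE_IOCS are copied from the list on this page, one of them with the stray space it carries in the published list; the temporary directory and the files it hashes are constructed for the demo.

```python
import hashlib
import os
import re
import tempfile

# Three SHA-256 values from the IOC list above. The third deliberately keeps
# the stray space found in the published list to exercise normalization.
PAGE_IOCS = """
f1103e627311e73d5f29e877243e7ca203292f9419303c661aec57745eb4f26c
02a733920c7e69469164316e3e96850d55fca9f5f9d19a241fad906466ec8ae8
c646199a9799b6158de419b1b7e36b46c7b7413d6c35bf ffaeaa8700b2dcc427
"""

SHA256_HEX = re.compile(r"^[0-9a-f]{64}$")


def load_iocs(text):
    """Lowercase each line, drop all whitespace inside it, and keep only
    well-formed 64-hex SHA-256 values."""
    iocs = set()
    for line in text.splitlines():
        candidate = re.sub(r"\s+", "", line).lower()
        if SHA256_HEX.match(candidate):
            iocs.add(candidate)
    return iocs


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file in 1 MiB chunks so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_for_iocs(root, iocs):
    """Return (path, digest) pairs for files whose SHA-256 is in the IOC set."""
    matches = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # unreadable or locked file; move on
            if digest in iocs:
                matches.append((path, digest))
    return sorted(matches)


def demo():
    """Constructed demo: a temp directory with two files; the hash of one of
    them is added to the IOC set to simulate a hit. Neither file is malware."""
    root = tempfile.mkdtemp(prefix="ioc_sweep_")
    flagged = os.path.join(root, "invoice.exe")
    with open(flagged, "wb") as fh:
        fh.write(b"constructed sample content, not real malware\n")
    with open(os.path.join(root, "readme.txt"), "wb") as fh:
        fh.write(b"nothing to see here\n")
    iocs = load_iocs(PAGE_IOCS) | {sha256_file(flagged)}
    return [os.path.basename(p) for p, _ in scan_for_iocs(root, iocs)]


if __name__ == "__main__":
    print(demo())
```

Hash matching only catches the exact samples that were reported; pair it with the behavioural detections above (kernel-driver service creation, RC4 ticket bursts, the FIDEL.CA header) rather than relying on it alone.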
References
[1] “#StopRansomware: Cuba Ransomware”. https://www.cisa.gov/uscert/sites/default/files/publications/aa22-335a-stopransomware-cuba-ransomware.pdf. [Accessed: Dec. 08, 2022]
[2] D. Santos, “Novel News on Cuba Ransomware: Greetings From Tropical Scorpius,” Unit 42, Aug. 09, 2022. https://unit42.paloaltonetworks.com/cuba-ransomware-tropical-scorpius/. [Accessed: Dec. 07, 2022]
[3] Unit 42, “Threat Brief: Lapsus$ Group,” Unit 42, Mar. 24, 2022. https://unit42.paloaltonetworks.com/lapsus-group/. [Accessed: Dec. 07, 2022]
[4] L. Abrams, “Industrial Spy data extortion market gets into the ransomware game,” BleepingComputer, May 26, 2022. https://www.bleepingcomputer.com/news/security/industrial-spy-data-extortion-market-gets-into-the-ransomware-game/. [Accessed: Dec. 07, 2022]