Is my host protected against Cuba Ransomware?
Cuba ransomware is a ransomware family that has been active since 2019 and became a much more prevalent threat in 2022. The suspected group behind Cuba ransomware uses a double extortion method: they not only demand a ransom payment to decrypt the victim's files but also threaten to publicly release the data they stole before encrypting if the ransom is not paid. The group has also set up a leak site to expose organizations that they claim to have compromised.
In addition to deploying ransomware, the group has used various tactics and tools to gain initial access to victim networks, including exploiting known vulnerabilities in commercial software such as Microsoft Exchange, conducting phishing campaigns, and using compromised credentials. They have also used tools and techniques such as Kerberoasting to elevate privileges on compromised systems and move laterally through networks before executing the ransomware. Cuba ransomware has historically been distributed through Hancitor.
Run the "Is my host protected against Cuba ransomware?" chain on each host in your environment to test whether you are vulnerable.
This chain focuses on Cuba ransomware's recent post-exploitation activity. It first dumps user credentials with Mimikatz, then attempts to initiate a Remote Desktop Protocol (RDP) connection, then attempts to exploit the ZeroLogon vulnerability (CVE-2020-1472) to gain Domain Administrator privileges, and ends by capturing and staging a series of screenshots as the step that precedes exfiltration.
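The stages above (credential dumping, RDP lateral movement, ZeroLogon) and the Kerberoasting technique mentioned earlier each leave a distinct footprint in Windows Security and Sysmon telemetry. The following detector is an added example written for this page; it is not Prelude's chain or code, and the event records, host names, SIDs and image paths are constructed. Field names mirror the common Windows event XML names, the LSASS allowlist and the RC4 / non-machine-SPN rule are heuristics to tune per environment, and the screenshot-staging stage is not modelled because it has no reliable log signature.

```python
"""Stage-by-stage detection of the post-exploitation chain described above,
run over constructed Windows Security / Sysmon event records.
Added example; field names follow the Windows event XML, values are made up."""
from collections import defaultdict

PROCESS_VM_READ = 0x0010  # access right a tool needs to read LSASS memory (bit set in Mimikatz's 0x1010)

# Processes that legitimately open lsass.exe with read rights (assumed allowlist, tune per environment).
LSASS_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

CHAIN = ("credential_dump", "kerberoast", "rdp_logon", "zerologon")

# Constructed sample events (not real logs): one true positive and one benign record per stage.
SAMPLE_EVENTS = [
    # Sysmon 10: user-writable binary reads lsass.exe memory (credential dumping)
    {"host": "WS01", "source": "Sysmon", "event_id": 10, "SourceImage": r"C:\Users\jdoe\Downloads\update.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010"},
    # Sysmon 10: AV engine reading lsass.exe (benign, allowlisted)
    {"host": "WS01", "source": "Sysmon", "event_id": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010"},
    # Security 4624 LogonType 10: RemoteInteractive (RDP) logon
    {"host": "SRV01", "source": "Security", "event_id": 4624, "LogonType": 10, "TargetUserName": "jdoe", "IpAddress": "10.0.0.15"},
    # Security 4624 LogonType 3: ordinary network logon (benign)
    {"host": "SRV01", "source": "Security", "event_id": 4624, "LogonType": 3, "TargetUserName": "jdoe", "IpAddress": "10.0.0.15"},
    # Security 4769: RC4 (0x17) service ticket for a user-account SPN (Kerberoasting)
    {"host": "DC01", "source": "Security", "event_id": 4769, "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17"},
    # Security 4769: AES (0x12) ticket for a machine account (benign)
    {"host": "DC01", "source": "Security", "event_id": 4769, "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "SRV01$", "TicketEncryptionType": "0x12"},
    # Security 4742: DC computer account changed by ANONYMOUS LOGON (ZeroLogon password reset footprint)
    {"host": "DC01", "source": "Security", "event_id": 4742, "SubjectUserName": "ANONYMOUS LOGON",
     "SubjectUserSid": "S-1-5-7", "TargetUserName": "DC01$"},
    # Security 4742: routine machine password change by the machine itself (benign, constructed SID)
    {"host": "DC01", "source": "Security", "event_id": 4742, "SubjectUserName": "WS01$",
     "SubjectUserSid": "S-1-5-21-1111111111-2222222222-3333333333-1105", "TargetUserName": "WS01$"},
]


def classify(ev):
    """Map one flattened event to a chain stage name, or None if it looks benign."""
    eid, src = ev.get("event_id"), ev.get("source")
    if src == "Sysmon" and eid == 10:
        # Credential dumping: a non-allowlisted process opens lsass.exe with PROCESS_VM_READ.
        target = str(ev.get("TargetImage", "")).lower()
        source = str(ev.get("SourceImage", "")).lower()
        granted = int(str(ev.get("GrantedAccess", "0x0")), 16)
        if target.endswith(r"\lsass.exe") and source not in LSASS_ALLOWLIST and granted & PROCESS_VM_READ:
            return "credential_dump"
        return None
    if src == "Security" and eid == 4624:
        # Lateral movement over RDP shows up as a RemoteInteractive (type 10) logon.
        return "rdp_logon" if str(ev.get("LogonType")) == "10" else None
    if src == "Security" and eid == 4769:
        # Kerberoasting heuristic: RC4-encrypted ticket requested for a non-machine, non-krbtgt SPN.
        svc = str(ev.get("ServiceName", ""))
        rc4 = str(ev.get("TicketEncryptionType", "")).lower() == "0x17"
        if rc4 and not svc.endswith("$") and svc.lower() != "krbtgt":
            return "kerberoast"
        return None
    if src == "Security" and eid == 4742:
        # ZeroLogon footprint: a computer account's attributes changed by ANONYMOUS LOGON (S-1-5-7).
        if ev.get("SubjectUserSid") == "S-1-5-7" and str(ev.get("TargetUserName", "")).endswith("$"):
            return "zerologon"
        return None
    return None


def detect(events):
    """Return {stage: [hosts where it fired]} for every stage that fired, in chain order."""
    hits = defaultdict(list)
    for ev in events:
        stage = classify(ev)
        if stage:
            hits[stage].append(ev["host"])
    return {stage: hits[stage] for stage in CHAIN if stage in hits}


def missing_stages(events):
    """Stages of the chain that produced no detection: gaps in telemetry or coverage."""
    seen = detect(events)
    return [stage for stage in CHAIN if stage not in seen]


if __name__ == "__main__":
    for stage, hosts in detect(SAMPLE_EVENTS).items():
        print(f"{stage:16} fired on {', '.join(hosts)}")
    print("uncovered stages:", missing_stages(SAMPLE_EVENTS) or "none")
```

Feed the detector the events your own logging pipeline produces while the chain runs: any stage listed by `missing_stages` is a step of the Cuba playbook that would currently go unnoticed on that host, which is the actionable result of the test.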
To protect yourself from Cuba ransomware, review CISA's mitigation recommendations in the joint advisory AA22-335A (#StopRansomware: Cuba Ransomware) and take appropriate measures to reduce the risk of compromise.
Staying up to date
Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!
There are several ways to follow us and learn more about Prelude and our team members:
Get our products
Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org
See our open-source repositories: https://github.com/preludeorg
Read, watch, and listen
Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg