Is my host protected against Cuba Ransomware?

This chain reproduces Cuba ransomware's recent post-exploitation activity: it first dumps user credentials with Mimikatz, then attempts to initiate a Remote Desktop Protocol (RDP) connection, then attempts to exploit the ZeroLogon vulnerability to gain Domain Administrator privileges, and ends by capturing and staging a series of screenshots prior to exfiltration.

CUBA ransomware is a ransomware family that has been active since 2019 and became a much more prevalent threat in 2022. The group suspected of operating Cuba ransomware uses a double extortion method: it not only demands a ransom payment to decrypt the victim's data but also threatens to publicly release the stolen data if the ransom is not paid. The group has also set up a leak site to expose organizations it claims to have compromised.
In addition to deploying ransomware, the group has used various tactics and tools to gain initial access to victim networks, including exploiting known vulnerabilities in commercial software such as Microsoft Exchange, conducting phishing campaigns, and using compromised credentials. It has also used techniques such as Kerberoasting to elevate privileges on compromised systems and move laterally through networks before executing the ransomware. Cuba ransomware has historically been distributed through Hancitor and Qbot.

Testing

Execute Operator's "Is my host protected against Cuba ransomware?" chain on each host in your environment to test whether you are vulnerable.

This chain is configured to focus on Cuba ransomware's recent post-exploitation activities. It first dumps user credentials using Mimikatz, then attempts to initiate a Remote Desktop Protocol (RDP) connection, then attempts to exploit the ZeroLogon vulnerability to gain Domain Administrator privileges, and ends by capturing and staging a series of screenshots prior to exfiltration.
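As an added example (not Prelude's or Operator's code), the following Python flags the first three stages of this chain in simplified Windows Security and Sysmon events, correlating them across hosts within a time window. The flattened field names are an assumed schema and the sample events are constructed; screenshot capture leaves no standard event-log record, so it is not covered.

```python
# Added example (not Prelude/Operator code): flag the chain stages listed on
# this page -- LSASS credential dumping, an RDP logon and a Zerologon-style
# computer-account password reset -- in simplified Windows Security/Sysmon
# events. Field names are an assumed flattened schema; adjust to your SIEM.
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): one workstation, one DC.
SAMPLE_EVENTS = [
    {"host": "WS01", "source": "Security", "EventID": 4624, "time": "2023-01-10T08:55:00",
     "LogonType": 2, "TargetUserName": "j.doe"},                      # benign console logon
    {"host": "WS01", "source": "Sysmon", "EventID": 10, "time": "2023-01-10T09:00:05",
     "SourceImage": r"C:\Users\j.doe\Downloads\mk.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"host": "WS01", "source": "Security", "EventID": 4624, "time": "2023-01-10T09:02:40",
     "LogonType": 10, "TargetUserName": "j.doe", "IpAddress": "10.0.0.25"},
    {"host": "DC01", "source": "Security", "EventID": 4742, "time": "2023-01-10T09:05:12",
     "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "DC01$"},
]

# Access masks commonly reported for Mimikatz-style reads of LSASS memory.
LSASS_SUSPICIOUS_ACCESS = {"0x1010", "0x1410", "0x1fffff"}


def stage_of(ev):
    """Map one event to a chain stage name, or None if it is not relevant."""
    src, eid = ev.get("source"), ev.get("EventID")
    if (src == "Sysmon" and eid == 10
            and ev.get("TargetImage", "").lower().endswith("\\lsass.exe")
            and ev.get("GrantedAccess", "").lower() in LSASS_SUSPICIOUS_ACCESS):
        return "lsass_dump"
    if src == "Security" and eid == 4624 and ev.get("LogonType") == 10:
        return "rdp_logon"                       # LogonType 10 = RemoteInteractive (RDP)
    if (src == "Security" and eid == 4742
            and ev.get("SubjectUserName") == "ANONYMOUS LOGON"
            and ev.get("TargetUserName", "").endswith("$")):
        return "zerologon_reset"                 # machine account changed by an unauthenticated caller
    if src == "System" and eid in (5827, 5829):  # Netlogon vulnerable-connection events
        return "zerologon_reset"
    return None


def detect_chain(events, window=timedelta(hours=1)):
    """Return the stages seen in time order, and alert when two or more
    distinct stages fall within `window` (correlated across hosts, since the
    LSASS dump lands on a workstation and the account reset on the DC)."""
    hits = sorted((datetime.fromisoformat(e["time"]), stage_of(e)) for e in events
                  if stage_of(e) is not None)
    alert = any(len({s for t, s in hits[i:] if t - t0 <= window}) >= 2
                for i, (t0, _) in enumerate(hits))
    return {"stages": [s for _, s in hits], "alert": alert}
```

A single stage on its own is only a weak signal (an RDP logon is routine), which is why the alert requires two distinct stages in the window.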

Remediation

To protect yourself from Cuba ransomware, review CISA's mitigation recommendations for Cuba ransomware and take appropriate measures to reduce the risk of compromise.

Staying up to date

Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!
There are several ways to follow us and learn more about Prelude and our team members:

Get our products

Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org
See our open-source repositories: https://github.com/preludeorg

Join our community

Discord: https://discord.gg/gzUv4XNquu
Reddit: https://www.reddit.com/r/preludeorg/
Twitter: https://twitter.com/preludeorg

Read, watch, and listen

Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg

Follow our team

David: https://twitter.com/privateducky
Alex: https://twitter.com/khyberspache
Octavia: https://twitter.com/VVX7
Waseem: https://twitter.com/gerbsec

Source: https://feed.prelude.org
TTPs

Dump LSASS credentials using MimiKatz
Initiate RDP connection
Exploit ZeroLogon vulnerability to gain Domain Admin
Grab a series of desktop screenshots

Tags

apt29, menupass