Summary: the Cuba ransomware gang has evolved into an extortion-driven operation with a diverse toolkit that blends public and custom malware with exploit-driven intrusion. Its intrusions use BYOVD, Exchange/Veeam vulnerability chaining, and a multi-stage attack chain against victims worldwide. Hashtags: #CubaRansomware #Burntcigar #Bughatch #Veeamp #CobaltStrike #BYOVD #ProxyShell #ProxyLogon
Keypoints
- The Cuba ransomware gang operates as a ransomware-as-a-service (RaaS) with aliases such as ColdDraw, Tropical Scorpius, Fidel, Cuba, and more recently “V IS VENDETTA.”
- Victims span oil, financial services, government, healthcare, retailers, and more across the United States, Canada, Europe, and other regions.
- The group uses a classic double extortion model (encryption plus data theft) and relies on hybrid encryption (XSalsa20 + RSA-2048).
- Initial access often leverages software vulnerabilities (ProxyShell/ProxyLogon) and compromised Remote Desktop Protocol (RDP) connections; they also target Veeam vulnerabilities.
- Arsenal includes both widely used credential and execution tools (Mimikatz, PowerShell, PsExec, RDP) and custom malware families (Bughatch, Burntcigar, Veeamp, Wedgecut, RomCom RAT).
- The operation features multi-stage payloads, including BYOVD (Bring Your Own Vulnerable Driver) to gain kernel-level control, and persistence mechanisms such as new user creation and registry modifications.
- New samples and ongoing activity show evolving techniques (encrypted process lists in Burntcigar, GoToAssist file transfers, and Cobalt Strike beacons) and continued exploitation of Exchange and backup services; threat intelligence and MDR play key roles in detection and response.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – ProxyShell and ProxyLogon used for attacking Exchange servers by exploiting vulnerabilities in software used by victim companies. Quote: ‘exploitation of software vulnerabilities… ProxyShell and ProxyLogon for attacking Exchange servers’.
- [T1133] External Remote Services – Initial access via compromised Remote Desktop (RDP) connections. Quote: ‘compromised remote desktop (RDP) connections for initial access.’
- [T1021.001] Remote Services: Remote Desktop Protocol – Lateral movement and access via Remote Desktop Protocol and PsExec. Quote: ‘PowerShell’, ‘PsExec’, ‘Remote Desktop Protocol’ appear in the arsenal.
- [T1059.001] Command and Scripting Interpreter: PowerShell – Use of PowerShell among credential and execution tools. Quote: ‘PowerShell’ is listed as part of the tools.
- [T1136] Create Account – NetUserAdd to create a new user account for persistence. Quote: ‘NetUserAdd to create the user.’
- [T1543.003] Create or Modify System Process: Windows Service – Creating a kernel service via sc.exe to load a vulnerable driver. Quote: ‘sc.exe utility to create a service named “aswSP_ArPot2”…’
- [T1068] Exploitation for Privilege Escalation – BYOVD using legitimate signed drivers with security holes to run actions at kernel level. Quote: ‘Bring Your Own Vulnerable Driver (BYOVD) is a type of attack where the bad actor uses legitimate signed drivers…’
- [T1027] Obfuscated Files and Information – Data about the processes to be terminated is encrypted in Burntcigar samples. Quote: ‘all data about processes to be terminated is encrypted.’
- [T1041] Exfiltration Over C2 Channel – Data exfiltration via HTTP POST to a C2 server. Quote: ‘sends it back to the server in the form of an HTTP POST request.’
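As an added defender-side example (not code from the report or its authors), the following Python pairs two of the behaviours listed above, the sc.exe kernel service created to load a vulnerable driver (T1543.003 leading to T1068) and the new user account created for persistence (T1136), over constructed sample events. The service name aswSP_ArPot2 and driver file aswarpot.sys come from the page; the hosts, users, paths, timestamps and event field names are assumptions.

```python
import json
from datetime import datetime, timedelta

# Indicators named in the report: the service created with sc.exe and the driver file.
BYOVD_SERVICE_NAMES = {"aswsp_arpot2"}
BYOVD_DRIVER_FILES = {"aswarpot.sys"}

# Constructed sample events (hosts, users, paths and timestamps are made up), one JSON
# record per line, in the shape a SIEM export of Security/System log events might take.
SAMPLE_EVENTS = r"""
{"ts": "2023-05-01T10:00:00", "host": "EXCH01", "id": 4688, "user": "SqlDbAdmin", "cmd": "sc.exe create aswSP_ArPot2 binPath= C:\\Windows\\Temp\\aswarpot.sys type= kernel"}
{"ts": "2023-05-01T10:00:02", "host": "EXCH01", "id": 7045, "service": "aswSP_ArPot2", "image": "C:\\Windows\\Temp\\aswarpot.sys", "start": "kernel mode driver"}
{"ts": "2023-05-01T10:03:15", "host": "EXCH01", "id": 4720, "user": "SqlDbAdmin", "new_user": "svc_backup"}
{"ts": "2023-05-01T14:00:00", "host": "WS22", "id": 7045, "service": "Spooler", "image": "C:\\Windows\\System32\\spoolsv.exe", "start": "user mode service"}
{"ts": "2023-05-02T09:00:00", "host": "WS22", "id": 4720, "user": "helpdesk", "new_user": "jdoe"}
"""

def parse_events(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def is_byovd_signal(ev):
    """True for a 7045 service install, or a 4688 'sc.exe create ... type= kernel'
    command line, that references the report's service name or driver file."""
    if ev.get("id") == 7045:
        name = ev.get("service", "").lower()
        image = ev.get("image", "").lower().rsplit("\\", 1)[-1]
        return name in BYOVD_SERVICE_NAMES or image in BYOVD_DRIVER_FILES
    if ev.get("id") == 4688:
        cmd = ev.get("cmd", "").lower()
        return ("sc.exe" in cmd and " create " in cmd and "type= kernel" in cmd
                and any(n in cmd for n in BYOVD_SERVICE_NAMES | BYOVD_DRIVER_FILES))
    return False

def find_byovd_persistence_chains(events, window_minutes=30):
    """Pair each host's first BYOVD signal with any local account created (4720)
    on that host within the window; returns one (host, new_user) tuple per pairing."""
    first_signal = {}
    for ev in events:
        if is_byovd_signal(ev):
            t = datetime.fromisoformat(ev["ts"])
            first_signal[ev["host"]] = min(first_signal.get(ev["host"], t), t)
    chains = []
    for ev in events:
        if ev.get("id") == 4720 and ev["host"] in first_signal:
            delta = datetime.fromisoformat(ev["ts"]) - first_signal[ev["host"]]
            if timedelta(0) <= delta <= timedelta(minutes=window_minutes):
                chains.append((ev["host"], ev["new_user"]))
    return chains

if __name__ == "__main__":
    for host, user in find_byovd_persistence_chains(parse_events(SAMPLE_EVENTS)):
        print(f"[ALERT] BYOVD driver install followed by new account {user!r} on {host}")
```

The service-name and driver-file sets are the only report-derived inputs; the same correlation applies to any kernel-type service creation once the indicator sets are widened.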
Indicators of Compromise
- [Domain] Onion domain used for C2/command and control – test.cuba4ikm4jakjgmkezytyawtdgr2xymvy6nvzgw5cglswg3si76icnqd.onion
- [File Name] Staging/loader artifacts – aswarpot.sys, KK.exe
- [Dynamic Library] Bughatch component – komar65.dll, addp.dll
- [Batch Script] Stager batch script – av.bat
- [Executable] GoToAssist component used for file transfer between hosts – gotoassistui.exe
- [Credential] Privileged account credential – SqlDbAdmin (account observed on Exchange server)