Trend Micro Research analyzed a resurgence of the Cuba ransomware group with a new variant that uses optimized infection techniques, including a new staging downloader. The update also expands safelists, adds victim support features, and implements double extortion via a Tor site, signaling ongoing evolution of the campaign.— #CubaRansomware #BUGHATCH #Tor #quTox #Exfiltration
Keypoints
- Cuba ransomware reappeared with a new variant in March–April 2022 and is linked to updates that optimize execution and minimize unwanted side effects.
- The variant uses BUGHATCH, a custom downloader, specifically during the staging phase of the infection routine.
- The threat actor added a large set of processes/services to terminate (e.g., MySQL, MSSQLSERVER, sqlwriter.exe, vmcompute, MSExchange components) to hinder defenses or system availability during encryption.
- Directory and file extension safelists were expanded to avoid encrypting certain paths and extensions (e.g., .exe, .dll, .cuba).
- The latest ransom note indicates double extortion via a Tor onion site, threatening publication of exfiltrated data if negotiations fail.
- A new feature, quTox, provides technical support to victims to facilitate ransom negotiations.
- Detections suggest that Cuba ransomware infections will persist and evolve; the recommendations stress adopting the CIS/NIST frameworks for defense.
MITRE Techniques
- [T1105] Ingress Tool Transfer – The March and April samples use BUGHATCH, a custom downloader not seen in previous variants, specifically for the staging phase of the infection routine. “the samples we examined in March and April used BUGHATCH, a custom downloader that the malicious actor did not employ in previous variants specifically for the staging phase of the infection routine.”
- [T1562.001] Impair Defenses – Termination of a broad set of processes and services to hinder operations during infection. “added some processes and services to terminate the following: … sqlwriter.exe … vmsp.exe”
- [T1497] Virtualization/Sandbox Evasion – Termination of virtualization-related processes to interfere with analysis or detection. “terminate the following: vmcompute … vmsp.exe”
- [T1562.001] Impair Defenses – Expanded safelist of directories and file extensions to avoid encryption. “Directory Safelist: … windows … Extension Safelist: .exe .dll … .cuba”
- [T1059] Command and Scripting Interpreter – The latest variant retained only two commands that are directory- or location-related: “local” and “network”. “The malicious actors only retained two commands … local … network.”
- [T1041] Exfiltration Over C2 Channel – Double extortion via exfiltration published on a Tor site; ransom note references data publication if negotiations fail. “they will publish exfiltrated data on their Tor site if the victims refuse to negotiate after three days.”
- [T1583] Acquire Capabilities – Introduction of quTox as a means for technical support to facilitate ransom negotiations. “quTox, a means for technical support to the ransomware victims to facilitate ransom payment negotiation.”
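A defender-side detection sketch for the mass process/service termination described under T1562.001 above, added here as an example and not code from Trend Micro or the analysis it summarizes. The log line format, host names and timestamps are constructed; the prefix match on "msexchange" is an assumption, since the summary names the MSExchange components only collectively.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Processes/services the summary names as termination targets of the new variant
# (the source list is longer; only the names given on the page are used here).
TARGETED = {
    "mysql", "mssqlserver", "sqlwriter.exe", "sqlservr.exe",
    "vmcompute", "vmms", "vmwp.exe", "vmsp.exe",
}

# Constructed log schema (an assumption, not a real product format):
# "<ISO timestamp> host=<name> action=<stop|kill> target=<process-or-service>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) action=(?P<action>stop|kill) target=(?P<target>\S+)$"
)

def is_targeted(name):
    # "MSExchange components" are matched by prefix (assumption, see lead-in).
    return name in TARGETED or name.startswith("msexchange")

def parse_line(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]),
            "host": m["host"], "target": m["target"].lower()}

def find_mass_termination(lines, window=timedelta(minutes=2), threshold=4):
    """Return {host: set(targets)} for hosts where at least `threshold` distinct
    targeted processes/services were stopped within any `window`-long span."""
    by_host = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and is_targeted(ev["target"]):
            by_host[ev["host"]].append(ev)
    alerts = {}
    for host, events in by_host.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end, ev in enumerate(events):          # sliding time window
            while ev["ts"] - events[start]["ts"] > window:
                start += 1
            seen = {e["target"] for e in events[start:end + 1]}
            if len(seen) >= threshold:
                alerts.setdefault(host, set()).update(seen)
    return alerts

# Constructed sample log: db01 shows the pre-encryption burst, ws07 does not.
SAMPLE_LOG = """\
2022-04-01T10:00:01 host=db01 action=stop target=MSSQLSERVER
2022-04-01T10:00:03 host=db01 action=kill target=sqlwriter.exe
2022-04-01T10:00:04 host=db01 action=kill target=sqlservr.exe
2022-04-01T10:00:05 host=db01 action=stop target=vmcompute
2022-04-01T10:00:06 host=db01 action=stop target=MSExchangeTransport
2022-04-01T11:30:00 host=ws07 action=stop target=MySQL
2022-04-01T11:45:00 host=ws07 action=kill target=notepad.exe
2022-04-01T11:46:00 host=ws07 action=stop target=vmms
""".splitlines()
```

Legitimate maintenance can stop a database or Hyper-V service, so the window and threshold are meant to be tuned per environment; the signal is many distinct targets in seconds, not any single stop.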
Indicators of Compromise
- [SHA256] 89288de628b402621007c7ebb289233e7568307fb12a33aac7e834504c17b4af – Trend Micro Detection: Ransom.Win32.BACUCRYPT.YPCD2T
- [File Extension] .cuba – listed in the extension safelist, so files already carrying this extension are skipped during encryption
- [Process name] sqlwriter.exe, sqlservr.exe – listed among processes/services targeted for termination
- [Process name] vmcompute, vmms, vmwp.exe, vmsp.exe – virtualization-related processes terminated to evade analysis