Getty Images/iStockphoto

CISA, FBI Alert Healthcare Sector of Cuba Ransomware Tactics

The Cuba ransomware group has collected over $60M in ransom payments and comprised more than 100 critical infrastructure organizations, including many within the healthcare sector.

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released a joint cybersecurity advisory to warn critical infrastructure organizations of tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with Cuba ransomware.

The FBI and CISA have observed threat actors using Cuba ransomware from November 2019 through August 2022, pursuing attacks against financial services, government facilities, technology companies, manufacturers, and healthcare organizations.

As of August 2022, Cuba ransomware actors have victimized more than 100 companies globally, demanded nearly $145 million, and raked in more than $60 million in ransom payments. According to the advisory report, the number of attacks had doubled since December, when the FBI released a flash alert to organizations about Cuba ransomware actors.

Threat actors typically use commercial software vulnerabilities, compromised credentials, phishing emails, or legitimate Remote Desktop Protocol (RDP) tools to gain access to networks. 

However, the cybersecurity advisory report noted, “Since spring 2022, Cuba ransomware actors have modified their TTPs and tools to interact with compromised networks and extort payments from victims.”

Recent third-party and open-source reports have linked Cuba ransomware actors with RomCom Remote Access Trojan (RAT) actors and Industrial Spy ransomware actors.

“After gaining initial access, the actors distributed Cuba ransomware on compromised systems through Hancitor—a loader known for dropping or executing stealers, such as Remote Access Trojans (RATs) and other types of ransomware, onto victims’ networks,” the advisory stated.

As of this spring, Cuba ransomware actors started leveraging RomCom malware, a custom RAT, for command and control (C2) to exploit CVE-2022-24521 in the Windows Common Log File System (CLFS), stealing system tokens and elevating privileges.

“Cuba ransomware actors may also be leveraging Industrial Spy ransomware,” the report stated.  “According to third-party reporting, suspected Cuba ransomware actors compromised a foreign healthcare company.

“The threat actors deployed Industrial Spy ransomware, which shares distinct similarities in configuration to Cuba ransomware. Before deploying the ransomware, the actors moved laterally using Impacket and deployed the RomCom RAT and Meterpreter Reverse Shell HTTP/HTTPS proxy via a C2 serve.”

To evade detection before executing Cuba ransomware, the threat actors leverage a dropper that writes a kernel driver to the file system called ApcHelper.sys and terminates security products.

In other cases, threat actors have used “double extortion” methods to withdraw victim data, request ransom payments to decrypt it, and threaten to publicly release the data if a ransom payment is paid.

In addition to learning about indicators of compromise and threat attacker techniques, the FBI and CISA recommended that all potential victims employ numerous mitigations to defend their networks and reduce the risk of compromise.

The advisory stated that all critical infrastructure industries, including healthcare organizations, should implement a recovery plan, require multifactor authentication (MFA), and keep all operating systems, software, and firmware up to date.

The federal bodies also urged organizations to comply with the National Institute for Standards and Technology (NIST) standards for developing and managing password policies.

In addition, the advisory encouraged industries to implement network segmentation, audit user accounts, disable unused ports, maintain offline data backups, and implement time-based access for accounts at the admin level or higher.

Similar to the Cuba ransomware group, a joint advisory was also released about Hive ransomware actors, another group that has specifically targeted the healthcare industry. In August 2021, Hive ransomware actors claimed multiple healthcare victims, including an attack on Memorial Health System that led to appointment cancellations, clinical disruptions, and EHR downtime.

Next Steps

Dig Deeper on Cybersecurity strategies