COLDDRAW ransomware targets utility providers, government agencies, Mandiant says

Researchers from cybersecurity firm Mandiant determined that UNC2596, a hacker group that deploys COLDDRAW ransomware, has targeted dozens of organizations, including those within the critical infrastructure sector, across over ten countries. 

So far, victims of the COLDDRAW ransomware attacks have included utility providers, government agencies, and organizations that support nonprofits and healthcare entities, Mandiant researchers said in a company blog post on Wednesday. However, “we have not observed them attacking hospitals or entities that provide urgent care. Around 80% of impacted victim organizations are based in North America, but they have also impacted several countries in Europe as well as other regions,” they added. 

The COLDDRAW ransomware is also publicly known as Cuba ransomware and was initially flagged by the Federal Bureau of Investigation (FBI). In December, the agency said that the hacker group had compromised at least 49 entities in five critical infrastructure sectors, including financial, government, healthcare, manufacturing, and information technology industries. 

Mandiant has observed UNC2596 frequently leverage vulnerabilities affecting public-facing Microsoft Exchange infrastructure as the initial compromise vector in recent COLDDRAW intrusions in which the initial vector could be identified.

The researchers said that the hackers likely performed initial reconnaissance activities to identify Internet-facing systems that may be vulnerable to exploitation. The preliminary surveillance was carried out to determine active network hosts, which could be used as candidates for encryption and to identify files to exfiltrate for use in their multifaceted extortion scheme.

During COLDDRAW ransomware incidents, “UNC2596 actors have used several methods for lateral movement including RDP, SMB, and PsExec, frequently using BEACON to facilitate this movement,” the researchers noted. “Following lateral movement, the threat actors deploy various backdoors including the publicly available NetSupport RAT, as well as BEACON and BUGHATCH, which are often deployed using the TERMITE in-memory dropper. These backdoors are sometimes executed using PowerShell launchers and have in some cases used predictable filenames,” they added.

To complete their mission of multi-faceted extortion, the UNC2596 hackers attempt to steal relevant user files and then identify and encrypt networked machines, the Mandiant researchers said. “UNC2596 has also been observed exfiltrating data prior to encrypting victim systems. To date, we have not observed UNC2596 using any cloud storage providers for data exfiltration; rather, they prefer to exfiltrate data to their BEACON infrastructure. The threat actors then threaten to publish data of organizations that do not pay a ransom on their shaming site,” they added.

UNC2596 is currently the only threat actor tracked by Mandiant that uses COLDDRAW ransomware, suggesting that the ransomware may be used exclusively by this group. “This ransomware appends the .cuba file extension to encrypted files. When executed, it terminates services associated with common server applications and encrypts files on the local filesystem and attached network drives using an embedded RSA key. Encrypted files are rewritten with a COLDDRAW-generated header prior to the encrypted file contents. For large files, only the beginning and end of the file will be encrypted,” Mandiant added.

In COLDDRAW ransomware incidents, where initial access was gained through Microsoft Exchange vulnerabilities, UNC2596 subsequently deployed webshells to establish a foothold in the victim network, the researchers said. “Mandiant has also observed these actors deploy a variety of backdoors to establish a foothold, including the publicly available NetSupport RAT, as well as BEACON and BUGHATCH, which have been deployed using the TERMITE in-memory dropper,” they added.

COLDDRAW ransomware incidents have mainly involved using credentials from valid accounts to escalate privileges, Mandiant said. In some cases, the source of these credentials is unknown, while in other instances, UNC2596 leveraged credential theft tools such as Mimikatz and WICKER. “We have also observed these threat actors manipulating or creating Windows accounts and modifying file access permissions. In one intrusion, UNC2596 created a user account and added it to the administrator and RDP groups,” it added.
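The account manipulation described above (a newly created user being added to the administrator and RDP groups) is a pattern a defender can correlate in Windows Security logs. The following detection logic is an added example, not Mandiant's code or anything from the article; it assumes events have already been parsed into dictionaries, and the sample events are constructed, modelled on Windows event IDs 4720 (user account created) and 4732 (member added to a security-enabled local group).

```python
"""Flag Windows accounts that are created and then added to a privileged
local group within a short window, as seen in the UNC2596 intrusion
described in the article. Sample data below is constructed for illustration."""
from datetime import datetime, timedelta

# Constructed events (not real log data). Fields mimic the parts of
# Security event IDs 4720 / 4732 that matter for this correlation.
SAMPLE_EVENTS = [
    {"time": "2022-02-23T10:01:05", "id": 4720, "user": "svc_backup", "group": None},
    {"time": "2022-02-23T10:01:40", "id": 4732, "user": "svc_backup", "group": "Administrators"},
    {"time": "2022-02-23T10:02:10", "id": 4732, "user": "svc_backup", "group": "Remote Desktop Users"},
    # A benign-looking case: created one day, given RDP access the next day.
    {"time": "2022-02-23T11:30:00", "id": 4720, "user": "jdoe", "group": None},
    {"time": "2022-02-24T09:00:00", "id": 4732, "user": "jdoe", "group": "Remote Desktop Users"},
]

# Local groups whose membership grants admin rights or remote logon.
PRIVILEGED_GROUPS = {"Administrators", "Remote Desktop Users"}


def find_suspicious_accounts(events, window=timedelta(hours=1)):
    """Return {user: [groups]} for accounts added to a privileged group
    within `window` of their creation event."""
    created = {}  # user -> creation timestamp (most recent 4720)
    hits = {}     # user -> set of privileged groups joined inside the window
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4720:
            created[ev["user"]] = ts
        elif ev["id"] == 4732 and ev["group"] in PRIVILEGED_GROUPS:
            t0 = created.get(ev["user"])
            # Only correlate if we saw the creation and it was recent.
            if t0 is not None and ts - t0 <= window:
                hits.setdefault(ev["user"], set()).add(ev["group"])
    return {user: sorted(groups) for user, groups in hits.items()}


if __name__ == "__main__":
    for user, groups in find_suspicious_accounts(SAMPLE_EVENTS).items():
        print(f"ALERT: new account {user!r} added to {groups} shortly after creation")
```

The one-hour window is a tuning knob; a shorter window reduces noise from legitimate provisioning, and the 4720 lookup means a group change on a pre-existing account is not flagged by this rule.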

“Beyond commonplace tools, like Cobalt Strike BEACON and NetSupport, UNC2596 has used novel malware, including BURNTCIGAR to disable endpoint protection, WEDGECUT to enumerate active hosts, and the BUGHATCH custom downloader,” Mandiant said. “In incidents where COLDDRAW was deployed, UNC2596 used a multi-faceted extortion model where data is stolen and leaked on the group’s shaming website, in addition to encryption using COLDDRAW ransomware,” it added.

The Mandiant data comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned critical infrastructure installations about malicious actors using influence operations to shape public opinion, undermine trust, amplify division, and sow discord. The warning comes amid escalating Russia-Ukraine geopolitical tensions. The agency also issued a ‘Shields Up’ alert notifying every organization in the country of the potential risk from cyber threats that can disrupt essential services and potentially impact public safety.
