New malware variant of Cuba ransomware group uses different infection techniques

Trend Micro has observed a resurgence of the Cuba ransomware group in March and April this year, using a new malware variant with updated infection techniques.

While the updates to Cuba ransomware did not change much in terms of overall functionality, Trend Micro has ‘reason to believe that the updates aim to optimize its execution, minimize unintended system behavior, and provide technical support to the ransomware victims if they choose to negotiate.’ Moreover, further detections of new samples in May suggest that Cuba ransomware attacks will persist in the coming months, possibly with more updates to the malware that are par for the course.

“Our monitoring showed that the malware authors seem to be pushing some updates to the current binary of a new variant,” Don Ovid Ladores, a company researcher, wrote in a Trend Micro blog post. “The samples we examined in March and April used BUGHATCH, a custom downloader that the malicious actor did not employ in previous variants specifically for the staging phase of the infection routine. In late April we also noticed another variant of the ransomware, this time targeting two organizations based in Asia,” he added.

Detected in seasonal waves, the Cuba ransomware is a malware family that was first observed in February 2020. Cuba ransomware's activity reached a peak last year when it partnered with the Hancitor malware gang for initial access. The Federal Bureau of Investigation (FBI) warned last December about its resurfacing, noting that the group had reportedly attacked 49 organizations in five critical infrastructure sectors and amassed at least US$43.9 million in ransom payments.

Earlier this year, Mandiant determined that UNC2596, a hacker group that deploys COLDDRAW ransomware, has targeted dozens of organizations, including those within the critical infrastructure sector, across over ten countries. The COLDDRAW ransomware is also publicly known as Cuba ransomware.

Trend Micro’s analysis of the new variant revealed that the malicious actor added some processes and services to terminate ahead of encryption, including MySQL, MySQL80, SQLSERVERAGENT, outlook.exe, MSExchangeUMCR, MSExchangeUM, and SQLBrowser. Another apparent change that Trend Micro detected is the expansion of the ‘safelisted’ directories and file extensions that the Cuba ransomware will avoid encrypting. 
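As an added defensive example (not code from Trend Micro's report or this article), the following Python check scans Windows System log lines for the pre-encryption pattern described above: several of the named services stopping within a short window. The log lines are constructed samples, and the event text format, window and threshold are assumptions.

```python
"""Flag bursts of service stops matching the Cuba ransomware pre-encryption list."""
import re
from datetime import datetime, timedelta

# Services named in the article as terminated by the new variant ahead of encryption.
# outlook.exe is a process, not a service, so it is outside this SCM-event check.
CUBA_TARGETED_SERVICES = {"MySQL", "MySQL80", "SQLSERVERAGENT",
                          "MSExchangeUMCR", "MSExchangeUM", "SQLBrowser"}

# Constructed sample lines in the style of exported Event ID 7036 records (not real telemetry).
SAMPLE_LOG = """\
2022-04-26 02:14:03 7036 Service Control Manager: The MySQL80 service entered the stopped state.
2022-04-26 02:14:04 7036 Service Control Manager: The SQLSERVERAGENT service entered the stopped state.
2022-04-26 02:14:04 7036 Service Control Manager: The SQLBrowser service entered the stopped state.
2022-04-26 02:14:05 7036 Service Control Manager: The MSExchangeUM service entered the stopped state.
2022-04-26 02:14:05 7036 Service Control Manager: The MSExchangeUMCR service entered the stopped state.
2022-04-26 09:30:00 7036 Service Control Manager: The Spooler service entered the stopped state.
2022-04-27 18:00:00 7036 Service Control Manager: The MySQL80 service entered the stopped state.
"""

LINE_RE = re.compile(r"^(\S+ \S+) 7036 .*?The (\S+) service entered the stopped state\.$")


def parse_stops(text):
    """Return (timestamp, service_name) for every 7036 'stopped state' line."""
    stops = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            stops.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)))
    return stops


def find_termination_bursts(stops, window=timedelta(minutes=5), min_hits=3):
    """Return [(window_start, [services])] where >= min_hits distinct targeted
    services stopped within `window`. A lone MySQL restart during maintenance is
    normal; several database/mail services stopping together is the suspicious pattern."""
    targeted = sorted((ts, svc) for ts, svc in stops if svc in CUBA_TARGETED_SERVICES)
    alerts, i = [], 0
    while i < len(targeted):
        start = targeted[i][0]
        cluster = [(ts, svc) for ts, svc in targeted[i:] if ts - start <= window]
        names = sorted({svc for _, svc in cluster})
        if len(names) >= min_hits:
            alerts.append((start, names))
        i += len(cluster)  # skip past this window; cluster always holds at least one entry
    return alerts
```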

“We compared the new variant used in late April 2022 to the previous ones and found that the former did not have all the commands or functions that came with the latter,” Ladores said. “The malicious actors only retained two commands in the new one that are directory- or location-related phrases,” he added. 

Additionally, the wording of the ransom note used in the latest variant “is different from the previous one that the malicious actors used in the samples we analyzed in March this year, but the onion site indicated in both ransom notes is the same.” 

Trend Micro said that the ransom note used in late April 2022 explicitly states that they will publish exfiltrated data on their Tor site if the victims refuse to negotiate after three days – an apparent use of the double extortion technique. The ransomware gang did not clearly state the threat of publication of stolen data in the ransom note dropped in March 2022, it added.

Ladores also revealed that another new feature of the latest ransom note is the addition of quTox, a means for technical support to the ransomware victims to facilitate ransom payment negotiation. “We are still investigating the latest set of samples and have yet to establish the entire infection chain for the new Cuba ransomware variant. As mentioned, the indicators that were commonly seen in most of the recent infections were not present in the latest samples we saw,” he added.

Recent research released by Forescout Technologies’ Vedere Labs showed a new attack approach called Ransomware for IoT or R4IoT. The proof of concept covers next-generation ransomware that exploits IoT devices for initial access, targets IT devices to deploy ransomware and cryptominers, and leverages poor OT (operational technology) security practices to cause physical disruption to business operations. By compromising IoT, IT, and OT assets, R4IoT goes beyond the usual encryption and data exfiltration to cause physical disruption of business operations.

The Trend Micro data is consistent with findings from Zscaler ThreatLabz, which identified the latest ransomware trends as including supply chain attacks, double extortion attacks, ransomware-as-a-service, and geopolitically and law enforcement-related attacks, among other vectors.

The ‘2022 State of Ransomware Report’ found that ransomware attacks increased by 80 percent year on year. Double extortion ransomware rose by 117 percent, indicating that more and more attacks include data theft in their strategies. Manufacturing was the most targeted industry for the second straight year, making up almost 20 percent of double extortion ransomware attacks. Supply chain ransomware attacks are also on the rise.

Given the deteriorating threat landscape and the emergence of newer malware variants, organizations are increasingly forced to adopt a proactive cybersecurity stance to ensure that they are protected against modern ransomware threats. To defend systems against similar attacks, organizations can establish security frameworks that systematically allocate resources based on the enterprise's needs.
