Cuba Ransomware Group's New Variant Found Using Optimized Infection Techniques
Trend Micro Research observed the resurgence of the Cuba ransomware group, which launched a new malware variant that uses different infection techniques from past iterations. We discuss our initial findings in this report.
By: Don Ovid Ladores
June 08, 2022
Cuba ransomware is a malware family that has been detected in seasonal waves since it was first observed in February 2020. It resurfaced in November 2021 according to the FBI's official notice, and has reportedly attacked 49 organizations in five critical infrastructure sectors, collecting at least US$43.9 million in ransom payments.
We observed Cuba ransomware's resurgence in March and April this year. Our monitoring showed that the malware authors appear to be pushing updates to the current binary of a new variant. The samples we examined in March and April used BUGHATCH, a custom downloader that the malicious actor had not employed in previous variants, specifically for the staging phase of the infection routine.
In late April we also noticed another variant of the ransomware, this time targeting two organizations based in Asia. This blog entry focuses on our analysis of the latest samples uncovered from this period.
While the updates to Cuba ransomware did not change much in terms of overall functionality, we have reason to believe that they aim to optimize its execution, minimize unintended system behavior, and provide technical support to victims who choose to negotiate.
Our analysis of the new variant revealed that the malicious actor expanded the list of processes and services that the ransomware terminates before encryption. The additions are the following:
MySQL
MySQL80
SQLSERVERAGENT
MSSQLSERVER
SQLWriter
SQLTELEMETRY
MSDTC
SQLBrowser
sqlagent.exe
sqlservr.exe
sqlwriter.exe
sqlceip.exe
msdtc.exe
sqlbrowser.exe
vmcompute
vmms
vmwp.exe
vmsp.exe
outlook.exe
MSExchangeUMCR
MSExchangeUM
MSExchangeTransportLogSearch
MSExchangeTransport
MSExchangeThrottling
MSExchangeSubmission
MSExchangeServiceHost
MSExchangeRPC
MSExchangeRepl
MSExchangePOP3BE
MSExchangePop3
MSExchangeNotificationsBroker
MSExchangeMailboxReplication
MSExchangeMailboxAssistants
MSExchangeIS
MSExchangeIMAP4BE
MSExchangeImap4
MSExchangeHMRecovery
MSExchangeHM
MSExchangeFrontEndTransport
MSExchangeFastSearch
MSExchangeEdgeSync
MSExchangeDiagnostics
MSExchangeDelivery
MSExchangeDagMgmt
MSExchangeCompliance
MSExchangeAntispamUpdate
Microsoft.Exchange.Store.Worker.exe
Figure 1. Screenshot of the list of processes and services that the Cuba ransomware seeks to terminate
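The kill list above is useful as a detection signal: a host on which several of these database, hypervisor and Exchange services stop within seconds of each other is rarely doing routine maintenance. The following is an added example written for this post, not code from Trend Micro or from the ransomware. It assumes that Windows System log Event ID 7036 ("The X service entered the stopped state") and Sysmon Event ID 5 (process terminated) records have already been normalised into dicts, and that the display name carried by 7036 (for example "SQL Server (MSSQLSERVER)") has been mapped back to the short service name upstream, since the kill list uses service names. The window and threshold values, and the log records, are constructed for the demo.

```python
"""Detection for the pre-encryption kill burst described above.

Added example; this is neither Trend Micro's code nor the ransomware's.
It reads normalised Windows System log Event ID 7036 (service stopped) and
Sysmon Event ID 5 (process terminated) records and alerts when one host
stops several kill-list entries inside a short window.
Assumption: the 7036 display name has already been mapped to the short
service name. All records below are constructed for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Service and process names from the list above, lower-cased for matching
# (Windows names are case-insensitive). Abridged to keep the demo short.
KILL_LIST = {name.lower() for name in (
    "MySQL", "MySQL80", "SQLSERVERAGENT", "MSSQLSERVER", "SQLWriter",
    "SQLTELEMETRY", "MSDTC", "SQLBrowser", "vmcompute", "vmms",
    "MSExchangeIS", "MSExchangeTransport", "MSExchangeRPC",
    "sqlagent.exe", "sqlservr.exe", "sqlwriter.exe", "msdtc.exe",
    "vmwp.exe", "vmsp.exe", "outlook.exe", "Microsoft.Exchange.Store.Worker.exe",
)}

WINDOW = timedelta(seconds=60)  # assumption: the kills land in one tight burst
THRESHOLD = 3                   # assumption: distinct kill-list hits per host


def kill_list_target(event):
    """Return the lower-cased kill-list candidate an event refers to, or None."""
    if event["channel"] == "System" and event["event_id"] == 7036:
        # Only transitions into the stopped state matter; restarts also log 7036.
        if event["state"].lower() == "stopped":
            return event["service"].lower()
        return None
    if event["channel"] == "Sysmon" and event["event_id"] == 5:
        # Sysmon records the full image path; compare on the file name only.
        return event["image"].rsplit("\\", 1)[-1].lower()
    return None


def detect_kill_bursts(events, window=WINDOW, threshold=THRESHOLD):
    """Return {host: sorted kill-list names} for every host that stops at
    least `threshold` distinct kill-list entries within a `window`-long span."""
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        target = kill_list_target(ev)
        if target in KILL_LIST:
            hits[ev["host"]].append((ev["time"], target))

    alerts = {}
    for host, series in hits.items():
        start = 0
        for end in range(len(series)):          # sliding window over time
            while series[end][0] - series[start][0] > window:
                start += 1
            names = {name for _, name in series[start:end + 1]}
            if len(names) >= threshold:
                alerts.setdefault(host, set()).update(names)
    return {host: sorted(names) for host, names in alerts.items()}


def _t(stamp):
    return datetime.fromisoformat(stamp)


# Constructed records: a kill burst on db01, ordinary noise on ws07.
SAMPLE_EVENTS = [
    {"host": "db01", "channel": "System", "event_id": 7036,
     "time": _t("2022-04-28T02:10:01"), "service": "MSSQLSERVER", "state": "stopped"},
    {"host": "db01", "channel": "System", "event_id": 7036,
     "time": _t("2022-04-28T02:10:02"), "service": "SQLSERVERAGENT", "state": "stopped"},
    {"host": "db01", "channel": "Sysmon", "event_id": 5,
     "time": _t("2022-04-28T02:10:03"),
     "image": "C:\\Program Files\\Microsoft SQL Server\\MSSQL15.MSSQLSERVER\\MSSQL\\Binn\\sqlservr.exe"},
    {"host": "db01", "channel": "System", "event_id": 7036,
     "time": _t("2022-04-28T02:10:04"), "service": "SQLWriter", "state": "stopped"},
    # A single service restart and a user closing Outlook hours later: no alert.
    {"host": "ws07", "channel": "System", "event_id": 7036,
     "time": _t("2022-04-28T09:00:00"), "service": "MySQL80", "state": "stopped"},
    {"host": "ws07", "channel": "System", "event_id": 7036,
     "time": _t("2022-04-28T09:00:05"), "service": "MySQL80", "state": "running"},
    {"host": "ws07", "channel": "Sysmon", "event_id": 5,
     "time": _t("2022-04-28T13:00:00"),
     "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"},
]

if __name__ == "__main__":
    print(detect_kill_bursts(SAMPLE_EVENTS))
```

Counting distinct names rather than raw events keeps a flapping service from tripping the rule on its own; in production the threshold should be tuned per host role, since an Exchange server legitimately stops many MSExchange* services during patching.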
Another apparent change is the expansion of the safelisted directories and file extensions that the ransomware avoids encrypting:
Directory Safelist:
windows
program files\microsoft office
program files (x86)\microsoft office
program files\avs
program files (x86)\avs
$recycle.bin
boot
recovery
system volume information
msocache
users\all users
users\default user
users\default
temp
inetcache
google
Extension Safelist:
.exe
.dll
.sys
.ini
.lnk
.vbm
.cuba
Figure 2. Array of directories it excludes from encryption
We compared the new variant used in late April 2022 to the previous ones and found that the former did not have all of the commands or functions that came with the latter. The malicious actors retained only two commands in the new one, both of which are directory- or location-related terms. These are as follows:
Notably, the wording of the ransom note used in the latest variant (see Figure 4) differs from the one the malicious actors used in the samples we analyzed in March this year, but the onion site indicated in both ransom notes is the same. The ransom note used in late April 2022 explicitly states that they will publish exfiltrated data on their Tor site if the victims refuse to negotiate after three days, an apparent use of the double extortion technique. The ransomware gang did not clearly state the threat of publishing stolen data in the ransom note dropped in March 2022 (see Figure 3).
Figure 3. Cuba ransomware's ransom note retrieved from samples that we analyzed in March 2022
Another new feature of the latest ransom note is the addition of quTox, a channel for technical support to the ransomware victims to facilitate ransom payment negotiation.
Figure 4. Cuba ransomware's ransom note retrieved from samples analyzed in late April 2022, with mention of quTox as technical support to facilitate ransom payment negotiations
We are still investigating the latest set of samples and have yet to identify the entire infection chain for the new Cuba ransomware variant. As mentioned, the indicators that were commonly seen in most of the recent infections were not present in the latest samples we observed. Moreover, our detections of new samples in May suggest that Cuba ransomware's attacks will persist in the coming months, possibly with further updates to the malware, which are par for the course.
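Read together, the two safelists tell a responder what the variant leaves alone and, more importantly, what it does not: only the Microsoft Office and AVS subfolders of Program Files are skipped (so SQL Server data files under Program Files are in scope, which is why the services above are killed first), Veeam backup metadata (.vbm) is spared while the backup payloads are not, and the .cuba entry simply prevents re-encrypting already-encrypted files. The following reconstruction is an added example, not code from the Trend Micro report or from the ransomware. The report lists what is skipped but not how the comparison is done, so the matching rule is an assumption: each directory entry is compared case-insensitively as a run of consecutive path components at any depth, and extensions are compared case-insensitively against the final suffix. The file inventory is constructed for the demo.

```python
"""Reconstruction of the encryption-scope filter implied by the safelists above.

Added example; not code from the Trend Micro report or from the ransomware.
Matching rule (assumption, not stated on the page): a directory entry matches
if it appears as a run of consecutive path components anywhere below the
drive root; an extension entry matches the file's final suffix. Both are
compared case-insensitively because NTFS paths are.
"""
import ntpath

DIRECTORY_SAFELIST = [
    r"windows",
    r"program files\microsoft office",
    r"program files (x86)\microsoft office",
    r"program files\avs",
    r"program files (x86)\avs",
    r"$recycle.bin",
    r"boot",
    r"recovery",
    r"system volume information",
    r"msocache",
    r"users\all users",
    r"users\default user",
    r"users\default",
    r"temp",
    r"inetcache",
    r"google",
]
EXTENSION_SAFELIST = {".exe", ".dll", ".sys", ".ini", ".lnk", ".vbm", ".cuba"}


def _components(path):
    """Split a Windows path (drive letter or UNC) into lower-cased components."""
    _drive, rest = ntpath.splitdrive(path)
    return [c.lower() for c in rest.replace("/", "\\").split("\\") if c]


def _contains_run(components, run):
    n = len(run)
    return any(components[i:i + n] == run for i in range(len(components) - n + 1))


def skip_reason(path):
    """Return why the filter would skip `path`, or None if it would be encrypted."""
    parts = _components(path)
    directories = parts[:-1]
    for entry in DIRECTORY_SAFELIST:
        if _contains_run(directories, entry.lower().split("\\")):
            return f"directory:{entry}"
    extension = ntpath.splitext(parts[-1])[1] if parts else ""
    if extension in EXTENSION_SAFELIST:
        return f"extension:{extension}"
    return None


def triage(paths):
    """Split a file inventory into (would be encrypted, would be skipped)."""
    encrypted, skipped = [], []
    for path in paths:
        reason = skip_reason(path)
        (skipped if reason else encrypted).append((path, reason))
    return encrypted, skipped


# Constructed inventory covering each kind of decision.
SAMPLE_PATHS = [
    r"C:\Windows\System32\drivers\etc\hosts",
    r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\DATA\master.mdf",
    r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\History",
    r"C:\Users\alice\Documents\q1-forecast.xlsx",
    r"C:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\keyfile",
    r"D:\VeeamBackups\Job1\Job1.vbm",
    r"D:\VeeamBackups\Job1\Job1.vbk",
    r"\\fileserver\finance\contract.docx.cuba",
]

if __name__ == "__main__":
    encrypted, skipped = triage(SAMPLE_PATHS)
    for path, _ in encrypted:
        print("ENCRYPT", path)
    for path, reason in skipped:
        print("SKIP   ", path, reason)
```

Running `triage` over a real file inventory (for example a `dir /s /b` listing taken from a backup) gives an incident responder a first-cut list of what the variant would have reached, which is a better starting point for scoping than the encrypted-file count alone; the matching rule should be confirmed against the binary before the output is relied on.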
Suggestions
As new malware variants emerge, a proactive cybersecurity stance is key to ensuring that organizations are protected against modern ransomware threats. To defend systems against similar attacks, organizations can adopt security frameworks that systematically allocate resources based on an enterprise's needs.
Consider following the security frameworks established by the Center for Internet Security and the National Institute of Standards and Technology when developing your own cybersecurity strategies. The frameworks they created help security teams mitigate risks and minimize exposure to threats. Implementing the best practices discussed in their respective frameworks can save organizations the time and effort of building their own from scratch. Their frameworks guide organizations through the entire planning process while offering suggestions on which measures need to be established first.
Indicators of Compromise (IOCs)
SHA256: 89288de628b402621007c7ebb289233e7568307fb12a33aac7e834504c17b4af
Trend Micro Detection: Ransom.Win32.BACUCRYPT.YPCD2T