The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a joint cybersecurity advisory about Cuba Ransomware and have shared details of the tactics, techniques, and procedures (TTPs) used by the group, along with Indicators of Compromise (IoCs) to help network defenders improve their defenses against attacks and rapidly detect computer intrusions. The Health Sector Cybersecurity Coordination Center says the group poses a significant threat to the healthcare and public health sector.
The Cuba ransomware group has increased attacks in the United States, with attacks doubling since December 2021, and ransom payments are also on the rise. Globally, more than 100 organizations have been targeted by the gang and more than $145 million in ransom demands have been issued, with the group known to have received at least $60 million in ransom payments. The group targets critical infrastructure organizations, with at least 65 critical infrastructure entities known to have been attacked in the United States, including those in healthcare and public health, government facilities, financial services, critical manufacturing, and information technology.
According to CISA and the FBI, there are similarities between the infrastructure used by the Cuba ransomware operation and the RomCom RAT and Industrial Spy ransomware actors. The group uses RomCom for command and control of the ransomware and sells stolen data through the online market used by the Industrial Spy actors if victims refuse to pay the ransom. In one attack, the Cuba ransomware gang deployed the RomCom RAT on the network of a healthcare company, suggesting strong links between these three groups. The group is also known to use a dropper that was signed using the same certificate that was found in the LAPSUS NVIDIA data leak.
The Cuba ransomware group uses a variety of methods to gain initial access to victims’ networks, including exploitation of vulnerabilities in unpatched commercial software, such as CVE-2022-24521 (Windows Common Log File System) and CVE-2020-1472 (ZeroLogon), phishing, compromised credentials, and remote desktop protocol (RDP) tools. Once access is gained, the ransomware is distributed using a loader called Hancitor, which is also used for dropping information stealers, RATs, and other malicious payloads. Before encrypting files, the group exfiltrates data to pressure victims into paying the ransom demands.
CISA and the FBI previously issued a security advisory about the group in December 2021; however, the group has modified its TTPs, which have been included in the latest security alert along with IoCs, MITRE ATT&CK techniques, and recommended mitigations.
The post Healthcare Sector Warned About Cuba Ransomware Attacks appeared first on HIPAA Journal.