New Cuba Ransomware Variant Involves Double-Extortion Scheme


What’s new in the April Variant of Cuba Ransomware

The Cuba ransomware family has a new specimen. The new version of Cuba surfaced in late April 2022 and was involved in the attack on two companies in Asia. Although the changes from previous versions cannot be called crucial, some of them are worth mentioning.

The malware is delivered via the BUGHATCH downloader, which works in connection with its command and control center. The latter sends code (PowerShell scripts and portable executables) to be run on the attacked computer. The downloader itself gets onto the compromised device via a link to a PowerShell script or a dropper Trojan, also written in PowerShell.

The April Cuba variant has undergone some changes in terms of commands: “local” and “network” are the only two remaining commands that relate to directories and locations.

The list of services and processes that the ransomware terminates upon arrival has been somewhat extended and now comprises 47 items, mostly ensuring that Microsoft Exchange and SQL-related services are cut off.

The exclusion list of folders that the malware leaves untouched has also been extended to 16 directories, with the Google folder protected alongside the expected Windows and Program Files ones. The extensions safe-listed from encryption are: .exe, .dll, .sys, .ini, .lnk, .vbm, and, understandably, .cuba.
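
The service-termination step described above is something defenders can watch for before encryption starts. The following is an added example, not code from the original article: it flags hosts where several Exchange or SQL-related services stop within a short window. The service-name prefixes, window, threshold and sample events are all assumptions, since the article does not list the 47 names.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed watch-list: name prefixes of Exchange and SQL Server services.
# Extend it from your own service inventory.
WATCHED = re.compile(r"^(MSExchange|MSSQL|SQL)", re.IGNORECASE)
WINDOW = timedelta(seconds=60)  # assumed tuning value
THRESHOLD = 4                   # assumed: distinct watched services per window

# Constructed sample records (timestamp, host, service, new state), shaped like
# parsed Service Control Manager "service entered the ... state" events.
SAMPLE_EVENTS = [
    ("2022-04-28T02:10:01", "mail01", "MSExchangeIS", "stopped"),
    ("2022-04-28T02:10:02", "mail01", "MSExchangeTransport", "stopped"),
    ("2022-04-28T02:10:03", "mail01", "MSSQLSERVER", "stopped"),
    ("2022-04-28T02:10:04", "mail01", "SQLWriter", "stopped"),
    ("2022-04-28T02:10:05", "mail01", "Spooler", "stopped"),
    # Routine maintenance on another host: few stops, spread over hours.
    ("2022-04-28T03:00:00", "db02", "MSSQLSERVER", "stopped"),
    ("2022-04-28T03:00:01", "db02", "SQLSERVERAGENT", "stopped"),
    ("2022-04-28T03:00:20", "db02", "MSSQLSERVER", "running"),
    ("2022-04-28T04:00:00", "db02", "SQLWriter", "stopped"),
    ("2022-04-28T05:00:00", "db02", "MSSQLFDLauncher", "stopped"),
]

def detect_stop_bursts(events, window=WINDOW, threshold=THRESHOLD):
    """Return {host: [services]} for hosts where at least `threshold`
    distinct watched services stopped within `window`."""
    recent = defaultdict(deque)  # host -> (time, service) pairs still in window
    alerts = {}
    for ts, host, service, state in sorted(events):
        if state != "stopped" or not WATCHED.match(service):
            continue
        now = datetime.fromisoformat(ts)
        queue = recent[host]
        queue.append((now, service))
        while now - queue[0][0] > window:  # drop stops older than the window
            queue.popleft()
        distinct = {name for _, name in queue}
        if len(distinct) >= threshold:
            alerts.setdefault(host, set()).update(distinct)
    return {host: sorted(names) for host, names in alerts.items()}

if __name__ == "__main__":
    for host, names in detect_stop_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {len(names)} watched services stopped: {names}")
```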

Two-level extortion

The new Cuba is very caring when it eventually comes to racketeering. This time it’s a double-extortion scheme. If the victim does not contact the criminals within three days, the hackers threaten to expose the data extracted from the targeted machine.

Cuba ransomware ransom note: the note clearly states the threat of exposing the victim’s data.

Such threats are not a bluff, unfortunately. It happened before to the game development company CD Projekt, when unfinished materials of the game Cyberpunk 2077 were published on the web as a result of a double-layer ransomware attack in February 2021.

The malefactors also make things easy for those ready to cooperate: to simplify communication, they have a quTox account.

By Stephanie Adlam

I write about how to make your Internet browsing comfortable and safe. The modern digital world is worth being a part of, and I want to show you how to do it properly.
