Cuba ransomware returns to extorting victims with updated encryptor


The Cuba ransomware operation has returned to regular operations, with a new version of its malware found in use in recent attacks.

Cuba ransomware's activity reached a peak in 2021 when it partnered with the Hancitor malware gang for initial access. By the end of the year, it had breached 49 critical infrastructure organizations in the United States.

This year started less impressively for the ransomware gang, with few new victims. However, Mandiant spotted signs of tactical changes and experimentation that indicated the group is still active.

Now, Trend Micro analysts report seeing a resurgence in Cuba infections, starting in March and continuing strong until April 2022.

Cuba has listed three victims in April and one in May on its Tor site. However, the attacks that resulted in the publication of these files likely unfolded earlier.

While these aren't impressive figures compared to other ransomware operations, "Cuba" is generally more selective, hitting only large organizations.