FBI Warns about Cuba the Ransomware Gang


Thread author
Staff Member
Malware Hunter
Jul 27, 2015
The US government has issued an alert about Cuba; not the state but a ransomware gang that's taking millions in purloined profits.

The Cuba gang has hit more than 100 organizations worldwide, demanding over $145 million in payments and successfully extorting at least $60 million since August, according to a joint FBI and US Cybersecurity and Infrastructure Security Agency (CISA) advisory. According to the security alert: Note: While this ransomware is known by industry as "Cuba ransomware," there is no indication Cuba ransomware actors have any connection or affiliation with the Republic of Cuba.

The FBI first warned about the cybercrime gang in December 2021, and since then, the victim count in the US alone has doubled. In that the same time, the ransom payments received also jumped. Private security researchers have identified possible links between Cuba ransomware criminals and their RomCom remote access trojan (RAT) and Industrial Spy ransomware counterparts. The crooks continue to target five critical infrastructure sectors: financial services, government, healthcare and public health, critical manufacturing, and IT, according to the FBI.
As the bureau previously noted, Cuba ransomware miscreants tend to use known bugs in commercial software, phishing emails, compromised credentials, and remote desktop protocol tools to gain initial access to their victims' networks. Once they've broken in, they distribute Cuba ransomware on compromised systems via Hancitor, a loader that can drop or execute other software nasties including RATs.

Since the spring, the criminals have modified their tools to interact with compromised networks and extort payments, according to Palo Alto Networks Unit 42 threat hunters. The security shop's research and consulting arm also discovered the Cuba ransomware crooks exploiting certain known vulnerabilities and using legitimate tools to elevate privileges and burrow deeper into their victims' environments. This includes exploiting CVE-2022-24521 in the Windows Common Log File System (CLFS) driver to steal system tokens and elevate privileges, using a PowerShell script to target service accounts for their associated Active Directory Kerberos ticket and using KerberCache to extract cached Kerberos tickets from a host's Local Security Authority Server Service (LSASS) memory. They are also known to exploit CVE-2020-1472, aka "ZeroLogon," to gain domain administrative privileges.


Level 29
Top Poster
Sep 13, 2018
Less than two weeks ago, the United States Cybersecurity & Infrastructure Security Agency and FBI released a joint advisory about the threat of ransomware attacks from a gang that calls itself “Cuba.” The group, which researchers believe is, in fact, based in Russia, has been on a rampage over the past year targeting an increasing number of businesses and other institutions in the US and abroad. New research released today indicates that Cuba has been using pieces of malware in its attacks that were certified, or given a seal of approval, by Microsoft.


About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.