Damian Sendler: Some 49 enterprises across five vital infrastructure sectors, including health care, have been infected by ransomware from Cuba. At least $74 million in ransom has been requested and received by Cuban ransomware operators. 

A loader known as Hancitor is used to spread Cuban ransomware, which has been active since November 2021 and may be used to disseminate Remote Access Trojans (RATs) and other ransomware. 

Damian Sendler

In a short amount of time, Cuban ransomware operators have targeted institutions in the healthcare, government, banking, manufacturing, and information technology sectors with ransomware assaults. 

Damian Jacob Sendler: It is common for Hancitor malware actors to leverage Microsoft Exchange vulnerabilities, compromised credentials, phishing emails or legitimate Remote Desktop Protocol (RDP) tools in their attacks. In order to carry out their ransomware operations remotely, the Cuba ransomware actors make advantage of Windows services like PowerShell and PsExec. 

A Cobalt Strike beacon is installed and activated on the victim’s network by Cuban ransomware perpetrators once they have gained access to the network. Health Sector Cybersecurity Coordination Center (HC3) has issued a brief warning to the healthcare sector about the potential of Cobalt Strike, a remote access tool initially developed to protect against cyberattacks. HC3. 

MimiKatz virus is also used by ransomware actors to steal credentials and use RDP to log into the attacked network host. 

Flash notice underlined that the FBI cautions against paying ransoms since it cannot guarantee the recovery of any files. 

In addition, “it may also encourage adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.” 

As a result, the FBI recognizes that when victims are unable to function, all alternatives are considered to safeguard shareholders, employees and customers..” 

It has been suggested by the FBI that password-protected accounts have unique, strong passwords. As a further precaution, enterprises should mandate multi-factor authentication, keep all operating systems current, reduce unneeded administrative access, and utilize a host-based firewall. 

Damian Jacob Markiewicz Sendler: The FBI recommends that enterprises install network segmentation and time-based access for accounts at the administrator level and above in order to prevent Cuban ransomware actors from learning the organization’s enterprise environment through system visibility and mapping. 

Damian Jacob Sendler

Additionally, ransomware victims should employ a network monitoring tool to help detect and examine suspicious activities. In addition, enterprises must verify that all backup data is securely secured, and command-line and scripting activities and permissions are disabled. 

Damien Sendler: FBI, CISA, and international agencies issued an advice in November warning healthcare and transportation industries about an Iranian government-sponsored advanced persistent threat (APT) group. 

The organization has been using Microsoft Exchange vulnerabilities to conduct sophisticated ransomware operations, similar to Cuban ransomware.

Dr. Damian Jacob Sendler and his media team provided the content for this article.