
Cuba ransomware

The FBI has observed Cuba ransomware actors continuing to target U.S. entities in the following five critical infrastructure sectors: Financial Services, Government Facilities, Healthcare and Public Health, Critical Manufacturing, and Information Technology. As of August 2022, the FBI has identified that Cuba ransomware actors have:

  • Compromised 101 entities, 65 in the United States and 36 outside the United States.
  • Demanded 145 million U.S. Dollars (USD) and received 60 million USD in ransom payments.

Cuba ransomware actors have exploited known vulnerabilities and weaknesses and have used tools to elevate privileges on compromised systems. According to Palo Alto Networks Unit 42, Cuba ransomware actors have:

  • Exploited CVE-2022-24521 in the Windows Common Log File System (CLFS) driver to steal system tokens and elevate privileges.
  • Used a PowerShell script to identify and target service accounts for their associated Active Directory Kerberos tickets. The actors then collected and cracked the Kerberos tickets offline via Kerberoasting [T1558.003].
  • Used a tool, called KerberCache, to extract cached Kerberos tickets from a host’s Local Security Authority Subsystem Service (LSASS) memory [T1003.001].
  • Used a tool to exploit CVE-2020-1472 (also known as “ZeroLogon”) to gain Domain Administrator privileges [T1068]. This tool and its intrusion attempts have been reportedly related to Hancitor and Qbot.
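The Kerberoasting step above leaves a recognisable trace in Windows Security event 4769 (Kerberos service ticket requested): one account requesting RC4-HMAC (0x17) tickets for many distinct service accounts in a short window. The following detection heuristic is an added example, not part of the advisory or the blog post; the event records are constructed and reduced to the fields the check needs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of event 4769 records (not real logs): "account" is the
# requesting user, "service" the SPN owner, "etype" the TicketEncryptionType.
SAMPLE_4769 = [
    {"time": "2022-08-20T10:00:01", "account": "jsmith", "service": "svc_sql",    "etype": "0x17"},
    {"time": "2022-08-20T10:00:02", "account": "jsmith", "service": "svc_web",    "etype": "0x17"},
    {"time": "2022-08-20T10:00:02", "account": "jsmith", "service": "svc_backup", "etype": "0x17"},
    {"time": "2022-08-20T10:00:04", "account": "jsmith", "service": "svc_sql",    "etype": "0x17"},
    {"time": "2022-08-20T10:00:05", "account": "jsmith", "service": "WS01$",      "etype": "0x17"},
    {"time": "2022-08-20T10:01:00", "account": "alice",  "service": "svc_sql",    "etype": "0x12"},
    {"time": "2022-08-20T10:02:00", "account": "alice",  "service": "svc_web",    "etype": "0x12"},
    {"time": "2022-08-20T10:02:30", "account": "alice",  "service": "svc_backup", "etype": "0x12"},
    {"time": "2022-08-20T09:00:00", "account": "bob",    "service": "svc_sql",    "etype": "0x17"},
    {"time": "2022-08-20T11:00:00", "account": "bob",    "service": "svc_web",    "etype": "0x17"},
    {"time": "2022-08-20T13:00:00", "account": "bob",    "service": "svc_backup", "etype": "0x17"},
]

RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4-HMAC in event 4769


def is_candidate(ev):
    """RC4 ticket for a non-machine, non-krbtgt service: the offline-crackable kind."""
    svc = ev["service"]
    return ev["etype"].lower() == RC4_HMAC and not svc.endswith("$") and svc.lower() != "krbtgt"


def detect_kerberoasting(events, min_services=3, window=timedelta(minutes=5)):
    """Flag accounts that requested RC4 service tickets for at least
    min_services distinct services inside any sliding time window.
    Returns {account: sorted services seen in the first flagged window}."""
    per_account = defaultdict(list)
    for ev in events:
        if is_candidate(ev):
            per_account[ev["account"]].append((datetime.fromisoformat(ev["time"]), ev["service"]))
    flagged = {}
    for account, reqs in per_account.items():
        reqs.sort()  # chronological; ties broken by service name
        for i, (start, _) in enumerate(reqs):
            in_window = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(in_window) >= min_services:
                flagged[account] = sorted(in_window)
                break
    return flagged


if __name__ == "__main__":
    for account, services in detect_kerberoasting(SAMPLE_4769).items():
        print(f"possible Kerberoasting by {account}: {', '.join(services)}")
```

Only jsmith is flagged: alice's requests use AES (0x12) and bob's RC4 requests are hours apart, so neither matches the burst pattern.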

IP Addresses Associated with Cuba Ransomware, as of Late August 2022
Note: Some of these observed IP addresses are more than a year old. The FBI and CISA recommend vetting or investigating these IP addresses prior to taking forward-looking action such as blocking.


Cuba Bitcoin Wallets Receiving Payments, as of Late August 2022


Trusted Third-Party Cuba Ransomware IOCs

IP Address        Last Seen    Description
31.184.194[.]42   14.09.2022   Backup storage
31.184.199[.]82   14.09.2022   Test-bed
104.217.8[.]100   14.09.2022   SystemBC Server
46.17.106[.]230   14.09.2022   RAT Server
62.210.54[.]235   07.2022      Proxy Server

Luke Simmonds

Blogger at www.systemtek.co.uk
