[CDP-development] CISA and FBI Release Cybersecurity Advisory on Cuba Ransomware - #StopRansomware
Masse, Theresa
theresa.masse at cisa.dhs.gov
Thu Dec 1 10:32:15 PST 2022
FYSA
The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory<https://www.cisa.gov/uscert/ncas/alerts/aa22-335a> (CSA) with technical details associated with Cuba ransomware variants identified through FBI investigations as recently as August 2022. This CSA updates the December 2021 FBI Flash: Indicators of Compromise Associated with Cuba Ransomware<https://www.ic3.gov/Media/News/2021/211203-2.pdf>.
To gain initial access and compromise entities, Cuba actors have historically exploited known vulnerabilities in commercial software, used phishing campaigns, leveraged compromised credentials, and used legitimate remote desktop protocol (RDP) tools. Cuba ransomware actors continue to target United States entities in the Financial Services, Government Facilities, Healthcare and Public Health, Critical Manufacturing, and Information Technology sectors, as well as several entities outside of the U.S.
The impact on U.S. entities compromised by Cuba ransomware has doubled since the activity was reported in December 2021. In addition to deploying ransomware, Cuba actors have used "double extortion" techniques, in which they exfiltrate victim data, demand a ransom, and release the data if a ransom payment is not made.
Additionally, since spring 2022, third-party and open-source reporting has identified a possible link between Cuba ransomware actors, Industrial Spy ransomware actors, and RomCom remote access Trojan (RAT) actors. RomCom actors using a custom RAT have targeted foreign military organizations, information technology companies, and food brokers and manufacturers.
Actions organizations can take today to mitigate cyber threats from ransomware include prioritizing remediation of known exploited vulnerabilities (KEVs), training users to recognize and report phishing attempts, and enabling and enforcing phishing-resistant multifactor authentication (MFA).
CISA and FBI do not encourage paying ransom as payment does not guarantee victim files will be recovered and may also embolden adversaries to conduct more malicious activity. Organizations are urged to review the advisory and apply the recommended detections and mitigations. Regardless of whether payment is made or not, victims of ransomware should report the incident to their local FBI field office or CISA.
This joint CSA is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors.
Theresa A. Masse
Cybersecurity State Coordinator/Advisor, Region 10 (Oregon)
Cybersecurity and Infrastructure Security Agency
Department of Homeland Security
Phone: (503) 930-5671
Email: theresa.masse at cisa.dhs.gov<mailto:theresa.masse at cisa.dhs.gov>
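The first mitigation the message lists, prioritizing remediation of known exploited vulnerabilities, is easiest to act on when a software inventory is matched against the CISA KEV catalog and the results are ordered by the catalog's own ransomware flag and remediation due date. The script below is an added example, not part of the advisory or of this mailing-list post. It follows the field names of the public KEV JSON feed (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse, requiredAction), but the catalog entries, CVE ids and host inventory it contains are constructed placeholders, not real vulnerabilities or real systems.

```python
"""Triage a software inventory against a CISA KEV catalog export.

Added example, not code from the advisory or the mailing-list post.
Field names follow the public KEV JSON feed; the entries, CVE ids and
inventory below are CONSTRUCTED placeholders for offline use.
"""
import json
from datetime import date

# Constructed sample in the shape of the KEV feed (placeholder CVE ids).
SAMPLE_KEV_JSON = json.dumps({
    "title": "Constructed KEV sample",
    "vulnerabilities": [
        {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor", "product": "ExampleVPN",
         "dateAdded": "2022-10-01", "dueDate": "2022-10-22",
         "knownRansomwareCampaignUse": "Known",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-0000-00002", "vendorProject": "ExampleVendor", "product": "ExampleMail",
         "dateAdded": "2022-11-20", "dueDate": "2022-12-11",
         "knownRansomwareCampaignUse": "Unknown",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-0000-00003", "vendorProject": "OtherVendor", "product": "OtherDB",
         "dateAdded": "2022-09-05", "dueDate": "2022-09-26",
         "knownRansomwareCampaignUse": "Known",
         "requiredAction": "Apply updates per vendor instructions."},
    ],
})

# Constructed asset inventory: vendor/product as reported by the asset,
# plus the CVE ids already confirmed patched on that host.
SAMPLE_INVENTORY = [
    {"host": "vpn-gw-01", "vendor": "examplevendor", "product": "ExampleVPN", "patched_cves": set()},
    {"host": "mail-01", "vendor": "ExampleVendor", "product": "examplemail", "patched_cves": set()},
    {"host": "app-01", "vendor": "OtherVendor", "product": "OtherDB", "patched_cves": {"CVE-0000-00003"}},
    {"host": "fs-01", "vendor": "UnrelatedVendor", "product": "FileShare", "patched_cves": set()},
]


def load_kev(text):
    """Parse a KEV JSON export and return its vulnerability entries."""
    return json.loads(text)["vulnerabilities"]


def _key(vendor, product):
    # KEV carries no version data, so matching is on normalized vendor/product.
    return (vendor.strip().lower(), product.strip().lower())


def triage(kev_entries, inventory, today):
    """Return unpatched KEV hits for the inventory, highest priority first.

    Priority order: ransomware-linked entries, then entries past their
    KEV due date, then earliest due date.
    """
    index = {}
    for entry in kev_entries:
        index.setdefault(_key(entry["vendorProject"], entry["product"]), []).append(entry)

    findings = []
    for asset in inventory:
        for entry in index.get(_key(asset["vendor"], asset["product"]), []):
            if entry["cveID"] in asset.get("patched_cves", set()):
                continue  # already remediated on this host
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": asset["host"],
                "cveID": entry["cveID"],
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "ransomware_use": entry.get("knownRansomwareCampaignUse") == "Known",
                "due": due,
                "overdue": due < today,
                "required_action": entry["requiredAction"],
            })
    findings.sort(key=lambda f: (not f["ransomware_use"], not f["overdue"], f["due"]))
    return findings


def report(findings):
    """Render findings as one line per host/CVE pair."""
    lines = []
    for f in findings:
        tag = "RANSOMWARE" if f["ransomware_use"] else "kev"
        state = "OVERDUE" if f["overdue"] else f"due {f['due'].isoformat()}"
        lines.append(f'[{tag}] {f["host"]}: {f["cveID"]} ({f["product"]}) {state} - {f["required_action"]}')
    return "\n".join(lines)


if __name__ == "__main__":
    hits = triage(load_kev(SAMPLE_KEV_JSON), SAMPLE_INVENTORY, date(2022, 12, 1))
    print(report(hits))
```

Run against a real KEV export, replace SAMPLE_KEV_JSON with the downloaded feed text and SAMPLE_INVENTORY with output from your asset management system; because KEV lists no affected versions, treat a match as a prompt to confirm the installed version against the vendor bulletin rather than as proof of exposure.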