FBI FLASH: Indicators of Compromise Associated with Cuba Ransomware

The FBI has published a TLP:WHITE FLASH providing indicators of compromise associated with Cuba ransomware. The FLASH indicates that Cuba ransomware threat actors, since early November 2021, have compromised more than 49 entities in five critical infrastructure sectors, including but not limited to the financial, government, healthcare, manufacturing, and information technology. Cuba ransomware’s typical attack pattern begins with the distribution of the Hancitor malware. Then “Hancitor malware actors use phishing emails, Microsoft Exchange vulnerabilities, compromised credentials, or legitimate Remote Desktop Protocol (RDP) tools to gain initial access to a victim’s network,” according to the FBI. After that, Cuba ransomware actors use legitimate Windows services and then leverage Windows Admin privileges to execute their ransomware remotely. The FLASH includes further technical details regarding this activity and lists recommended mitigations. It also encourages partners to report suspicious or criminal activity to their local FBI field office or the FBI’s 24/7 CyberWatch (CyWatch) at (855)292-3937 or Cy*****@*bi.gov.