Today, the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI published a joint Cybersecurity Advisory (CSA) #StopRansomware: Cuba Ransomware to provide network defenders tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with Cuba ransomware threat actors.

Since the December 2021 release of FBI Flash: Indicators of Compromise Associated with Cuba Ransomware, the FBI has observed Cuba ransomware actors continuing to target U.S. entities in multiple critical infrastructure sectors. In fact, since last December, the number of U.S. organizations compromised by Cuba ransomware has doubled, with ransoms demanded and paid on the increase. Additionally, Cuba threat actors employ several techniques to gain initial access, including exploiting known vulnerabilities, phishing campaigns, using compromised credentials, and employing legitimate remote desktop protocol (RDP) tools.

CISA and the FBI encourage network defenders to review the CSA and apply the included mitigations. See StopRansomware.gov for additional guidance on ransomware protection, detection, and response. To report suspicious or criminal activity related to information found in advisory, contact your local FBI field office, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937, or by e-mail at CyWatch@fbi.gov. If you have any further questions, or to request incident response resources or technical assistance related to these threats, contact CISA at CISAServiceDesk@cisa.dhs.gov. Access the full advisory at CISA.