# Sensitivity: Internal Restricted

Threat Name
Cuba Ransomware

Description of Threat
[Operational]
Cuba ransomware encrypts files on a system using cryptographic algorithms. This ransomware not only encrypts the files but also steals information from the system and threatens the user in order to extort a ransom payment.
Most ransomware campaigns spread via exploit kits and malspam campaigns run through various botnets. However, ransomware is also suspected of being distributed through highly targeted attacks such as brute forcing of RDP connections on unprotected systems in an organization's network. Once the attackers have access to the organization's network, ransomware may be deployed to business-critical systems to cause maximum disruption of services and in turn demand a considerable ransom. Cuba ransomware is spread by spam email campaigns.
Ransom-Cuba uses RSA-2048 encryption to encrypt the files. The file extension added to encrypted files is .cuba. The ransomware enumerates directories and files to encrypt. Once all the files in a folder are encrypted, a ransom note is dropped on the system with the instructions to pay the ransom in order to obtain the decryption key/tool. This ransomware drops a ransom note named "!!FAQ for Decryption!!.txt" in every encrypted folder. The image below shows the contents of the ransom note.

ATT&CK IDs:
T1190 - Exploit Public-Facing Applications
T1059.001 - PowerShell Script
T1566.001 - Spear Phishing Attachments
T1222 - File and Directory Permissions Modification

Recommended Actions
1. Update the anti-virus software and ensure the antivirus vendor has coverage that provides detection and remediation for this kind of malware campaign.
2. Ensure a watch list is created to search for existing signs of the indicated IOCs in your environment and email systems.
3. Block all URL- and IP-based IOCs at the firewall, IDS/IPS, web gateways, routers or other perimeter devices.
4. Keep all systems (irrespective of criticality) updated with the latest patches.

References
https://kc.mcafee.com/resources/sites/MCAFEE/content/live/CORP_KNOWLEDGEBASE/94000/KB94085/en_US/McAfee_

Indicators (File Hash MD5)
577d6fa8fc52dd0e14860da7b85f9273
f11c4aa825dcb2c4c02c5cdc03c5e9bf
434ba47f7e98ee2dc0c237aca5f54f1a
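A defender-side check for the behaviour and indicators described above (the .cuba extension, the "!!FAQ for Decryption!!.txt" ransom note and the three listed MD5 hashes), as an added Python example that is not part of this advisory or of any vendor tool. The scan_tree function and the constructed sample directory it is run against are assumptions for illustration; point scan_tree at a real file share or backup mount to use it as a watch-list sweep.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# MD5 indicators exactly as listed in this advisory
IOC_MD5 = {
    "577d6fa8fc52dd0e14860da7b85f9273",
    "f11c4aa825dcb2c4c02c5cdc03c5e9bf",
    "434ba47f7e98ee2dc0c237aca5f54f1a",
}
ENCRYPTED_EXT = ".cuba"                      # extension appended to encrypted files
RANSOM_NOTE = "!!FAQ for Decryption!!.txt"   # note dropped in every encrypted folder


def md5_of(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large files need not fit in memory."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root) -> list:
    """Return sorted (indicator_type, path) pairs for every match under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if name == RANSOM_NOTE:                 # behavioural: ransom note present
                findings.append(("ransom_note", str(p)))
            elif p.suffix.lower() == ENCRYPTED_EXT: # behavioural: encrypted output
                findings.append(("encrypted_file", str(p)))
            elif md5_of(p) in IOC_MD5:              # hash IOC: dropped sample itself
                findings.append(("ioc_hash", str(p)))
    return sorted(findings)


def build_sample_tree() -> str:
    """Constructed sample data (assumption): two 'encrypted' files, one note, one clean file."""
    root = tempfile.mkdtemp(prefix="cuba_scan_")
    docs = Path(root) / "docs"
    docs.mkdir()
    (docs / "report.docx.cuba").write_bytes(b"\x00" * 64)
    (docs / RANSOM_NOTE).write_text("constructed placeholder note, not the real text\n")
    (Path(root) / "budget.xlsx.cuba").write_bytes(b"\x01" * 32)
    (Path(root) / "readme.txt").write_text("unaffected file\n")
    return root


if __name__ == "__main__":
    for kind, path in scan_tree(build_sample_tree()):
        print(f"{kind:15} {path}")
```

The hash branch cannot fire on constructed data, since no sample file carries one of the listed MD5 values; on a real host it flags the dropped binary itself.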
