FBI warning: This ransomware gang has hit over 100 targets and made more than $60 million

A prolific ransomware gang has hit over 100 organizations around the world and claimed over $60 million in ransom payments, a security warning from CISA and the FBI has warned. 

The newly-released joint cybersecurity advisory warns there's been a sharp increase in both the number of organizations targeted by the Cuba ransomware group and the ransom amounts being demanded. 

According to the alert, Cuba ransomware attacks are targeting critical infrastructure, financial services, healthcare, information technology, government services and more. The alert notes that despite the name, the ransomware gang doesn't have any connection to the country of Cuba.

As of August 2022 – the most recent date for which information has been made available – the FBI warns that the ransomware attackers have compromised over 100 victims around the world and have demanded over $145 million in ransom payments, receiving $60 million in extortion demands. 

The group engages in double extortion attacks, not only encrypting data and demanding a ransom, but also making threats to release data stolen from the victim if a ransom – demanded in Bitcoin – isn't paid. 

CISA and the FBI's joint advisory follows a previous warning about Cuba ransomware in December 2021. The new alert has been issued because of the rise in number of attacks and because the cyber criminals have expanded their techniques to make attacks more difficult to detect and thus more effective. 

Also: Cybersecurity: These are the new things to worry about in 2023

These methods include exploiting a vulnerability in Windows Common Log File System (CLFS) driver (CVE-2022-24521) to steal system tokens and elevate privileges, along with using a PowerShell script to identify service accounts to gain greater access to high-level system controls. 

Cuba ransomware attacks have also been seen exploiting Zerologon, a vulnerability in Microsoft Windows authentication protocol Netlogon (CVE-2020-1472) to gain domain administrative privileges. Zerologon was discovered in September 2020 and was cited as an "unacceptable risk" at the time - but over two years on, attackers are still able to exploit it. 

As detailed in the previous alert, methods Cuba ransomware uses to gain initial access to victims include exploiting known vulnerabilities in commercial software, phishing campaigns, abusing stolen usernames and passwords and exploiting legitimate remote desktop protocol (RDP) applications. 

After gaining access, the cyber criminals deploy Hancitor, a malware payload which allows them to easily regain access to and carry out activities on compromised networks – and which is ultimately used to drop and execute the ransomware payload. 

The FBI and CISA make several recommendations to network defenders about cybersecurity mitigations which should be made in order to prevent attackers from being able to use common techniques to enter the network and deploy ransomware. 

Key among these recommendations is keeping all operating systems, software and firmware up to date with the latest security updates – particularly if it's known that cyber criminals are actively targeting vulnerabilities like CVE-2022-24521 and CVE-2020-1472. 

"Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats," said the security advisory. 

Also: We are still failing to learn the most important lesson in cybersecurity. That needs to change, fast

Other recommendations include requiring all accounts to be secured with a strong, unique password and to ensure that, if possible, all accounts – particularly those for cloud services – are secured with multi-factor authentication. This can do a lot to stop cyber criminals hacking accounts. 

It's also recommended that organizations have procedures in place to identify, detect, and investigate abnormal activity on the network, something which could be an indicator that the network has been breached and a ransomware attack could be on the way – and action should be taken to prevent it. 

Organizations should also have a recovery plan in place, ensuring that multiple copies of key systems and servers are in place, kept up to date and stored offline, so if the worst happens and a ransomware attack is successful, the network can be restored without paying a ransom. 

This is because there's no guarantee that paying a ransom will restore the network – and giving into extortion demands will only further embolden cyber criminals, who could return with further attacks and further ransom demands. 

"FBI and CISA do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities," said the alert – which also urges victims of ransomware attacks to report incidents. 

MORE ON CYBERSECURITY

• Ransomware: Not enough victims are reporting attacks, and that's a problem for everyone
• The ransomware problem won't get better until we change one thing
• The real cost of ransomware is even bigger than we realised
• Police tricked a ransomware gang into handing over its decryption keys. Here's how they did it
• This company didn't spot the flaw in their network. But three ransomware gangs did