{
	"id": "74a8e054-9d34-42ea-9cdd-1fab9ee93f8f",
	"created_at": "2026-04-06T00:13:09.827155Z",
	"updated_at": "2026-04-10T13:11:21.574076Z",
	"deleted_at": null,
	"sha1_hash": "4f701b65c4b24f6b370d837868cb0a93320886b3",
	"title": "Cuba Ransomware Analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 993381,
	"plain_text": "Cuba Ransomware Analysis\r\nPublished: 2021-12-14 · Archived: 2026-04-05 21:37:52 UTC\r\nDue to the recent warning published by the FBI about Cuba ransomware (the original FBI warning is no longer available online, for unknown reasons), we at Lab52 decided to publish some information about this ransomware family. Although the ransomware has been named Cuba, there is no clear evidence linking the country to the implementation or perpetration of this type of attack.\r\nNonetheless, the geopolitical analysis has revealed a few details of strategic interest. Firstly, most of the countries attacked, according to a McAfee report, are located in Latin America, North America and Europe. Of these, the most targeted were Spain, Colombia and Germany. However, when looking at the possible link between the countries attacked and the sectors compromised, it has not been possible to identify a clear interest behind the attacks: although Colombia is a US ally in Latin America and a NATO observer state, and Spain is a member of the European Union and NATO with a good geostrategic position, none of them stand out among the critical sectors that have been attacked.\r\nSecondly, it has also been observed that the profile of the countries attacked is common to APT groups that share certain ideological lines, which may be contrary to those of the countries that have been targeted. However, this has not yet allowed us to identify a link between this ransomware and any specific country or APT group.\r\nFor this post, we have analyzed a recent public sample, which has a compiler timestamp dated August 23rd, 2021:\r\n936119bc1811aeef01299a0150141787865a0dbe2667288f018ad24db5a7bc27\r\nIn this sample, we have observed some changes from the version described by McAfee in April 2021, which is the only previously published analysis of this ransomware family.\r\nFirstly, the process retrieves the Input Locale identifiers (formerly called Keyboard Layout Handles) corresponding to the current set of input languages in the infected system. If it finds the Russian language identifier (0x19) in the obtained list, the process terminates. Otherwise, it starts its main activity.\r\nhttps://lab52.io/blog/cuba-ransomware-analysis/\r\nPage 1 of 10\r\n[Figure: Main function of the Cuba Ransomware sample]\r\nSince the program accepts one argument, the main activity starts by parsing the given argument, looking for either “network”, an IP address, “local” or a specific path to encrypt. Thus, the usage of this sample by an operator would be as follows:\r\ncuba.exe [ network | [IP_addr] | local | [specific_path] ]\r\n[Figure: Principal function of Cuba Ransomware]\r\n[Figure: Flow diagram of the Cuba Ransomware sample]\r\nAccording to this, we can distinguish between two network modes and two local modes. The network mode triggered by the “network” argument calls the Windows API GetIPNetTable in order to obtain the ARP table, and then calls NetShareEnum using each IP as the serverName parameter of this second API call. If an IP address is specified, it just enumerates the shares of that specific address.\r\n[Figure: Pseudocode of the “network” argument function calls]\r\nThe default (no argument given) or “local” argument mode enumerates the volumes in the system by their Device IDs. If a path is specified as the argument, the ransomware only encrypts that path.\r\n[Figure: Pseudocode of the default “local” mode]\r\nDepending on the case there will be between 2 and 4 threads encrypting the information. They are created by the same function, which is given a different target depending on the initial argument.\r\nBefore starting the encryption there are two different cases in which the binary first terminates some hardcoded processes and services. As shown in the flow diagram, this happens only if no argument or “local” is given, or if the specified IP address is 127.0.0.1.\r\n[Figure: Elevation of privileges prior to termination of processes]\r\n[Figure: Hardcoded service and process names to terminate, along with the function calls to do so]\r\nJust like the previous versions, this sample uses SeDebugPrivilege in order to obtain the rights needed to terminate processes and services. In this sample only one new process was added to the termination list: the Store Worker Process (Microsoft.Exchange.Store.Worker.exe), responsible for executing RPC operations for mailboxes on a database.\r\nUnlike the majority of ransomware families, two instances of the same process can be executed at the same time, which could cause them to interfere with each other. However, to avoid double encryption, the ransomware still adds a 240-byte header to the encrypted file, containing nothing but the string “FIDEL.CA” and four extra values in the words that follow. Before encrypting a file, the presence of this “file signature” is checked.\r\n[Figure: Encrypted file header]\r\n[Figure: Encryption header check]\r\nIn the version analyzed by McAfee, they found that their sample could take a different list of arguments such as /min, /max, /dm, /net, or /scan. However, the sample we analyzed only accepts one of the arguments described above. This means that in this version there is no way for the ransomware operator to specify a maximum or minimum file size to encrypt. For large files, however, only the first MB of every 9 MB is encrypted.\r\n[Figure: End of first megabyte of an encrypted file]\r\n[Figure: Beginning of 9th megabyte of an encrypted file]\r\nMost likely in order to avoid system failures, the ransomware does not encrypt files with the extensions .exe, .dll, .sys, .ini, .lnk and .cuba, and it ignores paths containing “\\windows\\”.\r\n[Figure: Cipher function checking files and paths to skip, with snippets of the called functions]\r\nOnce the threads have finished the encryption task, the function to delete itself from disk is called independently of the argument provided, unlike the McAfee sample, where they stated that this function would only be called when the “/dm” argument was given. For this, the sample calls the Windows API CreateProcessW with “\\\\system32\\\\cmd.exe” as the ApplicationName and “ /c \\del [exe_path] \u003e\u003e NULL ” as the command line arguments.\r\nThe complete list of stopped services and terminated processes is shown below:\r\nStopped services: MySQL, MySQL80, SQLSERVERAGENT, MSSQLSERVER, SQLWriter, SQLTELEMETRY, MSDTC, SQLBrowser, vmcompute, vmms, MSExchangeUMCR, MSExchangeUM, MSExchangeTransportLogSearch, MSExchangeTransport, MSExchangeThrottling, MSExchangeSubmission, MSExchangeServiceHost, MSExchangeRPC, MSExchangeRepl, MSExchangePOP3BE, MSExchangePop3, MSExchangeNotificationsBroker, MSExchangeMailboxReplication, MSExchangeMailboxAssistants, MSExchangeIS, MSExchangeIMAP4BE, MSExchangeImap4, MSExchangeHMRecovery, MSExchangeHM, MSExchangeFrontEndTransport, MSExchangeFastSearch, MSExchangeEdgeSync, MSExchangeDiagnostics, MSExchangeDelivery, MSExchangeDagMgmt, MSExchangeCompliance, MSExchangeAntispamUpdate\r\nTerminated processes: sqlagent.exe, sqlservr.exe, sqlwriter.exe, sqlceip.exe, msdtc.exe, sqlbrowser.exe, vmwp.exe, outlook.exe, vmsp.exe, Microsoft.Exchange.Store.Worker.exe\r\nSource: https://lab52.io/blog/cuba-ransomware-analysis/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://lab52.io/blog/cuba-ransomware-analysis/"
	],
	"report_names": [
		"cuba-ransomware-analysis"
	],
	"threat_actors": [],
	"ts_created_at": 1775434389,
	"ts_updated_at": 1775826681,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4f701b65c4b24f6b370d837868cb0a93320886b3.pdf",
		"text": "https://archive.orkl.eu/4f701b65c4b24f6b370d837868cb0a93320886b3.txt",
		"img": "https://archive.orkl.eu/4f701b65c4b24f6b370d837868cb0a93320886b3.jpg"
	}
}