{
	"id": "9744ecbb-d00b-4d06-8bf4-5554067b93aa",
	"created_at": "2026-04-06T00:09:36.718014Z",
	"updated_at": "2026-04-10T13:11:39.810795Z",
	"deleted_at": null,
	"sha1_hash": "56b1bd2a88c747419e309e5194cf9dcee1325b19",
	"title": "From Caribbean shores to your devices: analyzing Cuba ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 8578182,
	"plain_text": "From Caribbean shores to your devices: analyzing Cuba\r\nransomware\r\nBy Alexander Kirichenko\r\nPublished: 2023-09-11 · Archived: 2026-04-05 16:45:02 UTC\r\nIntroduction\r\nKnowledge is our best weapon in the fight against cybercrime. An understanding of how various gangs operate\r\nand what tools they use helps build competent defenses and investigate incidents. This report takes a close look at\r\nthe history of the Cuba group, and their attack tactics, techniques and procedures. We hope this article will help\r\nyou to stay one step ahead of threats like this one.\r\nCuba ransomware gang\r\nCuba data leak site\r\nThe group’s offensives first got on our radar in late 2020. Back then, the cybercriminals had not yet adopted the\r\nmoniker “Cuba”; they were known as “Tropical Scorpius”.\r\nCuba mostly targets organizations in the United States, Canada and Europe. The gang has scored a series of\r\nresonant attacks on oil companies, financial services, government agencies and healthcare providers.\r\nhttps://securelist.com/cuba-ransomware/110533/\r\nPage 1 of 26\n\nAs with most cyberextortionists lately, the Cuba gang encrypts victims’ files and demands a ransom in exchange\r\nfor a decryption key. The gang infamously uses complex tactics and techniques to penetrate victim networks, such\r\nas exploitation of software vulnerabilities and social engineering. They have been known to use compromised\r\nremote desktop (RDP) connections for initial access.\r\nThe Cuba gang’s exact origins and the identities of its members are unknown, although some researchers believe\r\nit might be a successor to another ill-famed extortion gang, Babuk. The Cuba group, like many others of its kind,\r\nis a ransomware-as-a-service (RaaS) outfit, letting its partners use the ransomware and associated infrastructure in\r\nexchange for a share of any ransom they collect.\r\nThe group has changed names several times since its inception. 
We are currently aware of the following aliases it\r\nhas used:\r\nColdDraw\r\nTropical Scorpius\r\nFidel\r\nCuba\r\nThis past February, we came across another name for the gang, “V Is Vendetta”, which departs from the\r\nhackers’ favorite Cuban theme. This might have been a moniker used by a sub-group or affiliate.\r\nThere is an obvious connection with the Cuba gang: the newly discovered group’s website is hosted under the Cuba\r\ngang’s .onion domain:\r\nhttp[:]//test[.]cuba4ikm4jakjgmkezytyawtdgr2xymvy6nvzgw5cglswg3si76icnqd[.]onion/\r\nWebsite of V IS VENDETTA\r\nCuba remains active as of this writing, and we keep hearing about new extortion victims.\r\nVictimology\r\nIn this section, we used data consensually provided by our users and information about victims from open sources,\r\nsuch as other security vendors’ reports and the data leak site of the ransomware gang itself.\r\nThe group has attacked numerous companies around the world. Industry affiliation does not seem to be a factor:\r\nvictims have included retailers, financial and logistics services, government agencies, manufacturers, and others.\r\nIn terms of geography, most of the attacked companies have been located in the United States, but there have been\r\nvictims in Canada, Europe, Asia and Australia.\r\nGeographic distribution of Cuba victims\r\nRansomware\r\nThe Cuba ransomware is a single executable without additional libraries. Samples often carry a forged compilation\r\ntimestamp: those found in 2020 were stamped June 4, 2020, and more recent ones, June 19, 1992.\r\nCuba extortion model\r\nExtortion models\r\nFour extortion models are in use today, distinguished by the tools used to pressure the victim.\r\nSingle extortion: encrypting data and demanding a ransom just for decryption.\r\nDouble extortion: besides encrypting, attackers steal sensitive information. 
They threaten to both withhold\r\nthe decryption key and publish the stolen information online unless the victim pays up. This is the most\r\npopular model among ransomware gangs today.\r\nTriple extortion: adding a threat to hit the victim’s internet-facing infrastructure with DDoS attacks. The model\r\nbecame widespread after the LockBit gang itself got DDoS’ed, possibly by a victim. After being targeted, the\r\nhackers realized that DDoS was an effective pressure tool, something they stated openly, setting an\r\nexample for others. To be fair, isolated cases of triple extortion predate the LockBit case.\r\nThe fourth model is the least common one, as it implies maximum pressure and is thus more costly. It adds\r\nspreading news of the breach among the victim’s investors, shareholders and customers. DDoS attacks in\r\nthat case are not necessary. This model is exemplified by the recent hack of Bluefield University in\r\nVirginia, where the AvosLocker ransomware gang hijacked the school’s emergency broadcast system to\r\nsend students and staff SMS texts and email alerts that their personal data had been stolen. The hackers\r\nurged recipients not to trust the school’s management, who they said were concealing the true scale of the breach, and\r\nto make the situation public knowledge as soon as possible.\r\nThe Cuba group uses the classic double extortion model, encrypting data with the XSalsa20 symmetric\r\nalgorithm and the symmetric key with the RSA-2048 asymmetric algorithm. 
This is known as hybrid encryption: files are\r\nencrypted with a fast symmetric cipher, and only the per-victim symmetric key is wrapped with the attackers’ RSA public key,\r\nso that without the matching private key the data cannot be recovered.\r\nCuba ransomware samples avoid encrypting files with the following name extensions: .exe, .dll, .sys, .ini, .lnk,\r\n.vbm and .cuba, and the following folders:\r\n\\windows\\\r\n\\program files\\microsoft office\\\r\n\\program files (x86)\\microsoft office\\\r\n\\program files\\avs\\\r\n\\program files (x86)\\avs\\\r\n\\$recycle.bin\\\r\n\\boot\\\r\n\\recovery\\\r\n\\system volume information\\\r\n\\msocache\\\r\n\\users\\all users\\\r\n\\users\\default user\\\r\n\\users\\default\\\r\n\\temp\\\r\n\\inetcache\\\r\n\\google\\\r\nThe ransomware saves time by searching for, and encrypting, Microsoft Office documents, images, archives and\r\nother files referenced in the %AppData%\\Microsoft\\Windows\\Recent\\ directory, rather than every file on the device. It also\r\nterminates all SQL services so that database files are unlocked and can be encrypted. It looks for data both locally and inside network\r\nshares.\r\nList of services that the Cuba ransomware terminates\r\nBesides encrypting, the group steals sensitive data that it discovers inside the victim’s organization. The type of\r\ndata that the hackers are after depends on the industry that the target company is active in, but in most cases, they\r\nexfiltrate the following:\r\nFinancial documents\r\nBank statements\r\nCompany account details\r\nSource code, if the company is a software developer\r\nArsenal\r\nThe group employs both well-known, “classic” credential access tools, such as Mimikatz, and self-written\r\napplications. 
It exploits vulnerabilities in software used by the victim companies: mostly known issues, such as\r\nthe combination of ProxyShell and ProxyLogon for attacking Exchange servers, and security holes in the Veeam\r\ndata backup and recovery service.\r\nMalware\r\nBughatch\r\nBurntcigar\r\nCobeacon\r\nHancitor (Chanitor)\r\nTermite\r\nSystemBC\r\nVeeamp\r\nWedgecut\r\nRomCOM RAT\r\nTools\r\nMimikatz\r\nPowerShell\r\nPsExec\r\nRemote Desktop Protocol\r\nVulnerabilities\r\nProxyShell:\r\nCVE-2021-31207\r\nCVE-2021-34473\r\nCVE-2021-34523\r\nProxyLogon:\r\nCVE-2021-26855\r\nCVE-2021-26857\r\nCVE-2021-26858\r\nCVE-2021-27065\r\nVeeam vulnerabilities:\r\nCVE-2022-26501\r\nCVE-2022-26504\r\nCVE-2022-26500\r\nZeroLogon:\r\nCVE-2020-1472\r\nMapping of the attack arsenal to MITRE ATT\u0026CK® tactics\r\nProfits\r\nThe incoming and outgoing payments in the bitcoin wallets whose identifiers the hackers provide in their ransom\r\nnotes exceed a total of 3,600 BTC, or more than $103,000,000 converted at the rate of $28,624 for 1 BTC. The\r\ngang owns numerous wallets, constantly transferring funds between these, and uses bitcoin mixers: services that\r\nsend bitcoins through a series of anonymous transactions to make the origin of the funds harder to trace.\r\nPart of the transaction tree in the BTC network\r\nHost: SRV_STORAGE\r\nOn December 19, we spotted suspicious activity on a customer host, which we will refer to as “SRV_STORAGE”\r\nin this report. 
Telemetry data showed three suspicious new files:\r\nSuspicious events in the telemetry data as discovered by the Kaspersky SOC\r\nAn analysis of kk65.bat suggested that it served as a stager that initiated all further activity: it started rundll32\r\nand loaded komar65.dll into it, calling the library’s exported entry point DLLGetClassObjectGuid.\r\nContents of the .bat file that we found\r\nLet us take a look inside the suspicious DLL.\r\nBughatch\r\nThe komar65.dll library is also known as “Bughatch”, a name it was given in a report by Mandiant.\r\nThe first thing that caught our attention was the path to the PDB file. There’s a folder named “mosquito” in it,\r\nwhich is “komar” in Russian. That word forms part of the DLL name, suggesting the gang may include\r\nRussian speakers.\r\nPath to the komar65.dll PDB file\r\nThe DLL code presents Mozilla/4.0 as the user agent when connecting to the following two addresses:\r\ncom, apparently used for checking external connectivity\r\nThe gang’s command-and-control center. The malware will try calling home if the initial connectivity check goes\r\nthrough.\r\nAnalysis of komar65.dll\r\nThis is the kind of activity we observed on the infected host. After Bughatch successfully established a connection\r\nwith the C2 server, it began collecting data on network resources.\r\nBughatch activity\r\nLooking into the C2 servers, we found that in addition to Bughatch, these servers also distributed modules that extend the\r\nmalware’s functionality. 
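The kk65.bat stager described above, rundll32 loading komar65.dll and calling its DLLGetClassObjectGuid export, leaves a recognisable shape in process-creation telemetry. The following Python rule is an added example, not code from the article or from Kaspersky’s tooling: it flags rundll32 launches whose DLL sits in a user-writable staging directory or whose parent is a batch file in such a directory. The events are constructed Sysmon-style records; the C:\Windows\Temp paths and the cmd.exe parent are assumptions (the report names the files and the export, but not the exact directory).

```python
# Added example (not from the article or Kaspersky tooling): flag rundll32 proxy
# execution of a DLL staged in a user-writable directory, the pattern kk65.bat ->
# rundll32 -> komar65.dll,DLLGetClassObjectGuid described above.
import re

# Directories a legitimately installed rundll32 target should almost never live in.
STAGING_DIRS = (
    '\\windows\\temp\\', '\\temp\\', '\\programdata\\',
    '\\users\\public\\', '\\appdata\\local\\', '\\appdata\\roaming\\',
)

# rundll32[.exe] <dll path, optionally quoted>,<ExportName>
RUNDLL_RE = re.compile(
    'rundll32(?:\\.exe)?\\s+\"?([^\",]+?)\"?\\s*,\\s*([A-Za-z0-9_@#]+)',
    re.IGNORECASE)


def parse_rundll32(cmdline):
    # Returns (dll_path, export) or None when the command is not a rundll32 call.
    m = RUNDLL_RE.search(cmdline)
    return (m.group(1).strip(), m.group(2)) if m else None


def in_staging_dir(path):
    p = path.lower()
    return any(d in p for d in STAGING_DIRS)


def check_event(ev):
    # ev: process-creation record with host, image, command_line,
    # parent_image and parent_command_line (Sysmon event 1 field names).
    if not ev['image'].lower().endswith('rundll32.exe'):
        return None
    parsed = parse_rundll32(ev['command_line'])
    if parsed is None:
        return None
    dll, export = parsed
    reasons = []
    if in_staging_dir(dll):
        reasons.append('DLL loaded from a staging directory: ' + dll)
    parent = ev.get('parent_command_line', '')
    if '.bat' in parent.lower() and in_staging_dir(parent):
        reasons.append('launched by a batch stager: ' + parent)
    if not reasons:
        return None
    return {'host': ev['host'], 'dll': dll, 'export': export, 'reasons': reasons}


def detect(events):
    # Run the rule over a batch of events; returns one alert per matching event.
    return [a for a in (check_event(e) for e in events) if a]


# Constructed sample telemetry. The Temp paths and the cmd.exe parent are
# assumptions; the file names and the export come from the report.
SAMPLE_EVENTS = [
    {'host': 'SRV_STORAGE', 'image': 'C:\\Windows\\System32\\rundll32.exe',
     'command_line': 'rundll32.exe C:\\Windows\\Temp\\komar65.dll,DLLGetClassObjectGuid',
     'parent_image': 'C:\\Windows\\System32\\cmd.exe',
     'parent_command_line': 'cmd.exe /c C:\\Windows\\Temp\\kk65.bat'},
    {'host': 'SRV_STORAGE', 'image': 'C:\\Windows\\System32\\rundll32.exe',
     'command_line': 'rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL',
     'parent_image': 'C:\\Windows\\explorer.exe',
     'parent_command_line': 'C:\\Windows\\Explorer.EXE'},          # benign
    {'host': 'SRV_MAIL', 'image': 'C:\\Windows\\System32\\rundll32.exe',
     'command_line': 'rundll32.exe \"C:\\ProgramData\\upd.dll\",Run',  # hypothetical
     'parent_image': 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
     'parent_command_line': 'powershell.exe -nop -w hidden'},
]

if __name__ == '__main__':
    for alert in detect(SAMPLE_EVENTS):
        print(alert['host'], alert['dll'], alert['export'], alert['reasons'])
```

The rule deliberately does not key on the export name: the report notes that later Bughatch samples changed file names and entry points, so the stable signal is where the DLL lives and what launched rundll32, not what it is called.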
One of those collects information from the infected system and sends it back to the server\r\nin the form of an HTTP POST request.\r\nFiles we found on the Cuba C2 servers\r\nBughatch is effectively a backdoor: it runs inside process memory, allocates a region with VirtualAlloc, places a\r\nshellcode block there and executes it with CreateThread and WaitForSingleObject, then connects to the C2 and awaits further instructions. In particular, the C2 may send a\r\ncommand to download further malware, such as Cobalt Strike Beacon, Metasploit, or further Bughatch modules.\r\nBughatch operating diagram\r\nSRV_Service host\r\nVeeamp\r\nAfter some time, we found a malicious process started on a neighboring host, which we dubbed “SRV_Service”:\r\nMalicious process starting\r\nVeeamp.exe is a custom-built credential dumper written in C#, which leverages security flaws in the Veeam backup and\r\nrecovery service to connect to the VeeamBackup SQL database and grab account credentials.\r\nAnalysis of Veeamp\r\nVeeamp exploits the following Veeam vulnerabilities: CVE-2022-26500, CVE-2022-26501 and CVE-2022-26504.\r\nThe first two allow an unauthenticated user to remotely execute arbitrary code, and the third lets authenticated domain\r\nusers do the same. After any of the three is exploited, the malware prints the following to the console:\r\nUser name\r\nEncrypted password\r\nDecrypted password\r\nUser description from the Credentials table of Veeam: group membership, permissions and so on\r\nThe malware is not exclusive to the Cuba gang. 
We spotted it also in attacks by other groups, such as Conti and\r\nYanluowang.\r\nActivity we saw on SRV_Service after Veeamp finished its job was similar to what we had observed on\r\nSRV_STORAGE with Bughatch:\r\nBughatch activity on SRV_Service\r\nAs was the case with SRV_STORAGE, the malware dropped three files into the temp folder, and then executed\r\nthese in the same order, connecting to the same addresses.\r\nAvast Anti-Rootkit driver\r\nAfter Bughatch successfully established a connection to its C2, we watched as the group used an increasingly\r\npopular technique: Bring Your Own Vulnerable Driver (BYOVD).\r\nExploiting a vulnerable driver\r\nThe malicious actors install a legitimately signed but vulnerable driver on the system and then use it to various ends, such as\r\nterminating processes or evading defenses by escalating to kernel-level privileges.\r\nAttackers are drawn to vulnerable drivers because drivers run in kernel mode, with the highest level of system access.\r\nBesides, a legitimate driver with a valid digital signature loads without objection from Driver Signature Enforcement and rarely raises flags with security products, helping the\r\nattackers stay undetected for longer.\r\nDuring the attack, the malware created three files in the temp folder:\r\naswarpot.sys: a legitimate anti-rootkit driver by Avast that has two vulnerabilities, CVE-2022-26522 and\r\nCVE-2022-26523, which allow a user with limited permissions to run code at kernel level.\r\nKK.exe: malware known as Burntcigar. 
The file we found was a new variant that used the flawed driver to\r\nterminate processes.\r\nav.bat batch script: a stager that registers the Avast driver as a kernel service, starts it and then executes Burntcigar.\r\nAnalysis of the BAT file and telemetry data suggests that av.bat uses the sc.exe utility to create a service named\r\n“aswSP_ArPot2”, specifying the path to the driver in the C:\\windows\\temp\\ directory and the service type as\r\nkernel service. The BAT file then starts the service with the same sc.exe utility and runs KK.exe, which\r\nopens a handle to the vulnerable driver.\r\nContents of the .bat file that we found\r\nBurntcigar\r\nThe first thing we noticed while looking into Burntcigar was the path to the PDB file, which contained a folder\r\ncuriously named “Musor” (Russian for “trash”), another indication that members of the Cuba gang may\r\nspeak Russian.\r\nPath to the KK.exe PDB file\r\nWe further discovered that the sample at hand was a new version of Burntcigar, undetected by security products\r\nat the time of the incident. The hackers had apparently updated the malware because, in the wake of previous attacks,\r\nmany vendors were able to easily detect the logic of the older versions.\r\nYou may have noticed that in the screenshot of our sample below, all data about the processes to be terminated is\r\nencrypted, whereas older versions openly contained the names of all processes that the attackers wanted stopped.\r\nComparison between the old and new version of Burntcigar\r\nThe malware searches for process names that suggest a relation to popular AV or EDR products and adds their\r\nprocess IDs to a list to terminate later.\r\nBurntcigar uses the DeviceIoControl function to talk to the vulnerable Avast driver, sending the I/O control code that\r\nselects the vulnerable handler. 
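The av.bat step described above (sc.exe creating the kernel service aswSP_ArPot2 for a driver in C:\windows\temp\, then starting it) is the point at which BYOVD is cheapest to catch: a kernel-mode driver being registered from a user-writable directory, or one whose file name belongs to a driver with a public kernel flaw. The following Python rule is an added example, not from the article, and handles both ways the event shows up, the sc.exe command line in process-creation telemetry and the service-install record in the System log. The events are constructed; the service name and driver path follow the report, the Dell driver file name dbutil_2_3.sys (CVE-2021-21551, the Lazarus case the report cites later) and the other entries are added here.

```python
# Added example (not from the article): flag kernel-mode service registrations
# that point at a driver outside the normal driver directories or at a driver with
# a publicly known kernel vulnerability, the av.bat -> sc.exe -> aswarpot.sys
# BYOVD step described above. Events are constructed, not real telemetry.
import re

# Signed drivers with public kernel-level flaws: aswarpot.sys (CVE-2022-26522 and
# CVE-2022-26523, from the report) and Dell's dbutil_2_3.sys (CVE-2021-21551, the
# Lazarus case the report mentions later; the file name is added here). Production
# rules should key on file hashes from the Microsoft vulnerable driver blocklist.
KNOWN_VULNERABLE_DRIVERS = {'aswarpot.sys', 'dbutil_2_3.sys'}

# Where a kernel driver installed by a legitimate product normally lives.
TRUSTED_DRIVER_DIRS = ('\\system32\\drivers\\', '\\system32\\driverstore\\')

SC_CREATE_RE = re.compile('sc(?:\\.exe)?\\s+create\\s+(\\S+)(.*)', re.IGNORECASE)


def parse_sc_create(cmdline):
    # sc create <name> type= kernel binPath= <path> ... -> (name, type, path) or None.
    m = SC_CREATE_RE.search(cmdline)
    if not m:
        return None
    name, rest = m.group(1), m.group(2)
    t = re.search('type=\\s*(\\S+)', rest, re.IGNORECASE)
    b = re.search('binpath=\\s*\"?([^\"\\s]+)', rest, re.IGNORECASE)
    return (name, t.group(1).lower() if t else '', b.group(1) if b else '')


def normalise(ev):
    # Reduce either event shape to (service_name, service_type, image_path).
    if ev['kind'] == 'process_create':           # Sysmon event 1 / Security 4688
        return parse_sc_create(ev['command_line'])
    if ev['kind'] == 'service_install':          # System log event 7045 fields
        return (ev['service_name'], ev['service_type'].lower(), ev['image_path'])
    return None


def assess(ev):
    svc = normalise(ev)
    if svc is None:
        return None
    name, stype, path = svc
    if 'kernel' not in stype:                    # user-mode services are out of scope
        return None
    p = path.strip().lower()
    fname = p.rsplit('\\', 1)[-1]
    reasons = []
    if not any(d in p for d in TRUSTED_DRIVER_DIRS):
        reasons.append('kernel driver loaded from a non-standard path: ' + path)
    if fname in KNOWN_VULNERABLE_DRIVERS:
        reasons.append('known vulnerable driver: ' + fname)
    if not reasons:
        return None
    return {'host': ev['host'], 'service': name, 'driver': path,
            'severity': 'high' if fname in KNOWN_VULNERABLE_DRIVERS else 'medium',
            'reasons': reasons}


def detect(events):
    return [a for a in (assess(e) for e in events) if a]


# Constructed sample events. Service name and driver path follow the report;
# the DBUtil entry and the benign driver are hypothetical.
SAMPLE_EVENTS = [
    {'kind': 'process_create', 'host': 'SRV_Service',
     'command_line': 'sc.exe create aswSP_ArPot2 type= kernel binPath= C:\\windows\\temp\\aswarpot.sys'},
    {'kind': 'process_create', 'host': 'SRV_Service',
     'command_line': 'sc.exe start aswSP_ArPot2'},
    {'kind': 'service_install', 'host': 'SRV_MAIL', 'service_name': 'hypodrv',
     'service_type': 'kernel mode driver',
     'image_path': '\\SystemRoot\\System32\\drivers\\hypodrv.sys'},
    {'kind': 'service_install', 'host': 'SRV_MAIL', 'service_name': 'DBUtil',
     'service_type': 'kernel mode driver',
     'image_path': 'C:\\Users\\Public\\dbutil_2_3.sys'},
    {'kind': 'service_install', 'host': 'SRV_MAIL', 'service_name': 'agent',
     'service_type': 'user mode service',
     'image_path': 'C:\\ProgramData\\agent.exe'},
]

if __name__ == '__main__':
    for alert in detect(SAMPLE_EVENTS):
        print(alert['severity'], alert['host'], alert['service'], alert['reasons'])
```

The path check is what catches a renamed copy of a blocklisted driver; the name check is only a convenience, which is why a production rule should match on hashes instead.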
That handler calls ZwTerminateProcess, which is what\r\nthe attackers use to kill the targeted processes.\r\nAnalysis of Burntcigar\r\nFortunately, our product’s self-defense was able to cope with the malware by blocking the requests to the driver.\r\nLater, we discovered similar activity exploiting the Avast anti-rootkit driver on the Exchange server and the\r\nSRV_STORAGE host. In both cases, the attackers used a BAT file to install the insecure driver and then start\r\nBurntcigar.\r\nBurntcigar activity on the neighboring hosts\r\nSRV_MAIL host (Exchange server)\r\nOn December 20, the customer granted our request to add the Exchange server to the scope of monitoring. The\r\nhost had most likely served as the entry point into the customer network: the server was missing critical updates,\r\nand it was susceptible to most of the group’s initial access vectors. In particular, SRV_MAIL had the ProxyLogon,\r\nProxyShell and Zerologon vulnerabilities still unremediated. This is why we believe that the attackers penetrated\r\nthe customer network through the Exchange server.\r\nTelemetry data starts coming in\r\nOn SRV_MAIL, the SqlDbAdmin user showed the same kind of activity as that which we had observed on the\r\nprevious hosts.\r\nMalicious activity by SqlDbAdmin\r\nWe found that the attackers were using the legitimate gotoassistui.exe tool for transferring malicious files between\r\nthe infected hosts.\r\nGoToAssist is a legitimate remote support tool often used by technical support teams, but it is also abused to\r\nmove files between systems while evading security controls and response teams.\r\nSending malicious files via gotoassistui.exe\r\nWe also found that new Bughatch samples were being executed. 
These used slightly different file names, exported entry\r\npoints and C2 servers, as our systems were successfully blocking older versions of the malware at that time.\r\nBughatch activity\r\nSqlDbAdmin\r\nWe wondered who that SqlDbAdmin was. The answer came through a suspicious DLL, addp.dll, which we found\r\nmanually on a compromised host.\r\nSuspicious dynamic library\r\nWe found that it used the Win32 API function NetUserAdd to create the user. The name and password were hard-coded inside the DLL.\r\nAnalysis of addp.dll\r\nAs we looked further into the library, we found that it used the RegCreateKey function to enable RDP sessions\r\nfor the newly created user by modifying a registry setting. The library then added the user to the Winlogon\r\nSpecialAccounts\\UserList registry key (a DWORD value of 0 named after the account) to hide it from the system login screen, an interesting and fairly unconventional persistence\r\ntechnique. In most cases, bad actors add new users with the help of scripts that security products rarely miss.\r\nAnalysis of addp.dll\r\nCobalt Strike\r\nWe found a suspicious DLL, ion.dll, running on the Exchange server inside a rundll32 process with unusual\r\nexecution options. At first, we figured that the activity was similar to what we had earlier seen with Bughatch.\r\nHowever, further analysis showed that the library was, in fact, a Cobalt Strike Beacon.\r\nExecution of the suspicious ion.dll file\r\nWhen we were looking at the ion.dll code, what caught our attention were the execution settings and a function that\r\nparses the Cobalt Strike configuration. The library called VirtualAlloc to allocate process memory into which it later placed and executed the Cobalt Strike Beacon payload.\r\nAnalysis of ion.dll\r\nAll configuration data was encrypted, but we did find the function used for decrypting it. 
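The addp.dll persistence described above leaves three separate traces that are individually unremarkable but together are a strong signal: a local account is created (Security event 4720, the visible effect of NetUserAdd), the same account is hidden from the logon screen under Winlogon\SpecialAccounts\UserList, and RDP is switched on. The following Python correlation is an added example, not from the article or Kaspersky tooling. It assumes the RDP-enabling write is fDenyTSConnections=0 (the report says only that a registry setting was changed) and that registry values arrive already parsed to integers; the events, host names and timestamps are constructed.

```python
# Added example (not from the article): correlate the three traces that the
# addp.dll behaviour described above leaves in telemetry: a local account created
# (Security event 4720, the effect of NetUserAdd), the account hidden from the logon
# screen via Winlogon\SpecialAccounts\UserList, and RDP switched on. The
# fDenyTSConnections value is an assumption (the report says only that a registry
# setting was changed); events, host names and times are constructed.
from datetime import datetime, timedelta

SPECIAL_ACCOUNTS = 'software\\microsoft\\windows nt\\currentversion\\winlogon\\specialaccounts\\userlist\\'
RDP_DENY_VALUE = 'system\\currentcontrolset\\control\\terminal server\\fdenytsconnections'
WINDOW = timedelta(minutes=10)   # how close the three signals must be in time


def parse_ts(s):
    return datetime.strptime(s, '%Y-%m-%dT%H:%M:%S')


def classify(ev):
    # Map one raw event to (signal, account_or_None, time) or None if irrelevant.
    t = parse_ts(ev['time'])
    if ev['kind'] == 'account_created':
        return ('created', ev['account'].lower(), t)
    if ev['kind'] == 'registry_set':            # Sysmon event 13, value already parsed
        target = ev['target'].lower()
        key = target.split('\\', 1)[1] if '\\' in target else target   # drop the hive prefix
        if key.startswith(SPECIAL_ACCOUNTS) and ev['value'] == 0:
            return ('hidden', key[len(SPECIAL_ACCOUNTS):], t)
        if key == RDP_DENY_VALUE and ev['value'] == 0:
            return ('rdp_enabled', None, t)
    return None


def correlate(events):
    signals = [s for s in map(classify, events) if s]
    created = {acct: t for sig, acct, t in signals if sig == 'created'}
    hidden = {acct: t for sig, acct, t in signals if sig == 'hidden'}
    rdp_times = [t for sig, _, t in signals if sig == 'rdp_enabled']
    alerts = []
    for acct, t0 in created.items():
        findings = ['account created']
        if acct in hidden and abs(hidden[acct] - t0) <= WINDOW:
            findings.append('hidden from logon screen via SpecialAccounts\\UserList')
        if any(abs(t - t0) <= WINDOW for t in rdp_times):
            findings.append('RDP enabled (fDenyTSConnections=0)')
        if len(findings) > 1:   # a lone 4720 is routine admin work
            alerts.append({'account': acct, 'findings': findings,
                           'severity': 'high' if len(findings) == 3 else 'medium'})
    for acct in set(hidden) - set(created):   # pre-existing account being hidden
        alerts.append({'account': acct, 'severity': 'medium',
                       'findings': ['existing account hidden from logon screen']})
    return alerts


SAMPLE_EVENTS = [
    {'kind': 'account_created', 'time': '2022-12-18T09:00:00', 'host': 'SRV_MAIL',
     'account': 'svc_backup'},                                            # routine
    {'kind': 'account_created', 'time': '2022-12-20T10:01:00', 'host': 'SRV_MAIL',
     'account': 'SqlDbAdmin'},
    {'kind': 'registry_set', 'time': '2022-12-20T10:01:05', 'host': 'SRV_MAIL',
     'target': 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\\SqlDbAdmin',
     'value': 0},
    {'kind': 'registry_set', 'time': '2022-12-20T10:01:07', 'host': 'SRV_MAIL',
     'target': 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections',
     'value': 0},
    {'kind': 'registry_set', 'time': '2022-12-21T08:00:00', 'host': 'SRV_MAIL',
     'target': 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections',
     'value': 1},                                                        # RDP disabled again
]

if __name__ == '__main__':
    for alert in correlate(SAMPLE_EVENTS):
        print(alert['severity'], alert['account'], alert['findings'])
```

Because addp.dll calls the API directly rather than running net.exe, a rule that looks for net user /add never fires; the account-creation event and the registry writes are what remain, which is why the correlation is built on those.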
To find the Cobalt\r\nStrike C2 server, we inspected a memory dump of a rundll32 process with ion.dll loaded into it, running with the same settings\r\nit did on the victim host.\r\nMemory dump of rundll32\r\nFinding out the name of the C2 helped us to locate the history of communications with that server within the\r\ntelemetry data. After the malware connected to the C2, it downloaded two suspicious files into the Windows folder\r\non the infected server and then executed these. Unfortunately, we were not able to obtain the two files for analysis:\r\nbecause the attackers had failed to disable the security product at the previous step, it removed the files from the infected host. We\r\ndo believe, though, that what we were dealing with was the ransomware itself.\r\nCommunications with the attackers’ C2 server\r\nThe customer promptly isolated the affected hosts and forwarded the incident to the Kaspersky Incident Response\r\nteam for further investigation and search for possible artifacts. This was the last we saw of the malicious actor’s\r\nactivity in the customer system. The hosts avoided encryption thanks to the customer following our\r\nrecommendations and directions, and responding to the incident in time.\r\nNew malware\r\nWe found that VirusTotal contained new samples of the Cuba malware with the same file metadata as the ones in\r\nthe incident described above. Some of those samples had evaded detection by every vendor on VirusTotal at the time. We ran our analysis on each of the samples. As you can see from the screenshot below, these are new\r\nversions of Burntcigar using encrypted data for anti-malware evasion. 
We have written YARA rules that detect these\r\nnew samples, and we provide them in the appendix to this article.\r\nNew malware samples\r\nBYOVD (Bring Your Own Vulnerable Driver)\r\nWe will now take a closer look at the insecure-driver attack technique, which we observed as we investigated the\r\nincident and which is currently growing in popularity as various APT and ransomware gangs add it to their\r\narsenals.\r\nBring Your Own Vulnerable Driver (BYOVD) is a type of attack where the bad actor brings a legitimate, signed\r\ndriver that is known to contain a security hole and loads it to execute malicious actions inside the system. If successful, the\r\nattacker can exploit the vulnerabilities in the driver code to run arbitrary malicious actions at kernel level.\r\nUnderstanding why this is one of the most dangerous kinds of attacks takes a quick refresher on what drivers are.\r\nA driver is a type of software that acts as an intermediary between the operating system and a device. The driver\r\nconverts OS instructions into commands that the device can interpret and execute. A further use of drivers is\r\nsupporting applications or features that the operating system originally lacks. As you can see from the image\r\nbelow, the driver is a layer of sorts between user mode and kernel mode.\r\nApplications running in user mode have limited privileges to control the system: all they can access is their own\r\nvirtual address space, which is isolated and protected from the rest of the system. A driver runs inside kernel\r\nmemory, and it can execute any operation just like the kernel itself. The driver can access critical security\r\nstructures and modify them. 
Modifications like that expose the system to privilege escalation,\r\ndisabling of OS security services, and arbitrary kernel memory reads and writes.\r\nThe Lazarus gang made use of that technique in 2021, gaining write access to kernel memory and disabling\r\nWindows security features by abusing a Dell driver that contained the CVE-2021-21551 vulnerability.\r\nThere is no sure-fire defense against legitimate drivers, because any driver may turn out to have a security flaw.\r\nMicrosoft has published a list of recommendations to protect against this type of technique:\r\nEnable Hypervisor-Protected Code Integrity (HVCI).\r\nEnable Memory Integrity (the Windows Security name for the same HVCI setting).\r\nEnable validation of driver digital signatures.\r\nUse the vulnerable driver blocklist.\r\nHowever, research has shown that these measures alone are not sufficient: attacks of this kind have succeeded even on systems with every Windows protection feature\r\nenabled.\r\nTo counter this technique, many security vendors started adding a self-defense module to their products that\r\nprevents malware from terminating their processes and blocks attempts at exploiting vulnerable drivers. 
Our\r\nproducts have that feature too, and it proved effective during the incident.\r\nConclusion\r\nThe Cuba cybercrime gang employs an extensive arsenal of both publicly available and custom-made tools, which\r\nit keeps up to date, and various techniques and methods, including fairly dangerous ones such as BYOVD.\r\nCombating attacks at this level of complexity calls for sophisticated technology capable of detecting advanced\r\nthreats and protecting security features from being disabled, and a massive, continuously updated threat\r\nknowledge base that helps to detect malicious artifacts manually.\r\nThe incident detailed in this article shows that investigation of real-life cyberattacks and incident response, such as\r\nManaged Detection and Response (MDR), are sources of the latest information about malicious tactics, techniques\r\nand procedures. In particular, during this investigation, we discovered new and previously undetected samples of\r\nthe Cuba malware, and artifacts suggesting that at least some of the gang members speak Russian.\r\nThat said, effective investigation and response begin with knowledge of current cyberthreats, which is available\r\nfrom Threat Intelligence services. At Kaspersky, the Threat Intelligence and MDR teams work closely together, exchanging data and enhancing their services all the time.\r\nAppendix\r\nSigma and YARA rules: https://github.com/BlureL/SigmaYara-Rules\r\nIndicators of Compromise: PDF attachment\r\nMitre ATT\u0026CK matrices: PDF attachment\r\nSource: https://securelist.com/cuba-ransomware/110533/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/cuba-ransomware/110533/"
	],
	"report_names": [
		"110533"
	],
	"threat_actors": [
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "fecc0d5a-3654-425d-9290-b6d0b4105463",
			"created_at": "2023-10-17T02:00:08.330061Z",
			"updated_at": "2026-04-10T02:00:03.37711Z",
			"deleted_at": null,
			"main_name": "Void Rabisu",
			"aliases": [
				"Tropical Scorpius"
			],
			"source_name": "MISPGALAXY:Void Rabisu",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "555e2cac-931d-4ad4-8eaa-64df6451059d",
			"created_at": "2023-01-06T13:46:39.48103Z",
			"updated_at": "2026-04-10T02:00:03.342729Z",
			"deleted_at": null,
			"main_name": "RomCom",
			"aliases": [
				"UAT-5647",
				"Storm-0978"
			],
			"source_name": "MISPGALAXY:RomCom",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d58052ba-978b-4775-985a-26ed8e64f98c",
			"created_at": "2023-09-07T02:02:48.069895Z",
			"updated_at": "2026-04-10T02:00:04.946879Z",
			"deleted_at": null,
			"main_name": "Tropical Scorpius",
			"aliases": [
				"DEV-0978",
				"RomCom",
				"Storm-0671",
				"Storm-0978",
				"TA829",
				"Tropical Scorpius",
				"UAC-0180",
				"UNC2596",
				"Void Rabisu"
			],
			"source_name": "ETDA:Tropical Scorpius",
			"tools": [
				"COLDDRAW",
				"Cuba",
				"Industrial Spy",
				"PEAPOD",
				"ROMCOM",
				"ROMCOM RAT",
				"SingleCamper",
				"SnipBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "0fc739cf-0b82-48bf-9f7d-398a200b59b5",
			"created_at": "2022-10-25T16:07:23.797925Z",
			"updated_at": "2026-04-10T02:00:04.752608Z",
			"deleted_at": null,
			"main_name": "LockBit Gang",
			"aliases": [
				"Bitwise Spider",
				"Operation Cronos"
			],
			"source_name": "ETDA:LockBit Gang",
			"tools": [
				"3AM",
				"ABCD Ransomware",
				"CrackMapExec",
				"EmPyre",
				"EmpireProject",
				"LockBit",
				"LockBit Black",
				"Mimikatz",
				"PowerShell Empire",
				"PsExec",
				"Syrphid"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4f56bb34-098d-43f6-a0e8-99616116c3ea",
			"created_at": "2024-06-19T02:03:08.048835Z",
			"updated_at": "2026-04-10T02:00:03.870819Z",
			"deleted_at": null,
			"main_name": "GOLD FLAMINGO",
			"aliases": [
				"REF9019 ",
				"Tropical Scorpius ",
				"UAC-0132 ",
				"UAC0132 ",
				"UNC2596 ",
				"Void Rabisu "
			],
			"source_name": "Secureworks:GOLD FLAMINGO",
			"tools": [
				"Chanitor",
				"Cobalt Strike",
				"Cuba",
				"Meterpreter",
				"Mimikatz",
				"ROMCOM RAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3a0cfbbc-2acf-4cc8-afe1-1859679c522c",
			"created_at": "2022-10-25T16:07:24.373716Z",
			"updated_at": "2026-04-10T02:00:04.963615Z",
			"deleted_at": null,
			"main_name": "Vendetta",
			"aliases": [
				"TA2719"
			],
			"source_name": "ETDA:Vendetta",
			"tools": [
				"AsyncRAT",
				"Atros2.CKPN",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"ReZer0",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"RoboSki",
				"Socmer",
				"Zurten"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434176,
	"ts_updated_at": 1775826699,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/56b1bd2a88c747419e309e5194cf9dcee1325b19.pdf",
		"text": "https://archive.orkl.eu/56b1bd2a88c747419e309e5194cf9dcee1325b19.txt",
		"img": "https://archive.orkl.eu/56b1bd2a88c747419e309e5194cf9dcee1325b19.jpg"
	}
}