{
	"id": "bc0950e8-d815-4ee0-acfe-eefa6d020f56",
	"created_at": "2026-04-06T00:13:00.031337Z",
	"updated_at": "2026-04-10T03:28:28.165939Z",
	"deleted_at": null,
	"sha1_hash": "9d6d24f4cd4a2e3c7655e2f1b03e5d732ac1838a",
	"title": "#StopRansomware: Cuba Ransomware | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 145038,
	"plain_text": "#StopRansomware: Cuba Ransomware | CISA\r\nPublished: 2023-01-05 · Archived: 2026-04-05 20:31:15 UTC\r\nSummary\r\nActions to take today to mitigate cyber threats from ransomware:\r\n• Prioritize remediating known exploited vulnerabilities.\r\n• Train users to recognize and report phishing attempts.\r\n• Enable and enforce phishing-resistant multifactor authentication.\r\nNote: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for\r\nnetwork defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware\r\nadvisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of\r\ncompromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all\r\n#StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.\r\nThe FBI and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint CSA to disseminate\r\nknown Cuba ransomware IOCs and TTPs associated with Cuba ransomware actors identified through FBI investigations,\r\nthird-party reporting, and open-source reporting. This advisory updates the December 2021 FBI Flash: Indicators of\r\nCompromise Associated with Cuba Ransomware.\r\nNote: While this ransomware is known by industry as “Cuba ransomware,” there is no indication Cuba ransomware actors\r\nhave any connection or affiliation with the Republic of Cuba.\r\nSince the release of the December 2021 FBI Flash, the number of U.S. 
entities compromised by Cuba ransomware has\r\ndoubled, with ransoms demanded and paid on the increase.\r\nThis year, Cuba ransomware actors have added to their TTPs, and third-party and open-source reports have identified a\r\npossible link between Cuba ransomware actors, RomCom Remote Access Trojan (RAT) actors, and Industrial Spy\r\nransomware actors.\r\nFBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce\r\nthe likelihood and impact of Cuba ransomware and other ransomware operations.\r\nDownload the PDF version of this report: pdf, 649 kb.\r\nFor a downloadable copy of IOCs, see:\r\nAA22-335A.stix (STIX 148 kb).\r\n(Updated December 12, 2022) AA22-335A-2.stix (STIX, 67 kb). (End of Update.)\r\nTechnical Details\r\nOverview\r\nSince the December 2021 release of FBI Flash: Indicators of Compromise Associated with Cuba Ransomware, FBI has\r\nobserved Cuba ransomware actors continuing to target U.S. entities in the following five critical infrastructure sectors:\r\nFinancial Services, Government Facilities, Healthcare and Public Health, Critical Manufacturing, and Information\r\nTechnology. As of August 2022, FBI has identified that Cuba ransomware actors have:\r\nCompromised 101 entities, 65 in the United States and 36 outside the United States.\r\nDemanded 145 million U.S. 
Dollars (USD) and received 60 million USD in ransom payments.\r\nCuba Ransomware Actors’ Tactics, Techniques, and Procedures\r\nAs previously reported by FBI, Cuba ransomware actors have leveraged the following techniques to gain initial access into\r\ndozens of entities in multiple critical infrastructure sectors:\r\nKnown vulnerabilities in commercial software [T1190]\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa22-335a\r\nPage 1 of 12\n\nPhishing campaigns [T1566]\r\nCompromised credentials [T1078]\r\nLegitimate remote desktop protocol (RDP) tools [T1563.002]\r\nAfter gaining initial access, the actors distributed Cuba ransomware on compromised systems through Hancitor, a loader\r\nknown for dropping or executing stealers, such as Remote Access Trojans (RATs) and other types of ransomware, onto\r\nvictims’ networks.\r\nSince spring 2022, Cuba ransomware actors have modified their TTPs and tools to interact with compromised networks and\r\nextort payments from victims.[1],[2]\r\nCuba ransomware actors have exploited known vulnerabilities and weaknesses and have used tools to elevate privileges on\r\ncompromised systems. According to Palo Alto Networks Unit 42,[2] Cuba ransomware actors have:\r\nExploited CVE-2022-24521 in the Windows Common Log File System (CLFS) driver to steal system tokens and\r\nelevate privileges.\r\nUsed a PowerShell script to identify and target service accounts for their associated Active Directory Kerberos tickets.\r\nThe actors then collected and cracked the Kerberos tickets offline via Kerberoasting [T1558.003].\r\nUsed a tool, called KerberCache, to extract cached Kerberos tickets from a host’s Local Security Authority Subsystem\r\nService (LSASS) memory [T1003.001].\r\nUsed a tool to exploit CVE-2020-1472 (also known as “ZeroLogon”) to gain Domain Administrative privileges\r\n[T1068].\r\n
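The Kerberoasting step listed above (a PowerShell script enumerating service accounts, then offline cracking of the service tickets) leaves a distinctive trace on domain controllers: one account requesting service tickets for many different service accounts in a short burst, normally with the RC4 encryption type because RC4 keys derive directly from the NT hash and crack fastest. The detector below is an added example, not code from the advisory or from Unit 42. It runs that logic over constructed Event ID 4769 records; the key=value rendering of the events, the sample values, the five-service threshold and the five-minute window are all assumptions made for the example.

```python
# Added example: a Kerberoasting detector over Windows Security Event ID 4769
# (A Kerberos service ticket was requested). This is not code from the CISA
# advisory or from Unit 42. Assumptions: events arrive as one key=value line
# per event (a constructed rendering; real events are XML/EVTX), IpAddress
# carries no ::ffff: prefix, and the threshold and window are illustrative.
from collections import defaultdict
from datetime import datetime

# 0x17 = RC4-HMAC, 0x18 = RC4-HMAC-EXP. Kerberoasting tools request RC4
# tickets because RC4 keys derive directly from the NT hash and crack fastest.
RC4_TYPES = {'0x17', '0x18'}

# Constructed sample data. jsmith requests RC4 tickets for six different
# service accounts from one host within 20 seconds (plus one machine-account
# ticket that is noise); alice uses AES; bob spreads three RC4 requests
# over several hours, which a 5-minute window must not flag.
SAMPLE_EVENTS = '''
TimeCreated=2022-08-15T10:00:01 EventID=4769 TargetUserName=jsmith@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=10.50.1.23
TimeCreated=2022-08-15T10:00:02 EventID=4769 TargetUserName=jsmith@CORP.LOCAL ServiceName=svc_web TicketEncryptionType=0x17 IpAddress=10.50.1.23
TimeCreated=2022-08-15T10:00:04 EventID=4769 TargetUserName=jsmith@CORP.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=10.50.1.23
TimeCreated=2022-08-15T10:00:07 EventID=4769 TargetUserName=jsmith@CORP.LOCAL ServiceName=svc_sharepoint TicketEncryptionType=0x17 IpAddress=10.50.1.23
TimeCreated=2022-08-15T10:00:12 EventID=4769 TargetUserName=jsmith@CORP.LOCAL ServiceName=svc_report TicketEncryptionType=0x17 IpAddress=10.50.1.23
TimeCreated=2022-08-15T10:00:20 EventID=4769 TargetUserName=jsmith@CORP.LOCAL ServiceName=svc_exchange TicketEncryptionType=0x17 IpAddress=10.50.1.23
TimeCreated=2022-08-15T10:00:21 EventID=4769 TargetUserName=jsmith@CORP.LOCAL ServiceName=WS01$ TicketEncryptionType=0x17 IpAddress=10.50.1.23
TimeCreated=2022-08-15T10:01:00 EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x12 IpAddress=10.50.1.40
TimeCreated=2022-08-15T10:02:00 EventID=4768 TargetUserName=alice@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.50.1.40
TimeCreated=2022-08-15T08:10:00 EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=10.50.1.41
TimeCreated=2022-08-15T09:15:00 EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=svc_web TicketEncryptionType=0x17 IpAddress=10.50.1.41
TimeCreated=2022-08-15T11:30:00 EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=10.50.1.41
'''


def parse_events(text):
    # keep only service-ticket requests; other event IDs are ignored
    events = []
    for line in text.strip().splitlines():
        fields = dict(tok.split('=', 1) for tok in line.split())
        if fields.get('EventID') != '4769':
            continue
        fields['time'] = datetime.fromisoformat(fields['TimeCreated'])
        events.append(fields)
    return events


def detect_kerberoasting(events, min_services=5, window_seconds=300):
    # Group RC4 ticket requests by (requesting account, source host) and
    # look for many distinct service accounts inside one sliding window.
    by_key = defaultdict(list)
    for ev in events:
        svc = ev['ServiceName']
        if ev.get('TicketEncryptionType') not in RC4_TYPES:
            continue
        if svc.endswith('$') or svc.lower() == 'krbtgt':
            # machine accounts have long random passwords and krbtgt tickets
            # are TGTs, so neither is a useful roasting target: skip them
            continue
        by_key[(ev['TargetUserName'], ev['IpAddress'])].append((ev['time'], svc))

    alerts = []
    for (user, ip), reqs in by_key.items():
        reqs.sort()
        best = None
        start = 0
        for end in range(len(reqs)):
            while (reqs[end][0] - reqs[start][0]).total_seconds() > window_seconds:
                start += 1
            services = {svc for _, svc in reqs[start:end + 1]}
            if len(services) >= min_services and (best is None or len(services) > len(best[0])):
                best = (services, reqs[start][0], reqs[end][0])
        if best:
            alerts.append({'user': user, 'ip': ip, 'services': sorted(best[0]),
                           'first_seen': best[1].isoformat(), 'last_seen': best[2].isoformat()})
    return alerts


if __name__ == '__main__':
    for alert in detect_kerberoasting(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The RC4 filter is what keeps the false-positive rate low, but it is also the easy evasion: tooling can request AES tickets, so pair this rule with a lower threshold that ignores the encryption type and with a honeypot service account whose SPN is never legitimately requested.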
The ZeroLogon tool and its intrusion attempts have been reportedly related to Hancitor and Qbot.\r\nAccording to Palo Alto Networks Unit 42, Cuba ransomware actors use tools to evade detection while moving laterally\r\nthrough compromised environments before executing Cuba ransomware. Specifically, the actors “leveraged a dropper that\r\nwrites a kernel driver to the file system called ApcHelper.sys. This targets and terminates security products. The dropper was\r\nnot signed; however, the kernel driver was signed using the certificate found in the LAPSUS NVIDIA leak.” [T1562.001],[2]\r\nIn addition to deploying ransomware, the actors have used “double extortion” techniques, in which they exfiltrate victim\r\ndata, and (1) demand a ransom payment to decrypt it and (2) threaten to publicly release it if a ransom payment is not made.[2]\r\nCuba Ransomware Link to RomCom and Industrial Spy Marketplace\r\nSince spring 2022, third-party and open-source reports have identified an apparent link between Cuba ransomware actors,\r\nRomCom RAT actors, and Industrial Spy ransomware actors:\r\nAccording to Palo Alto Networks Unit 42, Cuba ransomware actors began using RomCom malware, a custom RAT,\r\nfor command and control (C2).[2]\r\nCuba ransomware actors may also be leveraging Industrial Spy ransomware. According to third-party reporting,\r\nsuspected Cuba ransomware actors compromised a foreign healthcare company. The threat actors deployed Industrial\r\nSpy ransomware, which shares distinct similarities in configuration to Cuba ransomware. 
Before deploying the\r\nransomware, the actors moved laterally using Impacket and deployed the RomCom RAT and Meterpreter Reverse\r\nShell HTTP/HTTPS proxy via a C2 server [T1090].\r\nCuba ransomware actors initially used their leak site to sell stolen data; however, around May 2022, the actors began\r\nselling their data on Industrial Spy’s online market for selling stolen data.[2]\r\nRomCom actors have targeted foreign military organizations, IT companies, food brokers and manufacturers.[3],[4] The\r\nactors copied legitimate HTML code from public-facing webpages, modified the code, and then incorporated it in spoofed\r\ndomains [T1584.001], which allowed the RomCom actors to:\r\nHost counterfeit Trojanized applications for\r\nSolarWinds Network Performance Monitor (NPM),\r\nKeePass password manager,\r\nPDF Reader Pro (by PDF Technologies, Inc., not an Adobe Acrobat or Reader product), and\r\nAdvanced IP Scanner software;\r\nDeploy the RomCom RAT as the final stage.\r\nINDICATORS OF COMPROMISE\r\nSee tables 1 through 5 for Cuba ransomware IOCs that FBI obtained during threat response investigations as of late August\r\n2022.\r\n
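Before acting on the indicator tables that follow, a defender has to refang the values, separate external infrastructure from addresses that belong inside a victim network, and only then look for the external set in perimeter logs. The script below is an added example, not code from the advisory. It carries a subset of Table 4 verbatim in its defanged form; the firewall log format and its sample lines are constructed for the example.

```python
# Added example: refang and triage the network indicators from Tables 2-4
# and match them against firewall logs. This is not code from the CISA
# advisory. Assumptions: the subset of Table 4 below is copied in its
# defanged form; the firewall log format and its sample lines are constructed.
import ipaddress

# Subset of Table 4, defanged exactly as the advisory prints it.
TABLE4_SUBSET = '''
193.23.244[.]244 144.172.83[.]13 216.45.55[.]30
10.13.102[.]1 185.153.199[.]169 37.120.247[.]39
10.13.102[.]58 192.137.100[.]96 37.44.253[.]21
64.235.39[.]82 128.31.0[.]34 141.98.87[.]124
'''

# Constructed firewall lines in a key=value format (not a real vendor format).
SAMPLE_FW_LOG = '''
2022-08-16T03:12:44 action=allow src=10.20.30.40 dst=193.23.244.244 dport=443 proto=tcp
2022-08-16T03:13:01 action=allow src=10.20.30.40 dst=142.250.72.14 dport=443 proto=tcp
2022-08-16T03:13:09 action=deny src=185.153.199.169 dst=203.0.113.10 dport=3389 proto=tcp
2022-08-16T03:14:30 action=allow src=10.13.102.58 dst=10.13.102.1 dport=445 proto=tcp
'''


def refang(token):
    # undo the defanging used in the advisory so values can be compared
    return token.replace('[.]', '.').replace('[:]', ':').replace('hxxp', 'http')


def classify_ips(text):
    # Split the advisory list into addresses that can be blocked at the
    # perimeter and RFC 1918 / other non-routable addresses that are
    # almost certainly hosts inside a victim network: investigate, never block.
    public, private = set(), set()
    for token in text.split():
        try:
            addr = ipaddress.ip_address(refang(token))
        except ValueError:
            continue  # e-mail addresses, domains and stray text are skipped
        (private if addr.is_private else public).add(str(addr))
    return public, private


def scan_log(text, iocs):
    # Report every line whose src or dst is in the indicator set.
    hits = []
    for line in text.strip().splitlines():
        fields = dict(tok.split('=', 1) for tok in line.split()[1:])
        matched = {fields[k] for k in ('src', 'dst') if fields.get(k) in iocs}
        if matched:
            hits.append({'line': line, 'iocs': sorted(matched)})
    return hits


if __name__ == '__main__':
    public, private = classify_ips(TABLE4_SUBSET)
    print('block candidates:', sorted(public))
    print('internal addresses to vet, not block:', sorted(private))
    for hit in scan_log(SAMPLE_FW_LOG, public):
        print('external IOC hit:', hit)
    for hit in scan_log(SAMPLE_FW_LOG, private):
        print('internal IOC seen (investigate):', hit)
```

The 10.x.x.x entries from Table 4 land in the private set and are reported separately: a perimeter block on them does nothing, and pushing them into internal ACLs would hit whatever hosts happen to reuse those addresses. Even for the routable set, the advisory's own note applies, so vet an address before blocking it.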
In addition to these tables, see the publications in the References section below for aid in detecting possible\r\nexploitation or compromise.\r\nNote: For IOCs as of early November 2021, see FBI Flash: Indicators of Compromise Associated with Cuba Ransomware.\r\nTable 1: Cuba Ransomware Associated Files and Hashes, as of Late August 2022\r\nFile Name   File Path   File Hash\r\nnetping.dll   c:\\windows\\temp   SHA256: f1103e627311e73d5f29e877243e7ca203292f9419303c661aec57745e\r\nshar.bat   MD5: 4c32ef0836a0af7025e97c6253054bca\r\nSHA256: a7c207b9b83648f69d6387780b1168e2f1eabd23ae6e162dd700ae8112\r\nPsexesvc.exe   SHA256: 141b2190f51397dbd0dfde0e3904b264c91b6f81febc823ff0c33da980b\r\n1.bat\r\n216155s.dll\r\n23246s.bat   SHA256: 02a733920c7e69469164316e3e96850d55fca9f5f9d19a241fad906466\r\n23246s.dll   SHA256: 0cf6399db55d40bc790a399c6bbded375f5a278dc57a143e4b21ea3f40\r\n23246st.dll   SHA256: f5db51115fa0c910262828d0943171d640b4748e51c9a140d06ea81ae6\r\n259238e.exe\r\n31-100.bat\r\n3184.bat\r\n3184.dll\r\n45.dll   SHA256: 857f28b8fe31cf5db6d45d909547b151a66532951f26cda5f3320d2d4461b583\r\n4ca736d.exe\r\n62e2e37.exe\r\n64.235.39.82\r\n64s.dll\r\n7z.sfx\r\n7zCon.sfx\r\n7-zip.chm\r\n82.ps1\r\n9479.bat   SHA256: 08eb4366fc0722696edb03981f00778701266a2e57c40cd2e9d765bf8b\r\n9479p.bat   SHA256: f8144fa96c036a8204c7bc285e295f9cd2d1deb0379e39ee8a84145311\r\n9479p.ps1   SHA256: 88d13669a994d2e04ec0a9940f07ab8aab8563eb845a9c13f2b0fec497\r\na.exe   MD5: 03c835b684b21ded9a4ab285e4f686a3\r\nSHA1: eaced2fcfdcbf3dca4dd77333aaab055345f3ab4\r\nSHA256: 0f385cc69a93abeaf84994e7887cb173e889d309a515b55b2205805bdf\r\nSHA256: 0d5e3483299242bf504bd3780487f66f2ec4f48a7b38baa6c6bc8ba16e\r\nSHA256: 7e00bfb622072f53733074795ab581cf6d1a8b4fc269a50919dda63502\r\nSHA256: af4523186fe4a5e2833bbbe14939d8c3bd352a47a2f77592d8adcb5696\r\na220.bat
\r\na220.dll   SHA256: 8a3d71c668574ad6e7406d3227ba5adc5a230dd3057edddc4d0ec5f813\r\na82.exe   SHA256: 4306c5d152cdd86f3506f91633ef3ae7d8cf0dd25f3e37bec43423c4742\r\na91.exe   SHA256: 3d4502066a338e19df58aa4936c37427feecce9ab8d43abff4a7367643a\r\na99.exe   SHA256: f538b035c3de87f9f8294bec272c1182f90832a4e86db1e47cbb1ab26c9\r\naa.exe\r\naa2.exe\r\naaa.stage.16549040.dns.alleivice.com\r\nadd2.exe\r\nadvapi32.dll\r\nagent.13.ps1\r\nagent.bat   SHA256: fd87ca28899823b37b2c239fbbd236c555bcab7768d67203f86d37ede1\r\nagent.dll\r\nagent13.bat\r\nagent13.ps1   SHA256: 1817cc163482eb21308adbd43fb6be57fcb5ff11fd74b344469190bb48\r\nagent64.bin   SHA256: bff4dd37febd5465e0091d9ea68006be475c0191bd8c7a79a44fbf4b995\r\nagsyst121.bat\r\nagsyst121.dll\r\nall.bat   SHA256: ecefd9bb8b3783a81ab934b44eb3d84df5e58f0289f089ef6760264352\r\nall.dll   SHA256: db3b1f224aec1a7c58946d819d729d0903751d1867113aae5cca87e38c\r\nanet.exe   SHA1: 241ce8af441db2d61f3eb7852f434642739a6cc3\r\nSHA256: 74fbf3cc44dd070bd5cb87ca2eed03e1bbeec4fec644a25621052f0a73a\r\nSHA256: b160bd46b6efc6d79bfb76cf3eeacca2300050248969decba139e9e1cbe\r\nSHA256: f869e8fbd8aa1f037ad862cf6e8bbbf797ff49556fb100f2197be4ee196a\r\nApp.exe\r\nappnetwork.exe\r\nAppVClient.man\r\naswSP_arPot2\r\naus.exe   SHA256: 0c2ffed470e954d2bf22807ba52c1ffd1ecce15779c0afdf15c292e3444c\r\nSHA256: 310afba59ab8e1bda3ef750a64bf39133e15c89e8c7cf4ac65ee463b26b\r\nav.bat   SHA256: b5d202456ac2ce7d1285b9c0e2e5b7ddc03da1cbca51b5da98d9ad72e\r\nc2.ps1\r\ncdzehhlzcwvzcmcr.aspx\r\ncheck.exe\r\ncheckk.exe\r\ncheckk.txt   SHA256: 1f842f84750048bb44843c277edeaa8469697e97c4dbf8dc571ec55226\r\nclient32.exe\r\ncomctl32 .dll\r\ncomp2.ps1\r\ncomps2.ps1\r\ncqyrrxzhumiklndm.aspx\r\ndefendercontrol.exe\r\nff.exe   SHA256: 
1b943afac4f476d523310b8e3afe7bca761b8cbaa9ea2b9f01237ca4652\r\nFile __agsyst121.dll\r\nFile __aswArPot.sys\r\nFile __s9239.dll\r\nFile_agsyst121.dll\r\nFile_aswArPot.sys\r\nFile_s9239.dll\r\nga.exe\r\ngdi32 .dll\r\ngeumspbgvvytqrih.aspx\r\nIObit UNLOCKER.exe\r\nkavsa32.exe   MD5: 236f5de8620a6255f9003d054f08574b\r\nSHA1: 9b546bd99272cf4689194d698c830a2510194722\r\nkavsyst32.exe\r\nkernel32.dll\r\nkomar.bat   SHA256: B9AFE016DBDBA389000B01CE7645E7EEA1B0A50827CDED1CBAA48FB\r\nkomar.dll\r\nkomar121.bat\r\nkomar121.dll\r\nkomar2.ps1   SHA256: 61971d3cbf88d6658e5209de443e212100afc8f033057d9a4e79000f6f\r\nkomar64.dll   SHA256: 8E64BACAF40110547B334EADCB0792BDC891D7AE298FBFFF136712579\r\nmfcappk32.exe\r\nnewpass.ps1   SHA256: c646199a9799b6158de419b1b7e36b46c7b7413d6c35bfffaeaa8700b2\r\nnpalll.exe   SHA256: bd270853db17f94c2b8e4bd9fa089756a147ed45cbc44d6c2b0c78f361\r\nole32.dll\r\noleaut32.dll\r\nopen.bat   SHA256: 2EB3EF8A7A2C498E87F3820510752043B20CBE35B0CBD9AF3F69E8B8F\r\nopen.exe\r\npass.ps1   SHA256: 0afed8d1b7c36008de188c20d7f0e2283251a174261547aab7fb56e31d\r\npdfdecrypt.exe\r\npowerview.ps1\r\nprt3389.bat   SHA256: e0d89c88378dcb1b6c9ce2d2820f8d773613402998b8dcdb024858010\r\nra.ps1   SHA256: 571f8db67d463ae80098edc7a1a0cad59153ce6592e42d370a45df46f1\r\nrg1.exe\r\nRg2.exe\r\nrundll32\r\ns64174.bat   SHA256: 10a5612044599128981cb41d71d7390c15e7a2a0c2848ad751c3da1cb\r\nSHA256: 1807549af1c8fdc5b04c564f4026e41790c554f339514d326f8b55cb7b\r\ns64174.dll\r\ns9239.bat\r\ns9239.dll\r\nshell32.dll\r\nstel.exe\r\nsyskav64.exe\r\nsysra64,exe\r\nsystav332.bat   SHA256: 01242b35b6def71e42cc985e97d618e2fabd616b16d23f7081d575364d\r\nTC-9.22a.2019.3.exe\r\nTeamViewer.exe\r\ntestDLL.dll\r\ntug4rigd.dll   SHA256: 
952b34f6370294c5a0bb122febfaa80612fef1f32eddd48a3d0556c4286\r\nUpdateNotificationPipeline.002.etl\r\nuser32.dll\r\nv1.bat\r\nv2.bat\r\nv3.bat\r\nveeamp.exe   SHA256: 9aa1f37517458d635eae4f9b43cb4770880ea0ee171e7e4ad155bbdee0\r\nversion.dll\r\nvlhqbgvudfnirmzx.aspx\r\nwininet.dll\r\nwlog.exe\r\nwpeqawzp.sys\r\ny3lcx345.dll\r\nzero.exe   SHA256: 3a8b7c1fe9bd9451c0a51e4122605efc98e7e4e13ed117139a13e4749e\r\nTable 2: Cuba Ransomware Associated Email Addresses, as of Late August 2022\r\nEmail Provider   Email Addresses\r\nCuba-supp[.]com   admin@cuba-supp[.]com\r\nEncryption-support[.]com   admin@encryption-support[.]com\r\nMail.supports24[.]net   inbox@mail.supports24[.]net\r\nTable 3: Cuba Ransomware Associated Jabber Address, as of Late August 2022\r\ncuba_support@exploit[.]im\r\nTable 4: IP Addresses Associated with Cuba Ransomware, as of Late August 2022\r\nNote: Some of these observed IP addresses are more than a year old. 
FBI and CISA recommend vetting or investigating\r\nthese IP addresses prior to taking forward-looking action such as blocking. The 10.x.x.x entries below (10.13.102[.]1, 10.13.102[.]58, 10.133.78[.]41, and 10.14.100[.]20) fall in RFC 1918 private address space, so they identify hosts inside a victim network rather than external infrastructure that a perimeter block would affect.\r\n193.23.244[.]244 144.172.83[.]13 216.45.55[.]30\r\n94.103.9[.]79 149.255.35[.]131 217.79.43[.]148\r\n192.137.101[.]46 154.35.175[.]225 222.252.53[.]33\r\n92.222.172[.]39 159.203.70[.]39 23.227.198[.]246\r\n92.222.172[.]172 171.25.193[.]9 31.184.192[.]44\r\n10.13.102[.]1 185.153.199[.]169 37.120.247[.]39\r\n10.13.102[.]58 192.137.100[.]96 37.44.253[.]21\r\n10.133.78[.]41 192.137.100[.]98 38.108.119[.]121\r\n10.14.100[.]20 192.137.101[.]205 45.164.21[.]13\r\n103.114.163[.]197 193.34.167[.]17 45.32.229[.]66\r\n103.27.203[.]197 194.109.206[.]212 45.86.162[.]34\r\n104.217.8[.]100 195.54.160[.]149 45.91.83[.]176\r\n107.189.10[.]143 199.58.81[.]140 64.52.169[.]174\r\n108.170.31[.]115 204.13.164[.]118 64.235.39[.]82\r\n128.31.0[.]34 209.76.253[.]84 79.141.169[.]220\r\n128.31.0[.]39 212.192.241[.]230 84.17.52[.]135\r\n131.188.40[.]189 213.32.39[.]43 86.59.21[.]38\r\n141.98.87[.]124 216.45.55[.]3\r\nTable 5: Cuba Bitcoin Wallets Receiving Payments, as of Late August 
2022\r\nbc1q4vr25xkth35qslenqwd7aw020w85qrvlrhv7hc\r\nbc1q5uc0fdnz0ve5pg4nl4upa9ly586t6wmnghfe7x\r\nbc1q6rsj3cn37dngypu5kad9gdw5ykhctpwhjvun3z\r\nbc1q6zkemtyyrre2mkk23g93zyq98ygrygvx7z2q0t\r\nbc1q9cj0n9k2m282x0nzj6lhqjvhkkd4h95sewek83\r\nbc1qaselp9nhejc3safcq3vn5wautx6w33x0llk7dl\r\nbc1qc48q628t93xwzljtvurpqhcvahvesadpwqtsza\r\nbc1qgsuf5m9tgxuv4ylxcmx8eeqn3wmlmu7f49zkus\r\nbc1qhpepeeh7hlz5jvrp50uhkz59lhakcfvme0w9qh\r\nbc1qjep0vx2lap93455p7h29unruvr05cs242mrcah\r\nbc1qr9l0gcl0nvmngap6ueyy5gqdwvm34kdmtevjyx\r\nbc1qs3lv77udkap2enxv928x59yuact5df4t95rsqr\r\nbc1qyd05q2m5qt3nwpd3gcqkyer0gspqx5p6evcf7h\r\nbc1qzz7xweq8ee2j35tq6r5m687kctq9huskt50edv\r\nbc1qvpk8ksl3my6kjezjss9p28cqj4dmpmmjx5yl3y\r\nbc1qhtwfcysclc7pck2y3vmjtpzkaezhcm6perc99x\r\nbc1qft3s53ur5uq5ru6sl3zyr247dpr55mnggwucd3\r\nbc1qp7h9fszlqxjwyfhv0upparnsgx56x7v7wfx4x7\r\nSee figure 1 for an example of a Cuba ransomware note.\r\nFigure 1: Sample Cuba Ransom Note 2, as of late August 2022\r\nGreetings! Unfortunately we have to report that your company were compromised. All your files were encrypted and you can’t restore them without our private key. Trying to restore it without our help may cause complete loss of your data. 
Also we researched whole your corporate network and downloaded all your sensitive data to our servers. If we will not get any contact from you in the next 3 days we will public it in our news site.\r\nYou can find it there ( https[:]// cuba4ikm4jakjgmkeztyawtdgr2xymvy6nvgw5cglswg3si76icnqd.onion/ )\r\nTor Browser is needed ( https[:]//www.torproject.org/download/ )\r\nAlso we respect your work and time and we are open for communication. In that case we are ready to discuss recovering your files and work. We can grant absolute privacy and compliance with agreements by our side.\r\nAlso we can provide all necessary evidence to confirm performance of our products and statements.\r\nFeel free to contact us with quTox ( https[:]//tox.chat/download.html )\r\nOur ToxID: 37790E2D198DFD20C9D2887D4EF7C3E295188842480192689864DCCA3C8BD808A18956768271\r\nAlternative method is email: inbox@mail.supports24[.]net\r\nMark your messages with your personal ID:\r\nAdditional resources to detect possible exploitation or compromise:\r\nPalo Alto Networks Novel News on Cuba Ransomware: Greetings From Tropical Scorpius\r\nBlackBerry blog RomCom Threat Actor Abuses KeePass and SolarWinds to Target Ukraine and Potentially the United Kingdom\r\nBlackBerry blog Unattributed RomCom Threat Actor Spoofing Popular Apps Now Hits Ukrainian Militaries\r\nMITRE ATT\u0026CK TECHNIQUES\r\nCuba ransomware actors use the ATT\u0026CK techniques listed in Table 6. 
Note: For details on TTPs listed in the table, see FBI Flash: Indicators of Compromise Associated with Cuba Ransomware.\r\nResource Development\r\nCompromise Infrastructure: Domains (T1584.001): Cuba ransomware actors use compromised networks to conduct their operations.\r\nInitial Access\r\nValid Accounts (T1078): Cuba ransomware actors have been known to use compromised credentials to get into a victim’s network.\r\nExternal Remote Services (T1133): Cuba ransomware actors may leverage external-facing remote services to gain initial access to a victim’s network.\r\nExploit Public-Facing Application (T1190): Cuba ransomware actors are known to exploit vulnerabilities in public-facing systems.\r\nPhishing (T1566): Cuba ransomware actors have sent phishing emails to obtain initial access to systems.\r\nExecution\r\nCommand and Scripting Interpreter: PowerShell (T1059.001): Cuba ransomware actors have used PowerShell to escalate privileges.\r\nSoftware Deployment Tools (T1072): Cuba ransomware actors use Hancitor as a tool to spread malicious files throughout a victim’s network.\r\nPrivilege Escalation\r\nExploitation for Privilege Escalation (T1068): Cuba ransomware actors have exploited ZeroLogon to gain administrator privileges.[2]\r\nDefense Evasion\r\nImpair Defenses: Disable or Modify Tools (T1562.001): Cuba ransomware actors leveraged a loader that disables security tools within the victim network.\r\nLateral Movement\r\nRemote Service Session Hijacking: RDP Hijacking (T1563.002): Cuba ransomware actors used RDP sessions to move laterally.\r\nCredential Access\r\nOS Credential Dumping: LSASS Memory (T1003.001): Cuba ransomware actors use LSASS memory to retrieve 
stored compromised credentials.\r\nSteal or Forge Kerberos Tickets: Kerberoasting (T1558.003): Cuba ransomware actors used the Kerberoasting technique to identify service accounts linked to Active Directory.[2]\r\nCommand and Control\r\nProxy (T1090): Industrial Spy ransomware actors use an HTTP/HTTPS proxy via a C2 server to direct traffic and avoid direct connections.[2]\r\nMitigations\r\nFBI and CISA recommend network defenders apply the following mitigations to limit potential adversarial use of common\r\nsystem and network discovery techniques and to reduce the risk of compromise by Cuba ransomware:\r\nImplement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a\r\nphysically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud).\r\nRequire all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to\r\ncomply with National Institute of Standards and Technology (NIST) standards for developing and managing\r\npassword policies.\r\nUse longer passwords consisting of at least 8 characters and no more than 64 characters in length.\r\nStore passwords in hashed format using industry-recognized password managers.\r\nAdd password user “salts” to shared login credentials.\r\nAvoid reusing passwords.\r\nImplement multiple failed login attempt account lockouts.\r\nDisable password “hints.”\r\nRefrain from requiring password changes more frequently than once per year.\r\nNote: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password\r\nresets. 
Frequent password resets are more likely to result in users developing password “patterns” cyber\r\ncriminals can easily decipher.\r\nRequire administrator credentials to install software.\r\nRequire multifactor authentication for all services to the extent possible, particularly for webmail, virtual private\r\nnetworks, and accounts that access critical systems.\r\nKeep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and\r\ncost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching\r\nSonicWall firewall vulnerabilities and known exploited vulnerabilities in internet-facing systems. Note: SonicWall\r\nmaintains a vulnerability list that includes Advisory ID, CVE, and mitigation. Their list can be found at\r\npsirt.global.sonicwall.com/vuln-list.\r\nSegment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of\r\nransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary\r\nlateral movement.\r\nIdentify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a\r\nnetwork monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network\r\ntraffic, including lateral movement activity on a network. 
Endpoint detection and response (EDR) tools are\r\nparticularly useful for detecting lateral connections as they have insight into common and uncommon network\r\nconnections for each host.\r\nInstall, regularly update, and enable real-time detection for antivirus software on all hosts.\r\nReview domain controllers, servers, workstations, and Active Directory for new and/or unrecognized accounts.\r\nAudit user accounts with administrative privileges and configure access controls according to the principle of least\r\nprivilege.\r\nDisable unused ports.\r\nConsider adding an email banner to emails received from outside your organization.\r\nDisable hyperlinks in received emails.\r\nImplement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time (JIT)\r\naccess method provisions privileged access when needed and can support enforcement of the principle of least\r\nprivilege (as well as the Zero Trust model). JIT sets a network-wide policy in place to automatically disable admin\r\naccounts at the Active Directory level when the account is not in direct need. Individual users may submit their\r\nrequests through an automated process that grants them access to a specified system for a set timeframe when they\r\nneed to support the completion of a certain task.\r\nDisable command-line and scripting activities and permissions where they are not required. Privilege escalation and lateral movement often\r\ndepend on software utilities running from the command line. If threat actors are not able to run these tools, they will\r\nhave difficulty escalating privileges and/or moving laterally.\r\nMaintain offline backups of data, and regularly test backup and restoration. 
This practice ensures the\r\norganization will not be severely interrupted or left with only irretrievable data.\r\nEnsure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire\r\norganization’s data infrastructure.\r\nRESOURCES\r\nStopransomware.gov is a whole-of-government approach that gives one central location for ransomware resources\r\nand alerts.\r\nResource to mitigate a ransomware attack: CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC)\r\nJoint Ransomware Guide.\r\nNo-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment.\r\nREPORTING\r\nFBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP\r\naddresses, a sample ransom note, communications with ransomware actors, Bitcoin wallet information, decryptor files,\r\nand/or a benign sample of an encrypted file.\r\nFBI and CISA do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore,\r\npayment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the\r\ndistribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay\r\nthe ransom, FBI and CISA urge you to report ransomware incidents promptly. Report to a local FBI Field\r\nOffice, or CISA at us-cert.cisa.gov/report.\r\nDISCLAIMER\r\nThe information in this report is being provided “as is” for informational purposes only. FBI and CISA do not endorse any\r\ncommercial product or service, including any subjects of analysis. 
Any reference to specific commercial products, processes,\r\nor services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement,\r\nrecommendation, or favoring by FBI or CISA.\r\nACKNOWLEDGEMENTS\r\nFBI and CISA would like to thank BlackBerry, ESET, The National Cyber-Forensics and Training Alliance (NCFTA), Palo\r\nAlto Networks, and PRODAFT for their contributions to this CSA.\r\nReferences\r\n[1] Palo Alto Networks: Tropical Scorpius\r\n[2] Palo Alto Networks: Novel News on Cuba Ransomware - Greetings From Tropical Scorpius\r\n[3] BlackBerry: Unattributed RomCom Threat Actor Spoofing Popular Apps Now Hits Ukrainian Militaries\r\n[4] BlackBerry: RomCom Threat Actor Abuses KeePass and SolarWinds to Target Ukraine and Potentially the United\r\nKingdom\r\nRevisions\r\nDecember 1, 2022: Initial Version\r\nDecember 12, 2022: Added new IP addresses and IOCs\r\nSource: https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-335a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-335a"
	],
	"report_names": [
		"aa22-335a"
	],
	"threat_actors": [
		{
			"id": "d4b9608d-af69-43bc-a08a-38167ac6306a",
			"created_at": "2023-01-06T13:46:39.335061Z",
			"updated_at": "2026-04-10T02:00:03.291149Z",
			"deleted_at": null,
			"main_name": "LAPSUS",
			"aliases": [
				"Lapsus",
				"LAPSUS$",
				"DEV-0537",
				"SLIPPY SPIDER",
				"Strawberry Tempest",
				"UNC3661"
			],
			"source_name": "MISPGALAXY:LAPSUS",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "fecc0d5a-3654-425d-9290-b6d0b4105463",
			"created_at": "2023-10-17T02:00:08.330061Z",
			"updated_at": "2026-04-10T02:00:03.37711Z",
			"deleted_at": null,
			"main_name": "Void Rabisu",
			"aliases": [
				"Tropical Scorpius"
			],
			"source_name": "MISPGALAXY:Void Rabisu",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "555e2cac-931d-4ad4-8eaa-64df6451059d",
			"created_at": "2023-01-06T13:46:39.48103Z",
			"updated_at": "2026-04-10T02:00:03.342729Z",
			"deleted_at": null,
			"main_name": "RomCom",
			"aliases": [
				"UAT-5647",
				"Storm-0978"
			],
			"source_name": "MISPGALAXY:RomCom",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d58052ba-978b-4775-985a-26ed8e64f98c",
			"created_at": "2023-09-07T02:02:48.069895Z",
			"updated_at": "2026-04-10T02:00:04.946879Z",
			"deleted_at": null,
			"main_name": "Tropical Scorpius",
			"aliases": [
				"DEV-0978",
				"RomCom",
				"Storm-0671",
				"Storm-0978",
				"TA829",
				"Tropical Scorpius",
				"UAC-0180",
				"UNC2596",
				"Void Rabisu"
			],
			"source_name": "ETDA:Tropical Scorpius",
			"tools": [
				"COLDDRAW",
				"Cuba",
				"Industrial Spy",
				"PEAPOD",
				"ROMCOM",
				"ROMCOM RAT",
				"SingleCamper",
				"SnipBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4f56bb34-098d-43f6-a0e8-99616116c3ea",
			"created_at": "2024-06-19T02:03:08.048835Z",
			"updated_at": "2026-04-10T02:00:03.870819Z",
			"deleted_at": null,
			"main_name": "GOLD FLAMINGO",
			"aliases": [
				"REF9019 ",
				"Tropical Scorpius ",
				"UAC-0132 ",
				"UAC0132 ",
				"UNC2596 ",
				"Void Rabisu "
			],
			"source_name": "Secureworks:GOLD FLAMINGO",
			"tools": [
				"Chanitor",
				"Cobalt Strike",
				"Cuba",
				"Meterpreter",
				"Mimikatz",
				"ROMCOM RAT"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434380,
	"ts_updated_at": 1775791708,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9d6d24f4cd4a2e3c7655e2f1b03e5d732ac1838a.pdf",
		"text": "https://archive.orkl.eu/9d6d24f4cd4a2e3c7655e2f1b03e5d732ac1838a.txt",
		"img": "https://archive.orkl.eu/9d6d24f4cd4a2e3c7655e2f1b03e5d732ac1838a.jpg"
	}
}