{
	"id": "104cc0b1-40f9-4f5f-a331-c121ea7013cc",
	"created_at": "2026-04-06T00:06:17.913117Z",
	"updated_at": "2026-04-10T03:21:09.303099Z",
	"deleted_at": null,
	"sha1_hash": "b3284d6ad335915bc82a5cde072fcee552390d91",
	"title": "Cuba Ransomware Group’s New Variant Found Using Optimized Infection Techniques",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 200133,
	"plain_text": "Cuba Ransomware Group’s New Variant Found Using Optimized\r\nInfection Techniques\r\nBy By: Don Ovid Ladores Jun 08, 2022 Read time: 3 min (799 words)\r\nPublished: 2022-06-08 · Archived: 2026-04-05 13:25:13 UTC\r\nCuba ransomwareopen on a new tab is a malware family that has been seasonally detected since it was first observed in\r\nFebruary 2020open on a new tab. It resurfaced in November 2021open on a new tab based on the FBI’s official noticeopen\r\non a new tab, and has reportedlyopen on a new tab attacked 49 organizations in five critical infrastructure sectors,\r\namassing at least US$ 43.9 million in ransom payments.  \r\nWe observed Cuba ransomware’s resurgence in March and April this year. Our monitoring showed that the malware\r\nauthors seem to be pushing some updates to the current binary of a new variant. The samples we examined in March and\r\nApril used BUGHATCH, a custom downloader that the malicious actor did not employ in previous variants specifically for\r\nthe staging phase of the infection routine.\r\nIn late April we also noticed another variant of the ransomware, this time targeting two organizations based in Asia. This\r\nblog entry focuses on our analysis of the latest samples uncovered from this period.\r\nWhile the updates to Cuba ransomware did not change much in terms of overall functionality, we have reason to believe\r\nthat the updates aim to optimize its execution, minimize unintended system behavior, and provide technical support to the\r\nransomware victims if they choose to negotiate.\r\nOur analysis of the new variant revealed that the malicious actor added some processes and services to terminate the\r\nfollowing:\r\nMySQL\r\nMySQL80\r\nSQLSERVERAGENT\r\nMSSQLSERVER\r\nSQLWriter\r\nSQLTELEMETRY\r\nMSDTC\r\nSQLBrowser\r\nsqlagent.exe\r\nsqlservr.exe\r\nsqlwriter.exe\r\nsqlceip.exe\r\nmsdtc.exe\r\nsqlbrowser.exe\r\nvmcompute\r\nvmms\r\nvmwp.exe\r\nvmsp.exe\r\noutlook.exe\r\nhttps://www.trendmicro.com/en_us/research/22/f/cuba-ransomware-group-s-new-variant-found-using-optimized-infect.html\r\nPage 1 of 6\n\nMSExchangeUMCR\r\nMSExchangeUM\r\nMSExchangeTransportLogSearch\r\nMSExchangeTransport\r\nMSExchangeThrottling\r\nMSExchangeSubmission\r\nMSExchangeServiceHost\r\nMSExchangeRPC\r\nMSExchangeRepl\r\nMSExchangePOP3BE\r\nMSExchangePop3\r\nMSExchangeNotificationsBroker\r\nMSExchangeMailboxReplication\r\nMSExchangeMailboxAssistants\r\nMSExchangeIS\r\nMSExchangeIMAP4BE\r\nMSExchangeImap4\r\nMSExchangeHMRecovery\r\nMSExchangeHM\r\nMSExchangeFrontEndTransport\r\nMSExchangeFastSearch\r\nMSExchangeEdgeSync\r\nMSExchangeDiagnostics\r\nMSExchangeDelivery\r\nMSExchangeDagMgmt\r\nMSExchangeCompliance\r\nMSExchangeAntispamUpdate\r\nMicrosoft.Exchange.Store.Worker.exe\r\nhttps://www.trendmicro.com/en_us/research/22/f/cuba-ransomware-group-s-new-variant-found-using-optimized-infect.html\r\nPage 2 of 6\n\nFigure 1. Screenshot of the list of processes and services that the Cuba ransomware seeks to terminate\r\nAnother apparent change is the expansion of the safelisted directories and file extensions that it will avoid encrypting:\r\nDirectory Safelist:\r\n\\windows\\\r\n\\program files\\microsoft office\\\r\n\\program files (x86)\\microsoft office\\\r\n\\program files\\avs\\\r\n\\program files (x86)\\avs\\\r\n\\$recycle.bin\\\r\n\\boot\\\r\n\\recovery\\\r\n\\system volume information\\\r\n\\msocache\\\r\n\\users\\all users\\\r\n\\users\\default user\\\r\n\\users\\default\\\r\nhttps://www.trendmicro.com/en_us/research/22/f/cuba-ransomware-group-s-new-variant-found-using-optimized-infect.html\r\nPage 3 of 6\n\n\\temp\\\r\n\\inetcache\\\r\n\\google\\\r\nExtension Safelist:\r\n.exe\r\n.dll\r\n.sys\r\n.ini\r\n.lnk\r\n.vbm\r\n.cuba\r\nFigure 2. Array of directories it excludes from encryption\r\nWe compared the new variant used in late April 2022 to the previous ones and found that the former did not have all the\r\ncommands or functions that came with the latter. The malicious actors only retained two commands in the new one that are\r\ndirectory- or location-related phrases. These are as follows:\r\nlocal\r\nnetwork\r\nNotably, the wording of the ransom note used in the latest variant (see Figure 4) is different from the previous one that the\r\nmalicious actors used in the samples we analyzed in March this year, but the onion site indicated in both ransom notes is\r\nthe same. The ransom note used in late April 2022 explicitly states that they will publish exfiltrated data on their Tor site if\r\nthe victims refuse to negotiate after three days, an apparent use of the double extortionnews- cybercrime-and-digital-threats technique. The ransomware gang did not clearly state the threat of publication of stolen data in the ransom note\r\ndropped in March 2022 (see Figure 3).\r\nhttps://www.trendmicro.com/en_us/research/22/f/cuba-ransomware-group-s-new-variant-found-using-optimized-infect.html\r\nPage 4 of 6\n\nFigure 3. Cuba ransomware’s ransom note retrieved from samples that we analyzed in March 2022\r\nAnother new feature of the latest ransom note is the addition of quTox, a means for technical support to the ransomware\r\nvictims to facilitate ransom payment negotiation.\r\nFigure 4. Cuba ransomware’s ransom note retrieved from samples analyzed in late April 2022, with mention\r\nof quTox as technical support to facilitate ransom payment negotiations\r\nWe are still investigating the latest set of samples and have yet to establish the entire infection chain for the new Cuba\r\nransomware variant. As mentioned, the indicators that were commonly seen in most of the recent infections were not\r\npresent in the latest samples we saw. Moreover, our detections of new samples in May suggest that Cuba ransomware’s\r\nattacks will persist in the coming months, possibly with more updates to the malware that are par for the course.\r\nRecommendations\r\nAs new malware variants emerge, a proactive cybersecurity stance is important to ensure that organizations are protected\r\nagainst modern ransomware threats. To defend systems against similar attacks, organizations can establish security\r\nframeworks that systematically allocate resources based on an enterprise’s needs. \r\nConsider following the security frameworks established by the Center of Internet Securityopen on a new tab and the\r\nNational Institute of Standards and Technologyopen on a new tab when developing your own cybersecurity strategies. The\r\nframeworks they created help security teams to mitigate risks and minimize exposure to threats. Implementing the best\r\npractices discussed in their respective frameworks can save organizations the time and effort when they customize their\r\nown. Their frameworks guide organizations through the whole process of planning while providing suggestions on\r\nmeasures that need to be established first.\r\nIndicators of Compromise (IOCs)\r\nhttps://www.trendmicro.com/en_us/research/22/f/cuba-ransomware-group-s-new-variant-found-using-optimized-infect.html\r\nPage 5 of 6\n\nSHA256 Trend Micro Detection\r\n89288de628b402621007c7ebb289233e7568307fb12a33aac7e834504c17b4af  Ransom.Win32.BACUCRYPT.YPCD2T\r\nTags\r\nSource: https://www.trendmicro.com/en_us/research/22/f/cuba-ransomware-group-s-new-variant-found-using-optimized-infect.html\r\nhttps://www.trendmicro.com/en_us/research/22/f/cuba-ransomware-group-s-new-variant-found-using-optimized-infect.html\r\nPage 6 of 6",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/22/f/cuba-ransomware-group-s-new-variant-found-using-optimized-infect.html"
	],
	"report_names": [
		"cuba-ransomware-group-s-new-variant-found-using-optimized-infect.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775433977,
	"ts_updated_at": 1775791269,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b3284d6ad335915bc82a5cde072fcee552390d91.pdf",
		"text": "https://archive.orkl.eu/b3284d6ad335915bc82a5cde072fcee552390d91.txt",
		"img": "https://archive.orkl.eu/b3284d6ad335915bc82a5cde072fcee552390d91.jpg"
	}
}