{
	"id": "0c32d3f7-c760-4376-864d-a3117211ef01",
	"created_at": "2026-04-06T00:16:35.038448Z",
	"updated_at": "2026-04-10T03:28:28.127396Z",
	"deleted_at": null,
	"sha1_hash": "e510e74de899238dc7e6d0240353c582396cfed3",
	"title": "CUBA Ransomware Malware Analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 863013,
	"plain_text": "CUBA Ransomware Malware Analysis\r\nBy Salim Bitam\r\nPublished: 2023-02-14 · Archived: 2026-04-05 18:05:53 UTC\r\nSummary\r\nAs a part of Elastic Security’s ongoing threat detection and monitoring efforts, we have recently observed a ransomware intrusion by the CUBA ransomware threat group, internally tracked as REF9019. This report will detail the inner workings of the ransomware deployed inside the network to encrypt the victim’s files. Cuba ransomware provides the attacker with the flexibility to encrypt both local files and network share files in the enterprise. CUBA uses the ChaCha20 cipher algorithm for symmetric encryption and RSA encryption to protect the ChaCha20 keys. CUBA is multithreaded for faster encryption, with resource access synchronization to avoid file corruption.\r\nIn this analysis we will describe the following:\r\nOperations mode\r\nProcess and services termination\r\nEnumeration of volumes\r\nThreading implementation\r\nFile encryption and algorithms used\r\nMITRE ATT&CK mapping\r\nYARA rule\r\nIndicators of compromise\r\nStatic Analysis\r\n| | |\r\n| --- | --- |\r\n| SHA256 Packed | 0f385cc69a93abeaf84994e7887cb173e889d309a515b55b2205805bdfe468a3 |\r\n| SHA256 Unpacked | 3654af86dc682e95c811e4fd87ea405b627bca81c656f3a520a4b24bf2de879f |\r\n| File Size | 135168 bytes |\r\n| FileType | Executable |\r\n| Imphash | CA5F4AF10ABC885182F3FB9ED425DE65 |\r\n| Compile Time | Wed Mar 09 22:00:31 2022 UTC |\r\n| Entropy | 6.582 |\r\nSections\r\n| Name | VirtualAddress | Virtual Size | Raw Size | Entropy | MD5 |\r\n| --- | --- | --- | --- | --- | --- |\r\n| .text | 0x00401000 | 0x13B5F | 0x13C00 | 6.608 | 931B22064E9E214BF59A4E07A6CA9109 |\r\n| .rdata | 0x00415000 | 0xA71C | 0xA800 | 5.855 | F6F97411BCD64126A96B08BA9AE1E775 |\r\n| .data | 0x00420000 | 0x16B0 | 0xC00 | 3.450 | 03B1B11B4531BB656E43A8B457D4A5F7 |\r\n| .rsrc | 0x00422000 | 0x1E0 | 0x200 | 4.704 | F754ADBD7F5D6195FD6D527001CAB98C |\r\n| .reloc | 0x00423000 | 0x1200 | 0x1200 | 6.573 | 08B0994DAECAAAA4173B388A80CC52FE |\r\nhttps://www.elastic.co/security-labs/cuba-ransomware-malware-analysis\r\nPage 1 of 16\r\nFor information on the CUBA ransomware campaign and associated malware analysis, check out our blog posts detailing this:\r\nCUBA Campaign Analysis\r\nBUGHATCH Malware Analysis\r\nImports\r\nGetProcessImageFileNameW\r\nEnumProcesses\r\nNetApiBufferFree\r\nNetShareEnum\r\nGetIpNetTable\r\nPathFindFileNameW\r\nFindFirstFileExW\r\nFindFirstFileW\r\nFindNextFileW\r\nWriteFile\r\nSetFileAttributesW\r\nMoveFileExW\r\nFindFirstVolumeW\r\nTerminateProcess\r\nGetEnvironmentStringsW\r\nOpenProcess\r\nGetCurrentProcessId\r\nCreateProcessW\r\nGetVolumePathNamesForVolumeNameW\r\nFindNextVolumeW\r\nGetCurrentThreadId\r\nRaiseException\r\nGetModuleHandleExW\r\nOpenProcessToken\r\nCryptAcquireContextA\r\nCryptGenRandom\r\nCryptReleaseContext\r\nAdjustTokenPrivileges\r\nLookupPrivilegeValueA\r\nControlService\r\nChangeServiceConfigW\r\nPathAddBackslashW\r\nGetCPInfo\r\nGetOEMCP\r\nIsValidCodePage\r\nlstrcpynW\r\nInterlockedDecrement\r\nFindClose\r\nCreateFileW\r\nSleep\r\nlstrcatW\r\nCloseHandle\r\nCreateThread\r\nlstrcpyW\r\nlstrcmpW\r\nReadFile\r\nGetFileSizeEx\r\nEnterCriticalSection\r\nGetCurrentProcess\r\nGetModuleFileNameW\r\nLeaveCriticalSection\r\nGetCommandLineA\r\nWaitForSingleObject\r\nGetLastError\r\nSetEvent\r\nGetDiskFreeSpaceExW\r\nResetEvent\r\nGetWindowsDirectoryW\r\nSetFilePointerEx\r\nExitProcess\r\nCreateEventA\r\nlstrcmpiW\r\nGetTickCount\r\nDeleteCriticalSection\r\nQueryPerformanceCounter\r\nSetStdHandle\r\nFreeEnvironmentStringsW\r\nGetCommandLineW\r\nDecodePointer\r\nGetStringTypeW\r\nGetProcessHeap\r\nFlushFileBuffers\r\nGetConsoleCP\r\nHeapSize\r\nWriteConsoleW\r\nInitializeCriticalSection\r\nUnhandledExceptionFilter\r\nSetUnhandledExceptionFilter\r\nIsProcessorFeaturePresent\r\nInitializeCriticalSectionAndSpinCount\r\nWaitForSingleObjectEx\r\nCreateEventW\r\nGetModuleHandleW\r\nGetProcAddress\r\nIsDebuggerPresent\r\nGetStartupInfoW\r\nGetSystemTimeAsFileTime\r\nInitializeSListHead\r\nRtlUnwind\r\nSetLastError\r\nEncodePointer\r\nTlsAlloc\r\nTlsGetValue\r\nTlsSetValue\r\nTlsFree\r\nFreeLibrary\r\nLoadLibraryExW\r\nGetFileType\r\nGetStdHandle\r\nMultiByteToWideChar\r\nWideCharToMultiByte\r\nGetACP\r\nHeapFree\r\nHeapAlloc\r\nLCMapStringW\r\nHeapReAlloc\r\nGetConsoleMode\r\nCharLowerW\r\nGetKeyboardLayoutList\r\nwsprintfW\r\nCloseServiceHandle\r\nOpenSCManagerW\r\nOpenServiceW\r\nQueryServiceStatusEx\r\nStrings\r\nGood day. All your files are encrypted. For decryption contact us.\r\nWrite here waterstatus@cock.li\r\nreserve admin@encryption-support.com\r\njabber cuba_support@exploit.im\r\nWe also inform that your databases, ftp server and file server were downloaded by us to our servers.\r\nIf we do not receive a message from you within three days, we regard this as a refusal to negotiate.\r\nCheck our platform: http://cuba4ikm4jakjgmkezytyawtdgr2xymvy6nvzgw5cglswg3si76icnqd.onion/\r\n* Do not rename encrypted files.\r\n* Do not try to decrypt your data using third party software, it may cause permanent data loss.\r\n* Do not stop process of encryption, because partial encryption cannot be decrypted.\r\n!! READ ME !!.txt\r\nCode Analysis\r\nEntry Point\r\nThe malware starts by retrieving the active input locale identifier of the victim using the GetKeyboardLayout API. When the Russian language is in the list of supported languages of the machine, the process deletes and terminates itself with a simple command line, c:\\system32\\cmd.exe /c del PATH_TO_BINARY, without encrypting the file system.\r\nCommand-line Options\r\nThe threat actor included 4 different operations based on the following command-line arguments:\r\nThe network keyword\r\nAn IP keyword\r\nA path keyword\r\nThe local keyword\r\nNetwork keyword parameter\r\nWhen the network keyword is specified, the malware retrieves the Address Resolution Protocol (ARP) table of the machine using the GetIpNetTable Windows API and enumerates the shares of each IP in the ARP table. This information is added to a linked list that will be accessed by the encryption capability, which is discussed in detail further below.\r\nIP keyword parameter\r\nBy specifying an IP address as the first parameter in the command line, the malware proceeds by enumerating and encrypting every share found for the specified IP.\r\nPath keyword parameter\r\nThe malware will encrypt the contents of the local directory, or the file, provided as the first parameter of the command line.\r\nLocal keyword parameter\r\nThe local keyword is used to encrypt every local volume on the machine, and because the malware targets volumes by their ID, it can encrypt both mounted and unmounted volumes.\r\nProcess Termination\r\nCUBA starts by acquiring SeDebugPrivilege and then terminates a hardcoded list of processes and services using a common Windows API (see appendix for list [1], [2]). For some services, the malware first tries to disable the service, indicated by the second parameter of the TerminateProcesses::TerminateServiceByName function. This is mainly done to prevent interference with the encryption process by applications that may lock files from external changes, for example, databases.\r\nLocal Volume Enumeration\r\nThe malware enumerates all the local volumes and, for each volume larger than 1GB, it saves the volume’s GUID in a custom linked list. The ransomware uses a CriticalSection object to synchronize access to this linked list, since multiple threads access the same resource. This helps to avoid two threads encrypting the same file at the same time, a race condition that would corrupt the file.\r\nMultithreaded Encryption Synchronization\r\nAfter preparing a list to encrypt, CUBA ransomware spawns encryption threads with the structure defined below as a parameter. Depending on the command line arguments, the malware starts 4 threads for local encryption or 8 threads for network encryption.\r\nWhen a thread finishes its task, it decrements the counter lpParameter->NumberOfThreadRunning until it reaches 0. When the last thread completes, it alerts the program that the task is done with a call to the SetEvent API, after which the malware deletes itself and terminates.\r\nEncryption Implementation\r\nThe malware leverages the symmetric encryption algorithm ChaCha20 to encrypt files and the asymmetric encryption algorithm RSA to protect the ChaCha20 Key and Initialization Vector (IV). The author has utilized a customized version of WolfSSL, an open source SSL/TLS library, to implement this capability. Other samples (2957226fc315f71dc22f862065fe376efab9c21d61bbc374dde34d47cde85658) implemented a similar function using the libtomcrypt library. Other implementations may exist that are not described here.\r\nThe ransomware allocates a large custom structure called block that contains all the required encryption information. It then initializes an RsaKey structure with wc_InitRsaKey and decodes an embedded 4096 bit RSA public key in DER format using wc_RsaPublicKeyDecode, which it saves to block.PubRsaKey.\r\nFile Enumeration\r\nEach thread takes an entry from the linked list and starts recursively enumerating files, starting from the root of the volume. In the case of a specific directory, the same function is called recursively, except for specific excluded directories (see appendix for list). It also ignores the ransom note file !! READ ME !!.txt and files with specific extensions (see appendix for list).\r\nThe malware uses wc_RNG_GenerateBlock, a WolfSSL function, to randomly generate 44 bytes. The first 32 bytes are used as the ChaCha20 key and the remaining 12 bytes are used as the IV. It then calls a function to initialize the ChaCha20 structure block.chacha20_KeyIv, which is later used to encrypt the file content. At this point, the ransomware is ready to start encrypting and writing to the file.\r\nBefore encrypting a file, Cuba ransomware prepends a 1024 byte header: the first 256 bytes are the string FIDEL.CA and some DWORD values, the next 512 bytes are the ChaCha20 KEY/IV encrypted with the public RSA key, and the rest is padded with 0.\r\nBefore starting the encryption, the malware double checks whether the file was already encrypted by comparing the first 8 bytes of the file to the header string FIDEL.CA. If equal, the malware terminates the encryption process as described below.\r\nThen CUBA writes the 1024 byte header and, if the file is larger than 2 MB, it reads 1 MB of data at a time from the file and encrypts it with the ChaCha20 cipher. Otherwise, it reads and encrypts the entire contents at once.\r\nThe malware encrypts the file in 1 MB chunks and, depending on the file’s size, it will skip a preset number of bytes between chunks. This is done primarily to speed up the encryption process of large files; the table below illustrates the thresholds.\r\n| File Size | Chunk Size | Skipped Size |\r\n| --- | --- | --- |\r\n| Less than 2 MB | All the file content | 0 MB |\r\n| Less than 10 MB | 1 MB | 4 MB |\r\n| Less than 50 MB | 1 MB | 8 MB |\r\n| Less than 200 MB | 1 MB | 16 MB |\r\n| Less than 10 GB | 1 MB | 200 MB |\r\n| More than 10 GB | 1 MB | 500 MB |\r\nFinally, it renames the file by adding the extension .cuba.\r\nMITRE ATT&CK Techniques\r\nUsing the MITRE ATT&CK® framework, techniques and sub-techniques represent how an adversary achieves a tactical goal by performing an action.\r\nData Encrypted for Impact\r\nNetwork Share Discovery\r\nProcess Discovery\r\nService Stop\r\nSystem Information Discovery\r\nIndicator Removal on Host: File Deletion\r\nObfuscated Files or Information: Software Packing\r\nSystem Network Configuration Discovery\r\nSystem Location Discovery: System Language Discovery\r\nAccess Token Manipulation\r\nAppendix\r\nList of Terminated Processes\r\nsqlagent.exe\r\nsqlservr.exe\r\nsqlwriter.exe\r\nsqlceip.exe\r\nmsdtc.exe\r\nsqlbrowser.exe\r\nvmwp.exe\r\nvmsp.exe\r\noutlook.exe\r\nMicrosoft.Exchange.Store.Worker.exe\r\nList of Terminated Services\r\nMySQL\r\nMySQL80\r\nSQLSERVERAGENT\r\nMSSQLSERVER\r\nSQLWriter\r\nSQLTELEMETRY\r\nMSDTC\r\nSQLBrowser\r\nvmcompute\r\nvmms\r\nMSExchangeUMCR\r\nMSExchangeUM\r\nMSExchangeTransportLogSearch\r\nMSExchangeTransport\r\nMSExchangeThrottling\r\nMSExchangeSubmission\r\nMSExchangeServiceHost\r\nMSExchangeRPC\r\nMSExchangeRepl\r\nMSExchangePOP3BE\r\nMSExchangePop3\r\nMSExchangeNotificationsBroker\r\nMSExchangeMailboxReplication\r\nMSExchangeMailboxAssistants\r\nMSExchangeIS\r\nMSExchangeIMAP4BE\r\nMSExchangeImap4\r\nMSExchangeHMRecovery\r\nMSExchangeHM\r\nMSExchangeFrontEndTransport\r\nMSExchangeFastSearch\r\nMSExchangeEdgeSync\r\nMSExchangeDiagnostics\r\nMSExchangeDelivery\r\nMSExchangeDagMgmt\r\nMSExchangeCompliance\r\nMSExchangeAntispamUpdate\r\nExcluded Directories\r\n\\windows\\\r\n\\program files\\microsoft office\\\r\n\\program files (x86)\\microsoft office\\\r\n\\program files\\avs\\\r\n\\program files (x86)\\avs\\\r\n$recycle.bin\\\r\n\\boot\\\r\n\\recovery\\\r\n\\system volume information\\\r\n\\msocache\\\r\n\\users\\all users\\\r\n\\users\\default user\\\r\n\\users\\default\\\r\n\\temp\\\r\n\\inetcache\\\r\n\\google\\\r\nExcluded File Extensions\r\n.exe\r\n.dll\r\n.sys\r\n.ini\r\n.lnk\r\n.vbm\r\n.cuba\r\nYARA Rule\r\nElastic Security has created YARA rules to identify CUBA ransomware activity.\r\nrule Windows_Ransomware_Cuba {\r\n    meta:\r\n        os = \"Windows\"\r\n        arch = \"x86\"\r\n        category_type = \"Ransomware\"\r\n        family = \"Cuba\"\r\n        threat_name = \"Windows.Ransomware.Cuba\"\r\n        Reference_sample = \"33352a38454cfc247bc7465bf177f5f97d7fd0bd220103d4422c8ec45b4d3d0e\"\r\n    strings:\r\n        $a1 = { 45 EC 8B F9 8B 45 14 89 45 F0 8D 45 E4 50 8D 45 F8 66 0F 13 }\r\n        $a2 = { 8B 06 81 38 46 49 44 45 75 ?? 81 78 04 4C 2E 43 41 74 }\r\n        $b1 = \"We also inform that your databases, ftp server and file server were downloaded by us to our servers.\" ascii fullword\r\n        $b2 = \"Good day. All your files are encrypted. For decryption contact us.\" ascii fullword\r\n        $b3 = \".cuba\" wide fullword\r\n    condition:\r\n        any of ($a*) or all of ($b*)\r\n}\r\nObservations\r\nAtomic indicators observed in our investigation.\r\n| Indicator | Type | Note |\r\n| --- | --- | --- |\r\n| 32beefe2c5e28e87357813c0ef91f47b631a3dff4a6235256aa123fc77564346 | SHA256 | CUBA Ransomware |\r\n| 0f385cc69a93abeaf84994e7887cb173e889d309a515b55b2205805bdfe468a3 | SHA256 | CUBA Ransomware |\r\n| bcf0f202db47ca671ed6146040795e3c8315b7fb4f886161c675d4ddf5fdd0c4 | SHA256 | CUBA Ransomware |\r\nArtifacts\r\nArtifacts are also available for download in both ECS and STIX format in a combined zip bundle.\r\nSource: https://www.elastic.co/security-labs/cuba-ransomware-malware-analysis",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.elastic.co/security-labs/cuba-ransomware-malware-analysis"
	],
	"report_names": [
		"cuba-ransomware-malware-analysis"
	],
	"threat_actors": [
		{
			"id": "4f56bb34-098d-43f6-a0e8-99616116c3ea",
			"created_at": "2024-06-19T02:03:08.048835Z",
			"updated_at": "2026-04-10T02:00:03.870819Z",
			"deleted_at": null,
			"main_name": "GOLD FLAMINGO",
			"aliases": [
				"REF9019 ",
				"Tropical Scorpius ",
				"UAC-0132 ",
				"UAC0132 ",
				"UNC2596 ",
				"Void Rabisu "
			],
			"source_name": "Secureworks:GOLD FLAMINGO",
			"tools": [
				"Chanitor",
				"Cobalt Strike",
				"Cuba",
				"Meterpreter",
				"Mimikatz",
				"ROMCOM RAT"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434595,
	"ts_updated_at": 1775791708,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e510e74de899238dc7e6d0240353c582396cfed3.pdf",
		"text": "https://archive.orkl.eu/e510e74de899238dc7e6d0240353c582396cfed3.txt",
		"img": "https://archive.orkl.eu/e510e74de899238dc7e6d0240353c582396cfed3.jpg"
	}
}