Parsing: enabled
Known RaaS
Description
Cuba ransomware, active since at least 2019, is a financially motivated threat group operating a double-extortion scheme—encrypting files and exfiltrating data to pressure victims. It has targeted government agencies, healthcare providers, critical infrastructure, financial institutions, and manufacturing firms, primarily in the United States, Canada, and Europe. Distribution often involves the Hancitor (Chanitor) malware loader, phishing campaigns, and exploitation of vulnerabilities in public-facing services such as Microsoft Exchange. Cuba employs RSA and AES encryption, typically appending the .cuba extension to affected files, and drops ransom notes instructing victims to contact the attackers via Tor-based portals. In December 2021, the FBI reported that Cuba ransomware operators had compromised at least 49 entities in U.S. critical infrastructure sectors, stealing data and demanding multimillion-dollar ransoms.
External Analysis20
| External Analysis |
|---|
| https://www.mcafee.com/enterprise/en-us/assets/reports/rp-cuba-ransomware.pdf |
| https://digital.nhs.uk/cyber-alerts/2021/cc-3855 |
| https://blog.group-ib.com/hancitor-cuba-ransomware |
| https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3 |
| https://id-ransomware.blogspot.com/2019/12/cuba-ransomware.html |
| https://lab52.io/blog/cuba-ransomware-analysis/ |
| https://shared-public-reports.s3-eu-west-1.amazonaws.com/Cuba+Ransomware+Group+-+on+a+roll.pdf |
| https://unit42.paloaltonetworks.com/cuba-ransomware-tropical-scorpius/ |
| https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/ |
| https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-cuba-ransomware/ |
| https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis |
| https://www.elastic.co/security-labs/cuba-ransomware-malware-analysis |
| https://www.fortinet.com/blog/threat-research/ransomware-roundup-gwisin-kriptor-cuba-and-more |
| https://www.guidepointsecurity.com/blog/using-hindsight-to-close-a-cuba-cold-case/ |
| https://www.ic3.gov/Media/News/2021/211203-2.pdf |
| https://www.it-connect.fr/le-ransomware-cuba-sen-prend-aux-serveurs-exchange/ |
| https://www.mandiant.com/resources/unc2596-cuba-ransomware |
| https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-threat-report-a-quick-primer-on-cuba-ransomware |
| https://www.mcafee.com/enterprise/en-us/assets/reports/rp-cuba-ransomware.pdf |
| https://www.trendmicro.com/en_us/research/22/f/cuba-ransomware-group-s-new-variant-found-using-optimized-infect.html |
Ransom notes1
Tox1
| Tox |
|---|
| 37790E2D198DFD20C9D2887D4EF7C3E2951BB84248D192689B64DCCA3C8BD808A1895676B271 |
Urls2
| Url | ||||
|---|---|---|---|---|
| http://cuba4mp6ximo2zlo.onion | Down |
|
||
| http://cuba4ikm4jakjgmkezytyawtdgr2xymvy6nvzgw5cglswg3si76icnqd.onion/ | Down |
|
File servers2
| Url | ||||
|---|---|---|---|---|
| http://i34gbmo5rxx3bxc4yl7f4erkyo2oldwavhpdragnjjvhni6fwvptp2id.onion | Down | |||
| https://kcfgfs7cclscxloy3bf2xtwnayimawtzrbfirfbvl47xt7n2brfiizyd.onion/ | Down |
Activity (interactive) 105
Posts105
| Date | Title | Description | Screen |
|---|---|---|---|
| dms-imaging |
|
||
| deknudtframes.be |
|
||
| diagnostechs |
|
||
| portadelaidefc |
|
||
| panaya |
|
||
| prime-art |
|
||
| Newconcepttech |
|
||
| mountstmarys |
|
||
| co.rock.wi.us |
|
||
| goldmedalbakery |
|
||
| hydrex.co.uk |
|
||
| txmplant.co.uk |
|
||
| gis4.addison-il |
|
||
| Inquirer | |||
| Vdi |
|
||
| 2networkit |
|
||
| Sae-a |
|
||
| pu.edu.lb |
|
||
| Gihealthcare |
|
||
| cuba4ikm4jakjgmkezytyawtdgr2xymvy6nvzgw5cglswg3si76icnqd.onion |
|
||
| learning_resources |
|
||
| usairports |
|
||
| first_coast_logistics_services |
|
||
| e.h._wachs_pipe_cutters |
|
||
| datamatics |
|
||
| the_rose_executive_team |
|
||
| afts |
|
||
| otrcapital |
|
||
| forefront_dermatology |
|
||
| innovairre |
|
||
| megaforce |
|
||
| gascaribe |
|
||
| quercus |
|
||
| blackhawk |
|
||
| lycra |
|
||
| technicote |
|
||
| berding-weil |
|
||
| nwdusa |
|
||
| creditriskmonitor |
|
||
| linkmfg |
|
||
| axley |
|
||
| schultheis-ins |
|
||
| meriplex |
|
||
| ohagin |
|
||
| landofrost |
|
||
| ncmutuallife2 |
|
||
| get-integrated |
|
||
| trant.co.uk |
|
||
| bcintlgroup.com |
|
||
| stm.com.tw |
|
||
| site-technology_ |
|
||
| Skupstina |
|
||
| Ginspectionservices |
|
||
| Murphyfamilyventures |
|
||
| Ville-chaville |
|
||
| Dialogsas |
|
||
| bfw |
|
||
| waltersandwolf |
|
||
| Patton |
|
||
| Boss-inc |
|
||
| Landaumedia |
|
||
| Generator-power |
|
||
| company | |||
| ginspectionservices | |||
| skupstina | |||
| site-technology | |||
| stm-com-tw | |||
| r1group |
|
||
| etron |
|
||
| upskwt |
|
||
| fronteousa | |||
| prophoenix |
|
||
| metrobrokers |
|
||
| tavistock | |||
| metagenics |
|
||
| trant-co-uk | |||
| bcintlgroup-com | |||
| haltonhills | |||
| powertech |
|
||
| ids97 | |||
| muntons |
|
||
| heritage-encon | |||
| cmmcpas |
|
||
| shoesforcrews |
|
||
| edgo |
|
||
| mtlcraft |
|
||
| superfund |
|
||
| fdcbuilding |
|
||
| cle |
|
||
| strongwell |
|
||
| sonomatic-2 | |||
| regulvar |
|
||
| delinebox |
|
||
| squamish |
|
||
| bakertilly |
|
||
| sonomatic |
|
||
| atlasdie |
|
||
| ncmutuallife |
|
||
| lahebert |
|
||
| The Squamish Nation is comprised of descendants of the Coast Salish Aboriginal peoples who | |||
| First Coast Logistics Services, Inc. was founded in 1999. The Company's line of business i | |||
| Datamatics is a technology company that builds intelligent solutions enabling data-driven | |||
| Rose Associates Mission Statement | |||
| AFTS supplies the preeminent Payment Processing, IRS 1031 Exchange, Data Processing, Invoi | |||
| OTR Capital believes in simple and straightforward transactions, without hidden costs and |