Kaspersky Research Finds Cuba Ransomware Group Spreading New Malware
Illustration of ransomware (photo: Pixabay)


JAKARTA - New research from Kaspersky has found that the Cuba ransomware group recently began spreading malware built to evade detection.

According to the report, the group targets organizations around the world and has left a trail of compromised companies across a range of industries.

Kaspersky first linked the activity to the Cuba ransomware group in December 2022, when it detected a suspicious incident on a customer's system. Three suspicious files were found, and analysis of them led to BUGHATCH.

BUGHATCH is a sophisticated backdoor that runs entirely in process memory. It allocates a region of memory through the Windows API and executes a block of shellcode embedded there, with the shellcode calling a range of Windows API functions.

It then connects to a command-and-control (C2) server and waits for further instructions. Among the commands it can receive are orders to download additional tooling such as Cobalt Strike Beacon and Metasploit.

Continuing its investigation, Kaspersky discovered new malware samples associated with the Cuba group on VirusTotal. Some of these samples had evaded detection by other security vendors.

These samples are a new version of the BURNTCIGAR malware, which uses encrypted data to evade antivirus detection.

"Our latest findings underscore the importance of access to recent reports and threat intelligence. When ransomware gangs like Cuba evolve and improve their tactics, staying ahead is essential to effectively mitigate potential attacks," said Gleb Ivanov, cybersecurity expert at Kaspersky.

Cuba is single-file ransomware, which is harder to detect because it runs without additional libraries. The Russian-speaking group is known for its broad reach and targets industries such as retail, finance, logistics, government, and manufacturing in North America, Europe, Oceania, and Asia.

A hallmark of the group's operations is altering the compilation timestamp of its binaries to mislead investigators. Cuba's approach is not limited to encrypting data: attacks are also tailored to exfiltrate sensitive information such as financial documents, bank records, company accounts, and source code.
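The altered compilation timestamp mentioned above is something an analyst can check directly: the PE file's COFF header carries a 32-bit TimeDateStamp, and a value that is zero, in the future relative to when the sample was collected, or implausibly old is a sign of tampering. The following Python is an added example written for this article, not code from Kaspersky or from the malware; the minimal PE header it builds is a constructed fixture with only the fields the parser reads, and the "earliest plausible" cut-off of 2000-01-01 is an assumed threshold.

```python
import struct
from datetime import datetime, timezone

# Offsets from the PE/COFF specification.
E_LFANEW_OFFSET = 0x3C          # DOS header field holding the offset of "PE\0\0"
PE_SIGNATURE = b"PE\0\0"
COFF_HEADER_FMT = "<HHIIIHH"    # Machine, NumberOfSections, TimeDateStamp,
                                # PointerToSymbolTable, NumberOfSymbols,
                                # SizeOfOptionalHeader, Characteristics
# Assumed threshold: anything "compiled" before this date is treated as forged.
EARLIEST_PLAUSIBLE = datetime(2000, 1, 1, tzinfo=timezone.utc)


def pe_coff_header(data: bytes) -> dict:
    """Parse the COFF file header of a PE image and return its fields."""
    if len(data) < E_LFANEW_OFFSET + 4 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("not a PE file: missing PE signature")
    fields = struct.unpack_from(COFF_HEADER_FMT, data, e_lfanew + 4)
    return {
        "machine": fields[0],
        "sections": fields[1],
        "timestamp": fields[2],
    }


def assess_timestamp(ts: int, observed: datetime,
                     earliest: datetime = EARLIEST_PLAUSIBLE) -> str:
    """Classify a COFF TimeDateStamp against the time the sample was observed.

    Returns one of: "zeroed", "future", "implausibly old", "plausible".
    """
    if ts == 0:
        return "zeroed"
    compiled = datetime.fromtimestamp(ts, tz=timezone.utc)
    if compiled > observed:
        return "future"
    if compiled < earliest:
        return "implausibly old"
    return "plausible"


def triage(data: bytes, observed: datetime) -> str:
    """Convenience wrapper: parse the header and classify its timestamp."""
    return assess_timestamp(pe_coff_header(data)["timestamp"], observed)


def build_minimal_pe(timestamp: int, sections: int = 3) -> bytes:
    """Constructed test fixture: a DOS stub, PE signature and COFF header only.

    This is NOT a runnable executable; it exists so the parser can be exercised
    offline on a header with a chosen TimeDateStamp.
    """
    dos = bytearray(E_LFANEW_OFFSET + 4)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, len(dos))   # e_lfanew
    coff = struct.pack(COFF_HEADER_FMT, 0x8664, sections, timestamp, 0, 0, 0, 0)
    return bytes(dos) + PE_SIGNATURE + coff


if __name__ == "__main__":
    observed_at = datetime(2023, 6, 1, tzinfo=timezone.utc)
    # Constructed samples: 2023-01-01, 2030-01-01, epoch+1s, and a zeroed stamp.
    for label, ts in (("normal", 1672531200), ("forged-future", 1893456000),
                      ("forged-old", 1), ("zeroed", 0)):
        print(f"{label:14} -> {triage(build_minimal_pe(ts), observed_at)}")
```

A plausible-looking timestamp does not prove anything; it only means this one check did not fire. In practice the COFF value is cross-checked against the debug directory and, for signed files, the Authenticode signing time, since an attacker who backdates the header rarely keeps all of them consistent.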


The English, Chinese, Japanese, Arabic, and French versions are generated automatically by AI, so translation inaccuracies may remain; the Indonesian version is the authoritative one. (System supported by DigitalSiber.id)