The Cuba ransomware group has compromised 48 U.S. critical infrastructure organizations in the financial, government, healthcare, manufacturing and information technology industries and cashed out with at least $43.9 million in payments, according to a recent FBI flash alert.
To know what to look for, it’s important to understand the methods that the Cuba variant uses to compromise victim systems and respond early enough to stop an attack in progress.
How To Detect Initial Compromise
- Phishing emails – Threat actors send these types of emails to trick users into clicking on malicious links or opening malicious attachments.
- Stolen credentials – Attackers use the open-source credential-dumping tool Mimikatz to extract passwords, hashes, PINs and more from Windows memory in order to escalate privileges. Most security information and event management (SIEM) platforms can detect the presence of Mimikatz on a network.
- Microsoft Exchange vulnerabilities – The Cuba ransomware group uses several vulnerabilities affecting Exchange servers in targeted attacks in the wild. Microsoft has released security updates for them and recommends patching immediately to protect your environment. Learn how Blumira helped a customer evade a real-life Exchange attack.
- Remote Desktop Protocol (RDP) – Commonly used for remote access to Windows machines, RDP is a top attack vector if left open to connections from the public internet. Attackers brute-force or steal RDP credentials to gain initial access to systems. If you need to use RDP, make sure that you adhere to best practices to secure RDP, like ensuring that its traffic flows through a VPN connection protected by multi-factor authentication.
Detect Attacker Communications & Ransomware Distribution
After gaining initial access using any number of methods listed above, the threat actors will then use certain tools and techniques to communicate to their command and control servers, as well as distribute malicious software, including:
- Cobalt Strike Beacon – Cuba ransomware will install and execute a Cobalt Strike Beacon as a service on a victim’s network via PowerShell. The Beacon exchanges encrypted commands with a command and control (also known as C2 or C&C) server controlled by the attacker, which can include instructions to download malware. Cobalt Strike is a post-exploitation framework intended for use by penetration testers, but it is also abused by criminals.
- PowerShell, PsExec – Threat actors will use legitimate Windows services and administrative privileges to deploy ransomware payloads remotely and encrypt their victims’ files using the .cuba extension, according to the FBI alert. PowerShell is a Windows command-line interface and scripting environment used to automate management tasks. But threat actors also abuse PowerShell to execute code and discover information in your Windows environment. These types of attacks are harder to detect since they use built-in administrative tools to accomplish the end goal. Learn more about Blumira’s latest PowerShell detections.
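Both techniques above leave a trace in the Windows System log: a new service installation (Event ID 7045) whose image path is either the PsExec service binary or a PowerShell command with an encoded payload. The following is an added example, not Blumira’s detection logic, that applies that check to a few constructed 7045-style records and decodes any -EncodedCommand argument so an analyst can see what the service would have run.

```python
import base64
import re

# Constructed sample records modelled on Windows System log Event ID 7045
# (service installed). These are illustrative, not real telemetry.
_SAMPLE_PAYLOAD = "Write-Output 'constructed sample'"
SAMPLE_EVENTS = [
    {"event_id": 7045, "host": "ws01", "service_name": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"event_id": 7045, "host": "dc01", "service_name": "a1b2c3d4",
     "image_path": "%COMSPEC% /b /c start /b /min powershell -nop -w hidden -encodedcommand "
                   + base64.b64encode(_SAMPLE_PAYLOAD.encode("utf-16-le")).decode()},
    {"event_id": 7045, "host": "ws02", "service_name": "Spooler",
     "image_path": r"C:\Windows\System32\spoolsv.exe"},
]

# PowerShell accepts several abbreviations of -EncodedCommand.
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\b", re.IGNORECASE)
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(image_path):
    """Return the UTF-16LE script behind a PowerShell -EncodedCommand, or None."""
    m = ENCODED_ARG.search(image_path)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify_service_install(event):
    """Label one 7045 record, or return None when it looks like a normal service."""
    if event.get("event_id") != 7045:
        return None
    path = event["image_path"].lower()
    if event["service_name"].upper() == "PSEXESVC" or "psexesvc" in path:
        return "psexec_service_install"
    if "powershell" in path and ENCODED_FLAG.search(path):
        return "powershell_encoded_service_install"
    return None


def scan(events):
    """Return a finding per suspicious service install, with the decoded command if any."""
    findings = []
    for ev in events:
        label = classify_service_install(ev)
        if label:
            findings.append({"host": ev["host"], "service": ev["service_name"],
                             "label": label, "decoded": decode_encoded_command(ev["image_path"])})
    return findings
```

Running `scan(SAMPLE_EVENTS)` flags the PsExec and encoded-PowerShell installs and leaves the Spooler record alone; in production the same check would run over 7045 events forwarded to the SIEM.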
Automate Attacker Detection For Faster Response
As we get closer to the holidays, it’s important to note that ransomware actors often strike during company off-times, such as weekends and holidays. Keeping vigilant during these times can be made easier by automating your threat hunting so you can detect indicators of an attack outside of typical working human hours.
Monitoring your environment for signs of this type of activity can be time-consuming and difficult for small IT teams, operating without an in-house security operations center (SOC). As a SOC alternative, Blumira’s platform is designed to automatically identify attacker behaviors (including all of the methods listed above), then notify you and provide playbooks to respond to these indicators of a potential attack in progress. For urgent priority issues, Blumira’s responsive and experienced security operations team is on standby 24/7 to guide you through incident response procedures.