Skip Navigation
BlackBerry Blog
  1. BlackBerry Blog
  2. How Cuba Ransomware Works

How Cuba Ransomware Works

BLACKBERRY PROTECT / 04.22.21 / The BlackBerry Research & Intelligence Team

Introduction

The Cuba ransomware variant first appeared in mid-2020 and made the headlines recently due to its attack on the company known as American Funds Transfer Services (AFTS).

Utilizing an as-of-yet unknown infection vector, the malware comes (in some instances) signed with a digital certificate in order to attempt to appear more like a legitimate file.

Upon execution, Cuba enumerates the victim host and stops various SQL and Microsoft® Exchange related services as well as processes.

It then begins its encryption routine on targeted file types, appends a ‘.cuba’  extension to each affected file, and drops a ransom note titled ‘!!FAQ for Decryption!!.txt’ upon completion of encryption.

The ransom note contains instructions on how to contact the attacker via an email address, and also mentions that all of the victim’s databases, FTP servers and file servers have been uploaded to the attacker’s servers.

Operating System

Table 1: Impacted Operating System

Impact

The following describes the level of impact along with the likelihood of risk this threat currently presents:

Table 2: Threat Impact

Technical Analysis

Cuba ransomware is C++ compiled, Win32 executable. The sample analyzed by the BlackBerry Threat Research team for the technical analysis in this document did not contain any form of packing or obfuscation.

A static examination of the file reveals clues as to a lot of its functionality, such as what appears to be a ransom note and references to the RSA encryption algorithm:

Figure 1: Interesting Strings

Upon execution, Cuba proceeds to enumerate the victim host and search for a hardcoded list of processes and services related to SQL and Microsoft Exchange, which it aims to terminate should any be found running on the host:

Figure 2: List of Terminated Services and P­­­rocesses

It then continues its execution and proceeds to enumerate all directories/files on the victim host, where each file parsed is compared to a hardcoded whitelist of file types it does NOT encrypt; should a file conform to one on the whitelist it is left alone, and enumeration continues to the next file within the directory with the check being performed again:  

Figure 3: Whitelisted Extensions

Should a file not conform to a filetype that is on the whitelist, the malware begins its encryption routine, with the affected file being appended with a ‘.cuba’ file extension:

Figure 4: Encrypted Files

In addition, a ransom note titled ‘!!FAQ for Decryption!!.txt’ is dropped to each directory informing the victim that all of their databases, FTP servers and file servers have been downloaded by the attacker and giving instructions on how to contact the attacker via an email – ‘helpadmin2[at]protonmail[dot]com’ or ‘helpadmin2[at]c*ck[dot]li’:

Figure 5: Cuba Ransom Note

Upon further examination of an encrypted file, it can be seen to contain the string ‘FIDEL.CA’ embedded within its header and likely refers to Fidel Castro, which is another reference to Cuba.

Figure 6: FIDEL.CA Header

Yara Rule

The following Yara rule was authored by the BlackBerry Threat Research Team to catch the threat described in this document:

import "pe"

rule Mal_W32_Ransom_Cuba
{
    meta:
        description = "Cuba Ransomware"
        author = "Blackberry Threat Research"
        date = "2021-04-12"

    strings:

        //Good day. All your files are encrypted. For decryption contact us.  
        $x0 = {476f6f64206461792e20416c6c20796f75722066696c65732061726520656e637279707465642e20466f722064656372797074696f6e20636f6e746163742075732e}
        //We also inform that your databases, ftp server and file server were downloaded by us to our servers.  
        $x1 = {576520616c736f20696e666f726d207468617420796f7572206461746162617365732c206674702073657276657220616e642066696c6520736572766572207765726520646f
776e6c6f6164656420627920757320746f206f757220736572766572732e}
        //FIDEL.CA  
        $x2 = {464944454c2e4341}
        //!!FAQ for Decryption!!.txt  
        $x3 = {21002100460041005100200066006f0072002000440065006300720079007000740069006f006e00210021002e00740078007400}
        //MySQL80
        $x4 = {4d007900530051004c0038003000}
        //MSSQLSERVER  
        $x5 = {4d005300530051004c00530045005200560045005200}
        //SQLWriter 
        $x6 = {530051004c00570072006900740065007200}
        //SQLBrowser
        $x7 = {530051004c00420072006f007700730065007200}
        //sqlservr.exe
        $x8 = {730071006c00730065007200760072002e00650078006500}

    condition:
        uint16(0) == 0x5A4D and
        filesize < 3MB and
        pe.imports("mpr.dll", "WnetEnumResourceW") and
        pe.imports("mpr.dll", "WNetCloseEnum") and
        pe.imports("mpr.dll", "WNetOpenEnumW") and
        pe.imports("netapi32.dll", "NetShareEnum") and

    8 of ($x*)
}


Indicators of Compromise (IoCs)

Files Created:

  • !!FAQ for Decryption!!.txt ← Ransom-Note
  • <filename>.cuba ← Appended File Extension

Attacker Emails:

  • helpadmin2[at]protonmail[dot]com
  • helpadmin2[at]cock[dot]li

Exempted File Types:

  • .exe
  • .dll
  • .sys
  • .ini
  • .cuba

Exempted Folders:

  • C:\Windows\
  • C:\Program Files\Microsoft Office\
  • C:\Program Files (x86)\Microsoft Office\
  • C:\$Recycle.Bin\
  • C:\Boot\
  • C:\Recovery\
  • C:\System Volume Information\
  • C:\MSOCache\
  • C:\Users\Default Users\
  • C:\Users\Default\
  • C:\INetCache\
  • C:\Google\
  • C:\Temp

Terminated Processes and Services:

Services:

MSExchangeUMCR

MSExchangePOP3BE

MSExchangeUM

MSExchangePop3

MSExchangeTransportLogSearch

MSExchangeNotificationsBroker

MSExchangeTransport

MSExchangeMailboxReplication

MSExchangeThrottling

MSExchangeMailboxAssistants

MSExchangeSubmission

MSExchangeIS

MSExchangeServiceHost

MSExchangeIMAP4BE

MSExchangeRPC

MSExchangeImap4

MSExchangeRepl

MSExchangeHMRecovery

MSExchangeDiagnostics

MSExchangeHM

MSExchangeDelivery

MSExchangeFrontEndTransport

MSExchangeDagMgmt

MSExchangeFastSearch

MSExchangeCompliance

MSExchangeEdgeSync

MSExchangeAntispamUpdate

MySQL80

SQLSERVERAGENT

SQLWriter

MSSQLSERVER

SQLTELEMETRY

SQLBrowser

vmcompute

vmms

 


Processes:

sqlagent.exe

sqlbrowser.exe

sqlservr.exe

outlook.exe

sqlwriter.exe

vmwp.exe

sqlceip.exe

vmsp.exe

msdtc.exe

  

 

BlackBerry Assistance

If you're battling this or a similar threat, you've come to the right place, regardless of your existing BlackBerry relationship.

The BlackBerry Incident Response team is made up of world-class consultants dedicated to handling response and containment services for a wide range of incidents, including ransomware and Advanced Persistent Threat (APT) cases.

We have a global consulting team standing by to assist you by providing around-the-clock support, where required, as well as local assistance. Please contact us here: https://www.blackberry.com/us/en/forms/cylance/handraiser/emergency-incident-response-containment

The BlackBerry Research & Intelligence Team

About The BlackBerry Research & Intelligence Team

The BlackBerry Research & Intelligence team examines emerging and persistent threats, providing intelligence analysis for the benefit of defenders and the organizations they serve.

Back