How Cuba Ransomware Works
Introduction
The Cuba ransomware variant first appeared in mid-2020 and made the headlines recently due to its attack on the company known as American Funds Transfer Services (AFTS).
Utilizing an as-of-yet unknown infection vector, the malware comes (in some instances) signed with a digital certificate in order to attempt to appear more like a legitimate file.
Upon execution, Cuba enumerates the victim host and stops various SQL and Microsoft® Exchange related services as well as processes.
It then begins its encryption routine on targeted file types, appends a ‘.cuba’ extension to each affected file, and drops a ransom note titled ‘!!FAQ for Decryption!!.txt’ upon completion of encryption.
The ransom note contains instructions on how to contact the attacker via an email address, and also mentions that all of the victim’s databases, FTP servers and file servers have been uploaded to the attacker’s servers.
Operating System
Table 1: Impacted Operating System
Impact
The following describes the level of impact along with the likelihood of risk this threat currently presents:
Table 2: Threat Impact
Technical Analysis
Cuba ransomware is C++ compiled, Win32 executable. The sample analyzed by the BlackBerry Threat Research team for the technical analysis in this document did not contain any form of packing or obfuscation.
A static examination of the file reveals clues as to a lot of its functionality, such as what appears to be a ransom note and references to the RSA encryption algorithm:
Figure 1: Interesting Strings
Upon execution, Cuba proceeds to enumerate the victim host and search for a hardcoded list of processes and services related to SQL and Microsoft Exchange, which it aims to terminate should any be found running on the host:
Figure 2: List of Terminated Services and Processes
It then continues its execution and proceeds to enumerate all directories/files on the victim host, where each file parsed is compared to a hardcoded whitelist of file types it does NOT encrypt; should a file conform to one on the whitelist it is left alone, and enumeration continues to the next file within the directory with the check being performed again:
Figure 3: Whitelisted Extensions
Should a file not conform to a filetype that is on the whitelist, the malware begins its encryption routine, with the affected file being appended with a ‘.cuba’ file extension:
Figure 4: Encrypted Files
In addition, a ransom note titled ‘!!FAQ for Decryption!!.txt’ is dropped to each directory informing the victim that all of their databases, FTP servers and file servers have been downloaded by the attacker and giving instructions on how to contact the attacker via an email – ‘helpadmin2[at]protonmail[dot]com’ or ‘helpadmin2[at]c*ck[dot]li’:
Figure 5: Cuba Ransom Note
Upon further examination of an encrypted file, it can be seen to contain the string ‘FIDEL.CA’ embedded within its header and likely refers to Fidel Castro, which is another reference to Cuba.
Figure 6: FIDEL.CA Header
Yara Rule
The following Yara rule was authored by the BlackBerry Threat Research Team to catch the threat described in this document:
import "pe"
rule Mal_W32_Ransom_Cuba
{
meta:
description = "Cuba Ransomware"
author = "Blackberry Threat Research"
date = "2021-04-12"
strings:
//Good day. All your files are encrypted. For decryption contact us.
$x0 = {476f6f64206461792e20416c6c20796f75722066696c65732061726520656e637279707465642e20466f722064656372797074696f6e20636f6e746163742075732e}
//We also inform that your databases, ftp server and file server were downloaded by us to our servers.
$x1 = {576520616c736f20696e666f726d207468617420796f7572206461746162617365732c206674702073657276657220616e642066696c6520736572766572207765726520646f
776e6c6f6164656420627920757320746f206f757220736572766572732e}
//FIDEL.CA
$x2 = {464944454c2e4341}
//!!FAQ for Decryption!!.txt
$x3 = {21002100460041005100200066006f0072002000440065006300720079007000740069006f006e00210021002e00740078007400}
//MySQL80
$x4 = {4d007900530051004c0038003000}
//MSSQLSERVER
$x5 = {4d005300530051004c00530045005200560045005200}
//SQLWriter
$x6 = {530051004c00570072006900740065007200}
//SQLBrowser
$x7 = {530051004c00420072006f007700730065007200}
//sqlservr.exe
$x8 = {730071006c00730065007200760072002e00650078006500}
condition:
uint16(0) == 0x5A4D and
filesize < 3MB and
pe.imports("mpr.dll", "WnetEnumResourceW") and
pe.imports("mpr.dll", "WNetCloseEnum") and
pe.imports("mpr.dll", "WNetOpenEnumW") and
pe.imports("netapi32.dll", "NetShareEnum") and
8 of ($x*)
}
Indicators of Compromise (IoCs)
Files Created:
- !!FAQ for Decryption!!.txt ← Ransom-Note
- <filename>.cuba ← Appended File Extension
Attacker Emails:
- helpadmin2[at]protonmail[dot]com
- helpadmin2[at]cock[dot]li
Exempted File Types:
- .exe
- .dll
- .sys
- .ini
- .cuba
Exempted Folders:
- C:\Windows\
- C:\Program Files\Microsoft Office\
- C:\Program Files (x86)\Microsoft Office\
- C:\$Recycle.Bin\
- C:\Boot\
- C:\Recovery\
- C:\System Volume Information\
- C:\MSOCache\
- C:\Users\Default Users\
- C:\Users\Default\
- C:\INetCache\
- C:\Google\
- C:\Temp
Terminated Processes and Services:
Services:
MSExchangeUMCR
|
MSExchangePOP3BE
|
MSExchangeUM
|
MSExchangePop3
|
MSExchangeTransportLogSearch
|
MSExchangeNotificationsBroker
|
MSExchangeTransport
|
MSExchangeMailboxReplication
|
MSExchangeThrottling
|
MSExchangeMailboxAssistants
|
MSExchangeSubmission
|
MSExchangeIS
|
MSExchangeServiceHost
|
MSExchangeIMAP4BE
|
MSExchangeRPC
|
MSExchangeImap4
|
MSExchangeRepl
|
MSExchangeHMRecovery
|
MSExchangeDiagnostics
|
MSExchangeHM
|
MSExchangeDelivery
|
MSExchangeFrontEndTransport
|
MSExchangeDagMgmt
|
MSExchangeFastSearch
|
MSExchangeCompliance
|
MSExchangeEdgeSync
|
MSExchangeAntispamUpdate
|
MySQL80
|
SQLSERVERAGENT
|
SQLWriter
|
MSSQLSERVER
|
SQLTELEMETRY
|
SQLBrowser
|
vmcompute
|
vmms
|
|
Processes:
sqlagent.exe
|
sqlbrowser.exe
|
sqlservr.exe
|
outlook.exe
|
sqlwriter.exe
|
vmwp.exe
|
sqlceip.exe
|
vmsp.exe
|
msdtc.exe
|
|
BlackBerry Assistance
If you're battling this or a similar threat, you've come to the right place, regardless of your existing BlackBerry relationship.
The BlackBerry Incident Response team is made up of world-class consultants dedicated to handling response and containment services for a wide range of incidents, including ransomware and Advanced Persistent Threat (APT) cases.
We have a global consulting team standing by to assist you by providing around-the-clock support, where required, as well as local assistance. Please contact us here: https://www.blackberry.com/us/en/forms/cylance/handraiser/emergency-incident-response-containment
About The BlackBerry Research & Intelligence Team
The BlackBerry Research & Intelligence team examines emerging and persistent threats, providing intelligence analysis for the benefit of defenders and the organizations they serve.