Cybersecurity News

FBI Warns Healthcare of Cuba Ransomware in Latest Flash Alert

Cuba ransomware actors have compromised 49 entities in five critical infrastructure sectors including healthcare, a new FBI flash alert warned.

FBI Warns Healthcare of Cuba Ransomware in Latest Flash Alert

Source: Getty Images

By Jill McKeon

- The FBI issued a flash alert warning organizations about Cuba ransomware actors, who have compromised at least 49 entities across five critical infrastructure sectors, including healthcare. Cuba ransomware actors have already demanded at least $74 million and received at least $43.9 million in ransom payments.

Cuba ransomware has been active since November 2021 and is distributed through Hancitor malware, a loader that helps threat actors drop Remote Access Trojans (RATs) and other types of ransomware on its victims’ networks.

Cuba ransomware actors have deployed ransomware attacks on organizations in the healthcare, government, financial, manufacturing, and information technology sectors in a short period of time.

Hancitor malware actors typically use Microsoft Exchange vulnerabilities, compromised credentials, phishing emails, or legitimate Remote Desktop Protocol (RDP) tools to gain access to networks. Next, Cuba ransomware actors use Windows services such as PowerShell and PsExec to execute ransomware attacks remotely.

Once inside the network, Cuba ransomware actors install and execute a Cobalt Strike beacon on the victim’s network. The Health Sector Cybersecurity Coordination Center (HC3) recently issued a brief warning to the healthcare sector of the threat of Cobalt Strike, which is a remote access tool originally created to defend against cyberattacks.

The ransomware actors are also known to use MimiKatz malware to steal credentials and use RDP to log into the compromised network host.

The flash alert reiterated that the FBI advises against paying ransoms since it does not guarantee that any files will be recovered.

“It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities,” the flash alert stated.

“However, the FBI understands that when victims are faced with an inability to function, all options are evaluated to protect shareholders, employees and customers.”

The FBI recommended that organizations mitigate risk by requiring all accounts with password logins to have strong, unique passwords. In addition, organizations should require multi-factor authentication, keep all operating systems up to date, remove unnecessary access to administrative shares, and use a host-based firewall.

In order to prevent Cuba ransomware actors from learning the organization’s enterprise environment through system visibility and mapping, the FBI suggested that organizations implement network segmentation and time-based access for accounts set at the admin level and higher.

In addition, potential victims should use a networking monitoring tool to aid in ransomware detection and investigate any abnormal activity. It is also crucial that organizations maintain offline data backups, ensure that all backup data is properly encrypted, and disable command-line and scripting activities and permissions.

In November, the FBI along with the Cybersecurity and Infrastructure Security Agency (CISA) and international agencies released an advisory warning the healthcare and transportation sectors about an Iranian government-sponsored advanced persistent threat (APT) group.

Like Cuba ransomware, the group has been exploiting Microsoft Exchange vulnerabilities to orchestrate sophisticated ransomware attacks.