What’s new in April Variant of Cuba Ransomware
The Cuba ransomware family has got itself a new specimen. The new version of Cuba revealed itself in late April 2022 and was involved in attacks on two companies in Asia. Although the changes compared to previous versions cannot be called crucial, some of them are worth mentioning.
The malware is delivered via the BUGHATCH downloader, which works in connection with its command-and-control (C2) server. The latter sends code (PowerShell scripts and portable executables) to be run on the attacked computer. The downloader itself gets onto the compromised device via a link to a PowerShell script or a dropper Trojan, also written in PowerShell.
The April Cuba variant has undergone some changes in terms of commands. Notably, “local” and “network” are the only two remaining commands that relate to directories and locations.
The list of services and processes that the ransomware terminates upon arrival has been somewhat extended and now comprises 47 items, mostly ensuring that Microsoft Exchange and SQL-related services are cut off before encryption begins.
The list of folders the malware excludes from encryption has also grown to 16 directories, with the Google folder protected alongside the expected Windows and Program Files ones. The file extensions safe-listed from encryption are: .exe, .dll, .sys, .ini, .lnk, .vbm, and, understandably, .cuba.
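A burst of service terminations hitting Exchange and SQL services is a useful detection opportunity for defenders, because the ransomware must stop those services before it can encrypt their files. The following is an added example (not code from the article or from any vendor telemetry) that parses constructed Windows System log lines in the style of Service Control Manager Event ID 7036 ("service entered the stopped state") and raises an alert when several mail- or database-related services stop within a short window. The log line format, the service-name prefixes used as the "target" category, and the window and threshold values are all assumptions made here; the article only states that the terminated list is mostly Exchange- and SQL-related.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample lines modelled on Windows System log entries written by the
# Service Control Manager (Event ID 7036). These are not real telemetry.
SAMPLE_LOG = """\
2022-04-26 09:14:02 7036 The Print Spooler service entered the stopped state.
2022-04-26 10:31:10 7036 The MSExchangeTransport service entered the stopped state.
2022-04-26 10:31:11 7036 The MSExchangeIS service entered the stopped state.
2022-04-26 10:31:11 7036 The MSExchangeMailboxAssistants service entered the stopped state.
2022-04-26 10:31:12 7036 The MSSQLSERVER service entered the stopped state.
2022-04-26 10:31:12 7036 The SQLSERVERAGENT service entered the stopped state.
2022-04-26 10:31:13 7036 The SQLWriter service entered the stopped state.
2022-04-26 10:31:14 7036 The MSExchangeRPC service entered the running state.
2022-04-26 11:05:40 7036 The Windows Update service entered the stopped state.
"""

# Assumed line layout: "<date> <time> <event id> The <service> service entered the <state> state."
LINE_RE = re.compile(r"^(\S+ \S+) (\d+) The (.+?) service entered the (\w+) state\.$")

# Service-name prefixes treated here as the mail/database category. This is an
# assumption for the example, not the ransomware's actual 47-item list.
TARGET_PREFIXES = ("MSExchange", "MSSQL", "SQL")


def parse_stop_events(text):
    """Return (timestamp, service) tuples for every 7036 entry whose new state is 'stopped'."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, event_id, service, state = m.groups()
        if event_id == "7036" and state == "stopped":
            events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), service))
    return events


def is_target_service(name):
    """True when the service name looks like an Exchange or SQL Server component."""
    return name.startswith(TARGET_PREFIXES)


def detect_stop_bursts(events, window_seconds=60, threshold=5):
    """Sliding-window detector: alert when at least `threshold` target services
    stop within `window_seconds`. Both parameters are assumed tuning values."""
    window = deque()
    alerts = []
    for ts, service in sorted(events):
        if not is_target_service(service):
            continue
        window.append((ts, service))
        # Drop entries that fell out of the time window.
        while ts - window[0][0] > timedelta(seconds=window_seconds):
            window.popleft()
        if len(window) >= threshold:
            alerts.append({
                "start": window[0][0],
                "end": ts,
                "services": [s for _, s in window],
            })
            window.clear()  # one alert per burst, avoid re-firing on every later stop
    return alerts


if __name__ == "__main__":
    for alert in detect_stop_bursts(parse_stop_events(SAMPLE_LOG)):
        print(f"{alert['start']} - {alert['end']}: {len(alert['services'])} "
              f"Exchange/SQL services stopped: {', '.join(alert['services'])}")
```

Isolated service stops (the Print Spooler and Windows Update lines) never trip the rule, and a 7036 entry reporting a service returning to the running state is ignored at parse time, so the detector keys only on the rapid, clustered shutdown pattern that precedes encryption rather than on routine administration.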
Two-level extortion
The new Cuba is very caring when it eventually comes to racketeering. This time it is a double-extortion scheme: if the victim does not contact the criminals within three days, the hackers threaten to publish the data extracted from the targeted machine.
Such threats are not a bluff, unfortunately. It happened before to the game developer CD Projekt, when unfinished materials from the Cyberpunk 2077 game were published on the web as a result of a double-extortion ransomware attack in February 2021.
The attackers also go out of their way to accommodate victims ready to cooperate: to make communication easier, they offer a qTox account.