SlideShare a Scribd company logo

Surat peringatan kilat kepada Kelompok Ransomware Kuba

•
•
System 021
System 021

Surat peringatan kilat kepada Kelompok Ransomware Kuba Mengenai Bug Microsoft Exchange Diretas olehnya pada bulan Desember 2021 Sumber : https://www.system021.my.id/2022/02/bug-microsoft-exchange-diretas-oleh-grup-ransomware-kuba.html

Technology
1 of 8
Download to read offline
FLASH Number The following information is being provided by the FBI, with no guarantees or warranties, for potential use at the sole discretion of recipients to protect against cyber threats. This data is provided in order to help cyber security professionals and system administrators to guard against the persistent malicious actions of cyber actors. This FLASH was coordinated with DHS/CISA. This FLASH has been released TLP:WHITE WE NEED YOUR HELP! If you identify any suspicious activity within your enterprise or have related information, please contact your local FBI Cyber Squad immediately with respect to the procedures outlined in the Reporting Notice section of this message. *Note: By reporting any related information to FBI Cyber Squads, you are assisting in sharing information that allows the FBI to track malicious actors and coordinate with private industry and the United States Government to prevent future intrusions and attacks. TLP:WHITE TLP:WHITE 02 Dec 2021 CU-000156-MW Indicators of Compromise Associated with Cuba Ransomware Summary The FBI has identified, as of early November 2021 that Cuba ransomware actors have compromised at least 49 entities in five critical infrastructure sectors, including but not limited to the financial, government, healthcare, manufacturing, and information technology sectors. Cuba ransomware is distributed through Hancitor malware, a loader known for dropping or executing stealers, such as Remote Access Trojans (RATs) and other types of ransomware, onto victims’ networks. Hancitor malware actors use phishing emails, Microsoft Exchange vulnerabilities, compromised credentials, or legitimate Remote Desktop Protocol (RDP) tools to gain initial access to a victim’s network. Subsequently, Cuba ransomware actors use legitimate Windows services—such as PowerShell, PsExec, and other unspecified services—and then leverage Windows Admin privileges to execute their ransomware and other processes remotely. Cuba ransomware actors compromise a victim network through the encryption of target files with the “.cuba” extension. Cuba ransomware actors have demanded at least US $74 million and received at least US $43.9 million in ransom payments.
TLP:WHITE TLP:WHITE Technical Details Cuba ransomware, upon compromise, installs and executes a CobaltStrike beacon as a service on the victim’s network via PowerShell. Once installed, the ransomware downloads two executable files, which include “pones.exe” for password acquisition and “krots.exe,” also known as KPOT, enabling the Cuba ransomware actors to write to the compromised system’s temporary (TMP) file. Once the TMP file is uploaded, the “krots.exe” file is deleted and the TMP file is executed in the compromised network. The TMP file includes Application Programming Interface (API) calls related to memory injection that, once executed, deletes itself from the system. Upon deletion of the TMP file, the compromised network begins communicating with a reported malware repository located at Montenegro-based Uniform Resource Locator (URL) teoresp.com. Further, Cuba ransomware actors use MimiKatz malware to steal credentials, and then use RDP to log into the compromised network host with a specific user account. Once an RDP connection is complete, the Cuba ransomware actors use the CobaltStrike server to communicate with the compromised user account. One of the initial PowerShell script functions allocates memory space to run a base64-encoded payload. Once this payload is loaded into memory, it can be used to reach the remote command-and-control (C2) server and then deploy the next stage of files for the ransomware. The remote C2 server is located at the malicious URL kurvalarva.com Indicators The following are characteristics of a Cuba ransomware compromise, as of mid-October 2021: Cuba Ransomware Associated Files and Hashes, as of Mid-October 2021 File Name File Path File Hash qcklo.aspx c:inetputwwwro otaspnet_client MD5: 7b6f996cc1ad4b5e131e7bf9b1c33253 SHA-1: 2841848ef59dfe7137e15119e4c9ce5e873e3607 SHA-256: b14341b1ffe9e2730394b9066c6829b4e2f59a4234765ae2e 97cfc6d4593730a haqdu.aspx c:inetputwwwro otaspnet_client MD5: 7b6f996cc1ad4b5e131e7bf9b1c33253 SHA-1: 2841848ef59dfe7137e15119e4c9ce5e873e3607 SHA-256: b14341b1ffe9e2730394b9066c6829b4e2f59a4234765ae2e 97cfc6d4593730a komar.ps1 c:windowstemp MD5: ba83831700a73661f99d38d7505b5646 SHA-1: 209ffbc8ba1e93167bca9b67e0ad3561c065595d SHA-256:
TLP:WHITE TLP:WHITE 79d6b1b6b1ecb446b0f49772bf4da63fcec6f6bfc7c2e1f4924 cb7acbb3b4f53 aa.bat c:windowstemp MD5: 3fe1a3aaca999a5db936843c9bdfea14 SHA-1: 25ebe54beb3c422ccd2d90aa8ae89087f71b0bed SHA-256: e82cc49c03320a0fb6ec3512c0ca3332eb1b40070cc53a78bc 80b77b4aba975c aa.dll c:windowstemp MD5: d907be57b5ef2af8a8b45d5f87aa4773 SHA-1: 867d41458d94e985f6b3e2bae1dfb75e14cbc57f SHA-256: 4b5eefa1727b97b6f773be3937a8cc390f0434ddc2f01dc24b 68b690fafbcc93 netping.dll c:windowstemp check.txt c:windowstemp result.txt c:windowstemp protoping.exe c:windowstemp agent32.ps1 c:windowstemp MD5: ba83831700a73661f99d38d7505b5646 SHA-1: 209ffbc8ba1e93167bca9b67e0ad3561c065595d SHA-256: 79d6b1b6b1ecb446b0f49772bf4da63fcec6f6bfc7c2e1f4924 cb7acbb3b4f53 new.dll c:programdata MD5: ee2f71faced3f5b5b202c7576f0f52b9 SHA-1: d1ff26ea3d2d2ced4b7e76d971a60533817048d7 SHA-256: 5cd95b34782ca5acf8a34d9dc184cb880a19b6edcaf4a4553f a0619b597c2f50 run.txt c:windowstemp MD5: 99c7cad7032ec5add3a21582a64bb149 SHA-1: 4de5d433af5701462517719ce097bb4c0e5676c9 SHA-256: 7f4bdf94a0e0457f41bdd1a8d8d9fc39fc383d3d0a33104882 8d391bbf727a1e agent32.bin c:windowstemp MD5: 72a60d799ae9e4f0a3443a2f96fb4896 SHA-1: a304497ff076348e098310f530779002a326c264 SHA-256: 6d5ca42906c60caa7d3e0564b011d20b87b175cbd9d44a96 673b46a82b07df68 dc.exe iv.exe ivnet.exe shar.bat psexesrv.exe 82.ps1 process 66-87.dll; install.cmd ce3a6224dae98fdaa712cfa6495cb72349f333133dbfb339c9 e90699cbe4e8e
TLP:WHITE TLP:WHITE 141b2190f51397dbd0dfde0e3904b264c91b6f81febc823ff0 c33da980b69944 1d142c36c6cdd393fe543a6b7782f25a9cbafca17a1cfa0f3fc 0f5a9431dbf3f 81bdd622f0cb9d7e2ac5325a74606fa7818bd4205f37184eb a68cdcbe96942f6 d010fbb1afeb610338c49ae2425b6b7c4a9f4c469aedd096a 15b32527565d7db 7e765942d89cd3bfaca41034cd959b8d741085bd8bcedbb7 41e15ed685227a5e 05f90cad3627f5253e1a03156793bc6cada7f4ce0d510f5513 9f0285fcff589d EEDC68C92C50BE88C5935651D6B772D4728C3566581BE1F 24D4CE7EF63A76D2E 3468C6DEB3827F5C161A8622E7D794444C7B38225F6F150 02193D2572A4D132E 02B17677BEC8A4FBB77FDDB347BFDCC651FF2B25187131C CE45C326E3CF42FE5 188E66158E0F96AD1FFD3F090E2570B8644CD80733C7AAF B931E893A4F280165 Cuba Ransomware Associated Email Addresses, as of Mid-October 2021 Email Provider Email Addresses Protonmail ad_default@protonmail.com admansmit001@protonmail.com afts_agent@protonmail.com helpadmin1@protonmail.com helpallen@protonmail.com helpallen@protonmail.com mail_supportRG@protonmail.com roselondon@protonmail.com system_admC@protonmail.com Protonmail.ch dark_sysadmin@protonmail.ch iracomp1@protonmail.ch iracomp3@protonmail.ch LR_FWS_H2M_ET@protonmail.ch under_amur@protonmail.ch Cock.li cloudkey@cock.li fiaadministrator@cock.li frankstore@cock.li helpallen@cock.li iracomp@cock.li ivantisupport@cock.li
TLP:WHITE TLP:WHITE logme@cock.li mfra@cock.li morebeerplease@cock.li roselondon@cock.li Cuba-supp.com admin@cuba-supp.com Cuba Ransomware Associated Jabber Address, as of Mid-October 2021 cuba_support@exploit.im IP Addresses Associated with Cuba Ransomware, as of Mid-October 2021 37.120.193.123 40.115.162.72 157.245.70.127 31.44.184.82 185.153.199.176 Bitcoin Wallet Receiving Ransom Payments, as of Mid-October 2021 bc1qvpk8ksl3my6kjezjss9p28cqj4dmpmmjx5yl3y bc1qhtwfcysclc7pck2y3vmjtpzkaezhcm6perc99x bc1qft3s53ur5uq5ru6sl3zyr247dpr55mnggwucd3 bc1qp7h9fszlqxjwyfhv0upparnsgx56x7v7wfx4x7 Sample Cuba Ransom Note, as of Mid-October 2021 Good day. All your files are encrypted. For decryption contact us. Write here iracomp3@protonmail.com We also inform that your databases, ftp server and file server were downloaded by us to our servers. * Do not rename encrypted files * Do not try to decrypto your data using third party software, it may cause permanent data loss. Information Requested: The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, Bitcoin wallet information, the decryptor file, and/or a benign sample of an encrypted file. The FBI does not encourage paying ransoms. Payment does not guarantee files will be recovered. It may also embolden adversaries to target
TLP:WHITE TLP:WHITE additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. However, the FBI understands that when victims are faced with an inability to function, all options are evaluated to protect shareholders, employees and customers. Regardless of whether you or your organization have decided to pay the ransom, the FBI urges you to promptly report ransomware incidents to your local field office. Doing so provides the FBI with critical information needed to prevent future attacks by identifying and tracking ransomware attackers and holding them accountable under US law. Recommended Mitigations: FBI recommends network defenders to apply the following mitigations to reduce the risk of compromise by Cuba ransomware:  Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to have strong, unique passwords. Passwords should not be reused across multiple accounts or stored on the system where an adversary may have access. Note: Devices with local administrative accounts should implement a password policy that requires strong, unique passwords for each individual administrative account.  Require multi-factor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.  Keep all operating systems and software up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.  Remove unnecessary access to administrative shares, especially ADMIN$ and C$. If ADMIN$ and C$ are deemed operationally necessary, restrict privileges to only the necessary service or user accounts and perform continuous monitoring for anomalous activity.  Use a host-based firewall to only allow connections to administrative shares via server message block (SMB) from a limited set of administrator machines. Adversaries use system and network discovery techniques for network and system visibility and mapping. To limit an adversary from learning the organization’s enterprise environment, limit common system and network discovery techniques by taking the following actions:  Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement.  Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic, including lateral
TLP:WHITE TLP:WHITE movement activity on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host.  Implement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the AD level when the account is not in direct need. When the account is needed, individual users submit their requests through an automated process that enables access to a system, but only for a set timeframe to support task completion.  Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities that run from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally.  Maintain offline backups of data, and regularly maintain backup and restoration. This practice will ensure the organization will not be severely interrupted, have irretrievable data.  Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure. Additional Resources For additional resources related to the prevention and mitigation of ransomware, go to https://www.stopransomware.gov as well as the CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide. Stopransomware.gov is the Government’s new, official one-stop location for resources to tackle ransomware more effectively.
TLP:WHITE TLP:WHITE Reporting Notice The FBI encourages recipients of this document to report information concerning suspicious or criminal activity to their local FBI field office. With regards to specific information that appears in this communication; the context, individual indicators, particularly those of a non- deterministic or ephemeral nature (such as filenames or IP addresses), may not be indicative of a compromise. Indicators should always be evaluated in light of your complete information security situation. Field office contacts can be identified at www.fbi.gov/contact-us/field-offices. When available, each report submitted should include the date, time, location, type of activity, number of people, and type of equipment used for the activity, the name of the submitting company or organization, and a designated point of contact. Administrative Note This product is marked TLP:WHITE. Subject to standard copyright rules, the information in this product may be shared without restriction. Your Feedback Regarding this Product is Critical Was this product of value to your organization? Was the content clear and concise? Your comments are very important to us and can be submitted anonymously. Please take a moment to complete the survey at the link below. Feedback should be specific to your experience with our written products to enable the FBI to make quick and continuous improvements to such products. Feedback may be submitted online here: Please note that this survey is for feedback on content and value only. Reporting of technical information regarding FLASH reports must be submitted through your local FBI office. https://www.ic3.gov/PIFSurvey

Recommended

Fbi cyber division bulletin on tools reportedly used by opm hackers
Fbi cyber division bulletin on tools reportedly used by opm hackersFbi cyber division bulletin on tools reportedly used by opm hackers
Fbi cyber division bulletin on tools reportedly used by opm hackersRepentSinner
 
Carbanak apt eng
Carbanak apt engCarbanak apt eng
Carbanak apt engMerve Kara
 
Ce hv8 module 04 enumeration
Ce hv8 module 04 enumerationCe hv8 module 04 enumeration
Ce hv8 module 04 enumerationMehrdad Jingoism
 
Infragard HiKit FLASH Alert.
Infragard HiKit FLASH Alert.Infragard HiKit FLASH Alert.
Infragard HiKit FLASH Alert.Travis
 
External threats-to-information-system
External threats-to-information-systemExternal threats-to-information-system
External threats-to-information-systemSouman Guha
 
Anatomy of an Advanced Retail Breach
Anatomy of an Advanced Retail BreachAnatomy of an Advanced Retail Breach
Anatomy of an Advanced Retail BreachIBM Security
 
Hack the hack
Hack the hackHack the hack
Hack the hackShakti Ranjan
 
Zeus
ZeusZeus
ZeusMaGn3t0
 

Recommended

Fbi cyber division bulletin on tools reportedly used by opm hackers
Fbi cyber division bulletin on tools reportedly used by opm hackersFbi cyber division bulletin on tools reportedly used by opm hackers
Fbi cyber division bulletin on tools reportedly used by opm hackersRepentSinner
 
Carbanak apt eng
Carbanak apt engCarbanak apt eng
Carbanak apt engMerve Kara
 
Ce hv8 module 04 enumeration
Ce hv8 module 04 enumerationCe hv8 module 04 enumeration
Ce hv8 module 04 enumerationMehrdad Jingoism
 
Infragard HiKit FLASH Alert.
Infragard HiKit FLASH Alert.Infragard HiKit FLASH Alert.
Infragard HiKit FLASH Alert.Travis
 
External threats-to-information-system
External threats-to-information-systemExternal threats-to-information-system
External threats-to-information-systemSouman Guha
 
Anatomy of an Advanced Retail Breach
Anatomy of an Advanced Retail BreachAnatomy of an Advanced Retail Breach
Anatomy of an Advanced Retail BreachIBM Security
 
Hack the hack
Hack the hackHack the hack
Hack the hackShakti Ranjan
 
Zeus
ZeusZeus
ZeusMaGn3t0
 
Hacking 1224807880385377-9
Hacking 1224807880385377-9Hacking 1224807880385377-9
Hacking 1224807880385377-9Geoff Pesimo
 
Security & threats Presentation => (Presenter: Komal Mehfooz)
Security & threats Presentation => (Presenter: Komal Mehfooz) Security & threats Presentation => (Presenter: Komal Mehfooz)
Security & threats Presentation => (Presenter: Komal Mehfooz) Komal Mehfooz
 
When developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part iiWhen developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part iiYury Chemerkin
 
Worldwide Cyber Threats report to House Permanent Select Committee on Intelli...
Worldwide Cyber Threats report to House Permanent Select Committee on Intelli...Worldwide Cyber Threats report to House Permanent Select Committee on Intelli...
Worldwide Cyber Threats report to House Permanent Select Committee on Intelli...David Sweigert
 
Ransomware Review 2017
Ransomware Review 2017Ransomware Review 2017
Ransomware Review 2017Dryden Geary
 
Repost _Healthcare
Repost _HealthcareRepost _Healthcare
Repost _HealthcareDr. Rachael Fisher
 
HR's Critical Role in Protecting Company Data
HR's Critical Role in Protecting Company DataHR's Critical Role in Protecting Company Data
HR's Critical Role in Protecting Company DataParsons Behle & Latimer
 
Warrantless governmental surveillance through the use of emerging technology ...
Warrantless governmental surveillance through the use of emerging technology ...Warrantless governmental surveillance through the use of emerging technology ...
Warrantless governmental surveillance through the use of emerging technology ...Vania_Chaker
 
E-threat landscape report H1 2012
E-threat landscape report H1 2012E-threat landscape report H1 2012
E-threat landscape report H1 2012BitDefenderRo
 
Malware from the Consumer Jungle
Malware from the Consumer JungleMalware from the Consumer Jungle
Malware from the Consumer JungleJason S
 
Us government agencies ip rang
Us government agencies ip rangUs government agencies ip rang
Us government agencies ip rangRepentSinner
 
Symantec Intelligence Report November 2014
Symantec Intelligence Report November 2014Symantec Intelligence Report November 2014
Symantec Intelligence Report November 2014Symantec
 
H1 2011 E-Threat Landscape Report
H1 2011 E-Threat Landscape ReportH1 2011 E-Threat Landscape Report
H1 2011 E-Threat Landscape ReportBitdefender
 
cyber attacks in May , breaches in May
cyber attacks in May , breaches in Maycyber attacks in May , breaches in May
cyber attacks in May , breaches in MaySathish Kumar K
 
Carbanak Rapor Kaspersky
Carbanak Rapor KasperskyCarbanak Rapor Kaspersky
Carbanak Rapor KasperskyZafer YILMAZKARA
 
Carbanak apt eng
Carbanak apt engCarbanak apt eng
Carbanak apt engMerve Kara
 
Reverse engineering malware
Reverse engineering malwareReverse engineering malware
Reverse engineering malwareCysinfo Cyber Security Community
 
Comparative Study of Fileless Ransomware
Comparative Study of Fileless RansomwareComparative Study of Fileless Ransomware
Comparative Study of Fileless Ransomwareijtsrd
 
RIFDHY RM ( Cybersecurity ).pdf
RIFDHY RM ( Cybersecurity ).pdfRIFDHY RM ( Cybersecurity ).pdf
RIFDHY RM ( Cybersecurity ).pdfRifDhy22
 
The EternalBlue Exploit: how it works and affects systems
The EternalBlue Exploit: how it works and affects systemsThe EternalBlue Exploit: how it works and affects systems
The EternalBlue Exploit: how it works and affects systemsAndrea Bissoli
 
HCA 530, Week2, Psa i-091516-ransomware notice from fbi
HCA 530, Week2, Psa i-091516-ransomware notice from fbiHCA 530, Week2, Psa i-091516-ransomware notice from fbi
HCA 530, Week2, Psa i-091516-ransomware notice from fbiMatthew J McMahon
 
Ransomware - The Growing Threat
Ransomware - The Growing ThreatRansomware - The Growing Threat
Ransomware - The Growing ThreatNick Miller
 

More Related Content

What's hot

Hacking 1224807880385377-9
Hacking 1224807880385377-9Hacking 1224807880385377-9
Hacking 1224807880385377-9Geoff Pesimo
 
Security & threats Presentation => (Presenter: Komal Mehfooz)
Security & threats Presentation => (Presenter: Komal Mehfooz) Security & threats Presentation => (Presenter: Komal Mehfooz)
Security & threats Presentation => (Presenter: Komal Mehfooz) Komal Mehfooz
 
When developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part iiWhen developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part iiYury Chemerkin
 
Worldwide Cyber Threats report to House Permanent Select Committee on Intelli...
Worldwide Cyber Threats report to House Permanent Select Committee on Intelli...Worldwide Cyber Threats report to House Permanent Select Committee on Intelli...
Worldwide Cyber Threats report to House Permanent Select Committee on Intelli...David Sweigert
 
Ransomware Review 2017
Ransomware Review 2017Ransomware Review 2017
Ransomware Review 2017Dryden Geary
 
HR's Critical Role in Protecting Company Data
HR's Critical Role in Protecting Company DataHR's Critical Role in Protecting Company Data
HR's Critical Role in Protecting Company DataParsons Behle & Latimer
 
Warrantless governmental surveillance through the use of emerging technology ...
Warrantless governmental surveillance through the use of emerging technology ...Warrantless governmental surveillance through the use of emerging technology ...
Warrantless governmental surveillance through the use of emerging technology ...Vania_Chaker
 
E-threat landscape report H1 2012
E-threat landscape report H1 2012E-threat landscape report H1 2012
E-threat landscape report H1 2012BitDefenderRo
 
Malware from the Consumer Jungle
Malware from the Consumer JungleMalware from the Consumer Jungle
Malware from the Consumer JungleJason S
 
Us government agencies ip rang
Us government agencies ip rangUs government agencies ip rang
Us government agencies ip rangRepentSinner
 
Symantec Intelligence Report November 2014
Symantec Intelligence Report November 2014Symantec Intelligence Report November 2014
Symantec Intelligence Report November 2014Symantec
 
H1 2011 E-Threat Landscape Report
H1 2011 E-Threat Landscape ReportH1 2011 E-Threat Landscape Report
H1 2011 E-Threat Landscape ReportBitdefender
 

What's hot (13)

Hacking 1224807880385377-9
Hacking 1224807880385377-9Hacking 1224807880385377-9
Hacking 1224807880385377-9
 
Security & threats Presentation => (Presenter: Komal Mehfooz)
Security & threats Presentation => (Presenter: Komal Mehfooz) Security & threats Presentation => (Presenter: Komal Mehfooz)
Security & threats Presentation => (Presenter: Komal Mehfooz)
 
When developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part iiWhen developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part ii
 
Worldwide Cyber Threats report to House Permanent Select Committee on Intelli...
Worldwide Cyber Threats report to House Permanent Select Committee on Intelli...Worldwide Cyber Threats report to House Permanent Select Committee on Intelli...
Worldwide Cyber Threats report to House Permanent Select Committee on Intelli...
 
Ransomware Review 2017
Ransomware Review 2017Ransomware Review 2017
Ransomware Review 2017
 
Repost _Healthcare
Repost _HealthcareRepost _Healthcare
Repost _Healthcare
 
HR's Critical Role in Protecting Company Data
HR's Critical Role in Protecting Company DataHR's Critical Role in Protecting Company Data
HR's Critical Role in Protecting Company Data
 
Warrantless governmental surveillance through the use of emerging technology ...
Warrantless governmental surveillance through the use of emerging technology ...Warrantless governmental surveillance through the use of emerging technology ...
Warrantless governmental surveillance through the use of emerging technology ...
 
E-threat landscape report H1 2012
E-threat landscape report H1 2012E-threat landscape report H1 2012
E-threat landscape report H1 2012
 
Malware from the Consumer Jungle
Malware from the Consumer JungleMalware from the Consumer Jungle
Malware from the Consumer Jungle
 
Us government agencies ip rang
Us government agencies ip rangUs government agencies ip rang
Us government agencies ip rang
 
Symantec Intelligence Report November 2014
Symantec Intelligence Report November 2014Symantec Intelligence Report November 2014
Symantec Intelligence Report November 2014
 
H1 2011 E-Threat Landscape Report
H1 2011 E-Threat Landscape ReportH1 2011 E-Threat Landscape Report
H1 2011 E-Threat Landscape Report
 

Similar to Surat peringatan kilat kepada Kelompok Ransomware Kuba

cyber attacks in May , breaches in May
cyber attacks in May , breaches in Maycyber attacks in May , breaches in May
cyber attacks in May , breaches in MaySathish Kumar K
 
Carbanak Rapor Kaspersky
Carbanak Rapor KasperskyCarbanak Rapor Kaspersky
Carbanak Rapor KasperskyZafer YILMAZKARA
 
Carbanak apt eng
Carbanak apt engCarbanak apt eng
Carbanak apt engMerve Kara
 
Comparative Study of Fileless Ransomware
Comparative Study of Fileless RansomwareComparative Study of Fileless Ransomware
Comparative Study of Fileless Ransomwareijtsrd
 
RIFDHY RM ( Cybersecurity ).pdf
RIFDHY RM ( Cybersecurity ).pdfRIFDHY RM ( Cybersecurity ).pdf
RIFDHY RM ( Cybersecurity ).pdfRifDhy22
 
The EternalBlue Exploit: how it works and affects systems
The EternalBlue Exploit: how it works and affects systemsThe EternalBlue Exploit: how it works and affects systems
The EternalBlue Exploit: how it works and affects systemsAndrea Bissoli
 
HCA 530, Week2, Psa i-091516-ransomware notice from fbi
HCA 530, Week2, Psa i-091516-ransomware notice from fbiHCA 530, Week2, Psa i-091516-ransomware notice from fbi
HCA 530, Week2, Psa i-091516-ransomware notice from fbiMatthew J McMahon
 
Ransomware - The Growing Threat
Ransomware - The Growing ThreatRansomware - The Growing Threat
Ransomware - The Growing ThreatNick Miller
 
A comprehensive survey ransomware attacks prevention, monitoring and damage c...
A comprehensive survey ransomware attacks prevention, monitoring and damage c...A comprehensive survey ransomware attacks prevention, monitoring and damage c...
A comprehensive survey ransomware attacks prevention, monitoring and damage c...RSIS International
 
A Comprehensive Survey: Ransomware Attacks Prevention, Monitoring and Damage ...
A Comprehensive Survey: Ransomware Attacks Prevention, Monitoring and Damage ...A Comprehensive Survey: Ransomware Attacks Prevention, Monitoring and Damage ...
A Comprehensive Survey: Ransomware Attacks Prevention, Monitoring and Damage ...AshishDPatel1
 
A Comprehensive Survey: Ransomware Attacks Prevention, Monitoring and Damage ...
A Comprehensive Survey: Ransomware Attacks Prevention, Monitoring and Damage ...A Comprehensive Survey: Ransomware Attacks Prevention, Monitoring and Damage ...
A Comprehensive Survey: Ransomware Attacks Prevention, Monitoring and Damage ...RSIS International
 
Reversing and Decrypting the Communications of APT Malware (Etumbot)
Reversing and Decrypting the Communications of APT Malware (Etumbot)Reversing and Decrypting the Communications of APT Malware (Etumbot)
Reversing and Decrypting the Communications of APT Malware (Etumbot)securityxploded
 
Reversing and decrypting communications of apt malware
Reversing and decrypting communications of apt malwareReversing and decrypting communications of apt malware
Reversing and decrypting communications of apt malwareCysinfo Cyber Security Community
 
Briskinfosec - Threatsploit Report Augest 2021- Cyber security updates
Briskinfosec - Threatsploit Report Augest 2021- Cyber security updatesBriskinfosec - Threatsploit Report Augest 2021- Cyber security updates
Briskinfosec - Threatsploit Report Augest 2021- Cyber security updatesBriskinfosec Technology and Consulting
 
Parag presentation on ethical hacking
Parag presentation on ethical hackingParag presentation on ethical hacking
Parag presentation on ethical hackingparag101
 
RANSOMWARE FINAL.pptx
RANSOMWARE FINAL.pptxRANSOMWARE FINAL.pptx
RANSOMWARE FINAL.pptxMargaeryBacareza
 
ransomware keylogger rootkit.pptx
ransomware keylogger rootkit.pptxransomware keylogger rootkit.pptx
ransomware keylogger rootkit.pptxdawitTerefe5
 

Similar to Surat peringatan kilat kepada Kelompok Ransomware Kuba (20)

cyber attacks in May , breaches in May
cyber attacks in May , breaches in Maycyber attacks in May , breaches in May
cyber attacks in May , breaches in May
 
Carbanak Rapor Kaspersky
Carbanak Rapor KasperskyCarbanak Rapor Kaspersky
Carbanak Rapor Kaspersky
 
Carbanak apt eng
Carbanak apt engCarbanak apt eng
Carbanak apt eng
 
Reverse engineering malware
Reverse engineering malwareReverse engineering malware
Reverse engineering malware
 
Comparative Study of Fileless Ransomware
Comparative Study of Fileless RansomwareComparative Study of Fileless Ransomware
Comparative Study of Fileless Ransomware
 
RIFDHY RM ( Cybersecurity ).pdf
RIFDHY RM ( Cybersecurity ).pdfRIFDHY RM ( Cybersecurity ).pdf
RIFDHY RM ( Cybersecurity ).pdf
 
The EternalBlue Exploit: how it works and affects systems
The EternalBlue Exploit: how it works and affects systemsThe EternalBlue Exploit: how it works and affects systems
The EternalBlue Exploit: how it works and affects systems
 
HCA 530, Week2, Psa i-091516-ransomware notice from fbi
HCA 530, Week2, Psa i-091516-ransomware notice from fbiHCA 530, Week2, Psa i-091516-ransomware notice from fbi
HCA 530, Week2, Psa i-091516-ransomware notice from fbi
 
Ransomware - The Growing Threat
Ransomware - The Growing ThreatRansomware - The Growing Threat
Ransomware - The Growing Threat
 
A comprehensive survey ransomware attacks prevention, monitoring and damage c...
A comprehensive survey ransomware attacks prevention, monitoring and damage c...A comprehensive survey ransomware attacks prevention, monitoring and damage c...
A comprehensive survey ransomware attacks prevention, monitoring and damage c...
 
A Comprehensive Survey: Ransomware Attacks Prevention, Monitoring and Damage ...
A Comprehensive Survey: Ransomware Attacks Prevention, Monitoring and Damage ...A Comprehensive Survey: Ransomware Attacks Prevention, Monitoring and Damage ...
A Comprehensive Survey: Ransomware Attacks Prevention, Monitoring and Damage ...
 
A Comprehensive Survey: Ransomware Attacks Prevention, Monitoring and Damage ...
A Comprehensive Survey: Ransomware Attacks Prevention, Monitoring and Damage ...A Comprehensive Survey: Ransomware Attacks Prevention, Monitoring and Damage ...
A Comprehensive Survey: Ransomware Attacks Prevention, Monitoring and Damage ...
 
Reversing and Decrypting the Communications of APT Malware (Etumbot)
Reversing and Decrypting the Communications of APT Malware (Etumbot)Reversing and Decrypting the Communications of APT Malware (Etumbot)
Reversing and Decrypting the Communications of APT Malware (Etumbot)
 
News bytes Sept-2011
News bytes Sept-2011News bytes Sept-2011
News bytes Sept-2011
 
Reversing and decrypting communications of apt malware
Reversing and decrypting communications of apt malwareReversing and decrypting communications of apt malware
Reversing and decrypting communications of apt malware
 
Briskinfosec - Threatsploit Report Augest 2021- Cyber security updates
Briskinfosec - Threatsploit Report Augest 2021- Cyber security updatesBriskinfosec - Threatsploit Report Augest 2021- Cyber security updates
Briskinfosec - Threatsploit Report Augest 2021- Cyber security updates
 
Ransomware
RansomwareRansomware
Ransomware
 
Parag presentation on ethical hacking
Parag presentation on ethical hackingParag presentation on ethical hacking
Parag presentation on ethical hacking
 
RANSOMWARE FINAL.pptx
RANSOMWARE FINAL.pptxRANSOMWARE FINAL.pptx
RANSOMWARE FINAL.pptx
 
ransomware keylogger rootkit.pptx
ransomware keylogger rootkit.pptxransomware keylogger rootkit.pptx
ransomware keylogger rootkit.pptx
 

Recently uploaded

Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbuapidays
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel AraĂşjo
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...apidays
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024The Digital Insurer
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024The Digital Insurer
 

Recently uploaded (20)

Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 

Surat peringatan kilat kepada Kelompok Ransomware Kuba

  • 1. FLASH Number The following information is being provided by the FBI, with no guarantees or warranties, for potential use at the sole discretion of recipients to protect against cyber threats. This data is provided in order to help cyber security professionals and system administrators to guard against the persistent malicious actions of cyber actors. This FLASH was coordinated with DHS/CISA. This FLASH has been released TLP:WHITE WE NEED YOUR HELP! If you identify any suspicious activity within your enterprise or have related information, please contact your local FBI Cyber Squad immediately with respect to the procedures outlined in the Reporting Notice section of this message. *Note: By reporting any related information to FBI Cyber Squads, you are assisting in sharing information that allows the FBI to track malicious actors and coordinate with private industry and the United States Government to prevent future intrusions and attacks. TLP:WHITE TLP:WHITE 02 Dec 2021 CU-000156-MW Indicators of Compromise Associated with Cuba Ransomware Summary The FBI has identified, as of early November 2021 that Cuba ransomware actors have compromised at least 49 entities in five critical infrastructure sectors, including but not limited to the financial, government, healthcare, manufacturing, and information technology sectors. Cuba ransomware is distributed through Hancitor malware, a loader known for dropping or executing stealers, such as Remote Access Trojans (RATs) and other types of ransomware, onto victims’ networks. Hancitor malware actors use phishing emails, Microsoft Exchange vulnerabilities, compromised credentials, or legitimate Remote Desktop Protocol (RDP) tools to gain initial access to a victim’s network. Subsequently, Cuba ransomware actors use legitimate Windows services—such as PowerShell, PsExec, and other unspecified services—and then leverage Windows Admin privileges to execute their ransomware and other processes remotely. Cuba ransomware actors compromise a victim network through the encryption of target files with the “.cuba” extension. Cuba ransomware actors have demanded at least US $74 million and received at least US $43.9 million in ransom payments.
  • 2. TLP:WHITE TLP:WHITE Technical Details Cuba ransomware, upon compromise, installs and executes a CobaltStrike beacon as a service on the victim’s network via PowerShell. Once installed, the ransomware downloads two executable files, which include “pones.exe” for password acquisition and “krots.exe,” also known as KPOT, enabling the Cuba ransomware actors to write to the compromised system’s temporary (TMP) file. Once the TMP file is uploaded, the “krots.exe” file is deleted and the TMP file is executed in the compromised network. The TMP file includes Application Programming Interface (API) calls related to memory injection that, once executed, deletes itself from the system. Upon deletion of the TMP file, the compromised network begins communicating with a reported malware repository located at Montenegro-based Uniform Resource Locator (URL) teoresp.com. Further, Cuba ransomware actors use MimiKatz malware to steal credentials, and then use RDP to log into the compromised network host with a specific user account. Once an RDP connection is complete, the Cuba ransomware actors use the CobaltStrike server to communicate with the compromised user account. One of the initial PowerShell script functions allocates memory space to run a base64-encoded payload. Once this payload is loaded into memory, it can be used to reach the remote command-and-control (C2) server and then deploy the next stage of files for the ransomware. The remote C2 server is located at the malicious URL kurvalarva.com Indicators The following are characteristics of a Cuba ransomware compromise, as of mid-October 2021: Cuba Ransomware Associated Files and Hashes, as of Mid-October 2021 File Name File Path File Hash qcklo.aspx c:inetputwwwro otaspnet_client MD5: 7b6f996cc1ad4b5e131e7bf9b1c33253 SHA-1: 2841848ef59dfe7137e15119e4c9ce5e873e3607 SHA-256: b14341b1ffe9e2730394b9066c6829b4e2f59a4234765ae2e 97cfc6d4593730a haqdu.aspx c:inetputwwwro otaspnet_client MD5: 7b6f996cc1ad4b5e131e7bf9b1c33253 SHA-1: 2841848ef59dfe7137e15119e4c9ce5e873e3607 SHA-256: b14341b1ffe9e2730394b9066c6829b4e2f59a4234765ae2e 97cfc6d4593730a komar.ps1 c:windowstemp MD5: ba83831700a73661f99d38d7505b5646 SHA-1: 209ffbc8ba1e93167bca9b67e0ad3561c065595d SHA-256:
  • 3. TLP:WHITE TLP:WHITE 79d6b1b6b1ecb446b0f49772bf4da63fcec6f6bfc7c2e1f4924 cb7acbb3b4f53 aa.bat c:windowstemp MD5: 3fe1a3aaca999a5db936843c9bdfea14 SHA-1: 25ebe54beb3c422ccd2d90aa8ae89087f71b0bed SHA-256: e82cc49c03320a0fb6ec3512c0ca3332eb1b40070cc53a78bc 80b77b4aba975c aa.dll c:windowstemp MD5: d907be57b5ef2af8a8b45d5f87aa4773 SHA-1: 867d41458d94e985f6b3e2bae1dfb75e14cbc57f SHA-256: 4b5eefa1727b97b6f773be3937a8cc390f0434ddc2f01dc24b 68b690fafbcc93 netping.dll c:windowstemp check.txt c:windowstemp result.txt c:windowstemp protoping.exe c:windowstemp agent32.ps1 c:windowstemp MD5: ba83831700a73661f99d38d7505b5646 SHA-1: 209ffbc8ba1e93167bca9b67e0ad3561c065595d SHA-256: 79d6b1b6b1ecb446b0f49772bf4da63fcec6f6bfc7c2e1f4924 cb7acbb3b4f53 new.dll c:programdata MD5: ee2f71faced3f5b5b202c7576f0f52b9 SHA-1: d1ff26ea3d2d2ced4b7e76d971a60533817048d7 SHA-256: 5cd95b34782ca5acf8a34d9dc184cb880a19b6edcaf4a4553f a0619b597c2f50 run.txt c:windowstemp MD5: 99c7cad7032ec5add3a21582a64bb149 SHA-1: 4de5d433af5701462517719ce097bb4c0e5676c9 SHA-256: 7f4bdf94a0e0457f41bdd1a8d8d9fc39fc383d3d0a33104882 8d391bbf727a1e agent32.bin c:windowstemp MD5: 72a60d799ae9e4f0a3443a2f96fb4896 SHA-1: a304497ff076348e098310f530779002a326c264 SHA-256: 6d5ca42906c60caa7d3e0564b011d20b87b175cbd9d44a96 673b46a82b07df68 dc.exe iv.exe ivnet.exe shar.bat psexesrv.exe 82.ps1 process 66-87.dll; install.cmd ce3a6224dae98fdaa712cfa6495cb72349f333133dbfb339c9 e90699cbe4e8e
  • 4. TLP:WHITE TLP:WHITE 141b2190f51397dbd0dfde0e3904b264c91b6f81febc823ff0 c33da980b69944 1d142c36c6cdd393fe543a6b7782f25a9cbafca17a1cfa0f3fc 0f5a9431dbf3f 81bdd622f0cb9d7e2ac5325a74606fa7818bd4205f37184eb a68cdcbe96942f6 d010fbb1afeb610338c49ae2425b6b7c4a9f4c469aedd096a 15b32527565d7db 7e765942d89cd3bfaca41034cd959b8d741085bd8bcedbb7 41e15ed685227a5e 05f90cad3627f5253e1a03156793bc6cada7f4ce0d510f5513 9f0285fcff589d EEDC68C92C50BE88C5935651D6B772D4728C3566581BE1F 24D4CE7EF63A76D2E 3468C6DEB3827F5C161A8622E7D794444C7B38225F6F150 02193D2572A4D132E 02B17677BEC8A4FBB77FDDB347BFDCC651FF2B25187131C CE45C326E3CF42FE5 188E66158E0F96AD1FFD3F090E2570B8644CD80733C7AAF B931E893A4F280165 Cuba Ransomware Associated Email Addresses, as of Mid-October 2021 Email Provider Email Addresses Protonmail ad_default@protonmail.com admansmit001@protonmail.com afts_agent@protonmail.com helpadmin1@protonmail.com helpallen@protonmail.com helpallen@protonmail.com mail_supportRG@protonmail.com roselondon@protonmail.com system_admC@protonmail.com Protonmail.ch dark_sysadmin@protonmail.ch iracomp1@protonmail.ch iracomp3@protonmail.ch LR_FWS_H2M_ET@protonmail.ch under_amur@protonmail.ch Cock.li cloudkey@cock.li fiaadministrator@cock.li frankstore@cock.li helpallen@cock.li iracomp@cock.li ivantisupport@cock.li
  • 5. TLP:WHITE TLP:WHITE logme@cock.li mfra@cock.li morebeerplease@cock.li roselondon@cock.li Cuba-supp.com admin@cuba-supp.com Cuba Ransomware Associated Jabber Address, as of Mid-October 2021 cuba_support@exploit.im IP Addresses Associated with Cuba Ransomware, as of Mid-October 2021 37.120.193.123 40.115.162.72 157.245.70.127 31.44.184.82 185.153.199.176 Bitcoin Wallet Receiving Ransom Payments, as of Mid-October 2021 bc1qvpk8ksl3my6kjezjss9p28cqj4dmpmmjx5yl3y bc1qhtwfcysclc7pck2y3vmjtpzkaezhcm6perc99x bc1qft3s53ur5uq5ru6sl3zyr247dpr55mnggwucd3 bc1qp7h9fszlqxjwyfhv0upparnsgx56x7v7wfx4x7 Sample Cuba Ransom Note, as of Mid-October 2021 Good day. All your files are encrypted. For decryption contact us. Write here iracomp3@protonmail.com We also inform that your databases, ftp server and file server were downloaded by us to our servers. * Do not rename encrypted files * Do not try to decrypto your data using third party software, it may cause permanent data loss. Information Requested: The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, Bitcoin wallet information, the decryptor file, and/or a benign sample of an encrypted file. The FBI does not encourage paying ransoms. Payment does not guarantee files will be recovered. It may also embolden adversaries to target
  • 6. TLP:WHITE TLP:WHITE additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. However, the FBI understands that when victims are faced with an inability to function, all options are evaluated to protect shareholders, employees and customers. Regardless of whether you or your organization have decided to pay the ransom, the FBI urges you to promptly report ransomware incidents to your local field office. Doing so provides the FBI with critical information needed to prevent future attacks by identifying and tracking ransomware attackers and holding them accountable under US law. Recommended Mitigations: FBI recommends network defenders to apply the following mitigations to reduce the risk of compromise by Cuba ransomware: ď‚· Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to have strong, unique passwords. Passwords should not be reused across multiple accounts or stored on the system where an adversary may have access. Note: Devices with local administrative accounts should implement a password policy that requires strong, unique passwords for each individual administrative account. ď‚· Require multi-factor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems. ď‚· Keep all operating systems and software up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. ď‚· Remove unnecessary access to administrative shares, especially ADMIN$ and C$. If ADMIN$ and C$ are deemed operationally necessary, restrict privileges to only the necessary service or user accounts and perform continuous monitoring for anomalous activity. ď‚· Use a host-based firewall to only allow connections to administrative shares via server message block (SMB) from a limited set of administrator machines. Adversaries use system and network discovery techniques for network and system visibility and mapping. To limit an adversary from learning the organization’s enterprise environment, limit common system and network discovery techniques by taking the following actions: ď‚· Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement. ď‚· Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic, including lateral
  • 7. TLP:WHITE TLP:WHITE movement activity on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host. ď‚· Implement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the AD level when the account is not in direct need. When the account is needed, individual users submit their requests through an automated process that enables access to a system, but only for a set timeframe to support task completion. ď‚· Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities that run from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally. ď‚· Maintain offline backups of data, and regularly maintain backup and restoration. This practice will ensure the organization will not be severely interrupted, have irretrievable data. ď‚· Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure. Additional Resources For additional resources related to the prevention and mitigation of ransomware, go to https://www.stopransomware.gov as well as the CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide. Stopransomware.gov is the Government’s new, official one-stop location for resources to tackle ransomware more effectively.
  • 8. TLP:WHITE TLP:WHITE Reporting Notice The FBI encourages recipients of this document to report information concerning suspicious or criminal activity to their local FBI field office. With regards to specific information that appears in this communication; the context, individual indicators, particularly those of a non- deterministic or ephemeral nature (such as filenames or IP addresses), may not be indicative of a compromise. Indicators should always be evaluated in light of your complete information security situation. Field office contacts can be identified at www.fbi.gov/contact-us/field-offices. When available, each report submitted should include the date, time, location, type of activity, number of people, and type of equipment used for the activity, the name of the submitting company or organization, and a designated point of contact. Administrative Note This product is marked TLP:WHITE. Subject to standard copyright rules, the information in this product may be shared without restriction. Your Feedback Regarding this Product is Critical Was this product of value to your organization? Was the content clear and concise? Your comments are very important to us and can be submitted anonymously. Please take a moment to complete the survey at the link below. Feedback should be specific to your experience with our written products to enable the FBI to make quick and continuous improvements to such products. Feedback may be submitted online here: Please note that this survey is for feedback on content and value only. Reporting of technical information regarding FLASH reports must be submitted through your local FBI office. https://www.ic3.gov/PIFSurvey