Port of Lisbon website still down from LockBit ransomware gang

The ransomware group behind “Cuba” (aka COLDDRAW) has received more than $60 million in ransom payments and compromised over 100 entities across the globe as of August 2022. The Cybersecurity & Infrastructure Security Agency (CISA) issued a new advisory to provide network defenders with the tactics, techniques and procedures (TTPs) and indicators of compromise (IOCs) associated with the Cuba ransomware.

The CISA campaign, known as #StopRansomware: Cuba Ransomware, updates the December 2021 FBI Flash: IOCs Associated with Cuba Ransomware.

The updates include:

  • FBI has identified a sharp increase in both the number of compromised U.S. entities and the ransom amounts demanded by Cuba ransomware actors.
  • Since spring 2022, Cuba ransomware actors have expanded their TTPs.
  • Third-party and open-source reports have identified a possible link between Cuba ransomware actors, RomCom Remote Access Trojan (RAT) actors, and Industrial Spy ransomware actors.

The group responsible for this ransomware—known as “Tropical Scorpius”—has targeted the financial, government, healthcare, manufacturing, and IT sectors.

Despite the ransomware name “Cuba”, there is no evidence to suggest it stems from the country or Cuban citizens, per The Hacker News.

CISA advises network defenders to visit StopRansomware.gov for additional ransomware protection, detection, and response.
