The UNC2596 ransomware group, also known as Cuba, is abusing vulnerabilities found in Microsoft Exchange to compromise corporate endpoints, harvest data, and ultimately, deploy the COLDDRAW malware.
Cybersecurity experts from Mandiant caught on the ransomware group’s trail, saying it mostly hunts down companies in the United States and Canada.
The experts’ report states the group has been using ProxyShell and ProxyLogon vulnerabilities at least since August 2021 to plant various web shells, Remote Access Trojans (RAT), and backdoors, on compromised systems.
Among the backdoors used, CobaltStrike and NetSupport Manager seem to be the most popular choices, but they often use home-grown products, dubbed “Bughatch”, “Wedgecut”, “Burntcigar”, or “Eck”. Some of these are used as reconnaissance tools, others to terminate processes and escalate privileges.
The difference between UNC2596 and other ransomware groups out there, is that this group does not send exfiltrated data towards cloud services. Instead, they use private infrastructure.
A growing ransomware actor
The Cuba ransomware group was reportedly formed in late 2019, and after a relatively slow start, picked up its pace in 2020 and 2021. In May 2021, the group teamed up with Hancitor malware spammers, successfully phishing out passwords for corporate networks with malicious DocuSign files.
In late 2021, the FBI issued an advisory about the group which claimed the group breached 49 critical infrastructure organizations in the US (the Cuba leak website had fewer than 30 victims listed). Its operations earned it almost $44 million, the law enforcement agency added. However, it demanded $74 million.
Despite the ransom demands, both unpaid and paid, being counted in double-digit millions, the group is relatively small, compared to some of the biggest players in the ransomware game.
Cybersecurity researchers from Emsisoft, for example, said last year there had been 105 Cuba ransomware submissions, while Conti has had more than 600.
Via: BleepingComputer
