Inactive ransomware operator
← All groupsCuba
aka COLDDRAW, Fidel · 105 victims indexed · first seen 5 years ago · last activity 2 years ago
105
Victims indexed
#71 of 348 tracked operators
3y 0m
Active period
Feb 2021 → Feb 2024
6
Countries hit
top United States · 4
At a glance
- Status
- inactive
- Aliases
- COLDDRAW, Fidel
- First seen
- 5 years ago
- Last activity
- 2 years ago
- Onion sites
- 2 known endpoints
- Primary sector
- Financial · 1 hits
About
The Cuba ransomware group is a financially-motivated cybercriminal organization that emerged in February 2021 and has since conducted attacks against at least 105 known victims globally. The group operates as an independent ransomware operation with suspected ties to Russian-speaking cybercriminals, though their exact country of origin remains unconfirmed by law enforcement agencies. Cuba ransomware operators primarily gain initial access through compromised Remote Desktop Protocol (RDP) credentials, exploitation of Microsoft Exchange vulnerabilities, and phishing campaigns, subsequently deploying their custom Cuba ransomware payload which encrypts victim files while exfiltrating sensitive data before encryption as part of their double extortion strategy. The group has particularly targeted organizations in the United States, United Kingdom, France, Australia, and Belgium, with a notable focus on critical infrastructure sectors including healthcare, financial services, manufacturing, and energy companies. According to FBI reporting, the Cuba ransomware group has demanded ransom payments ranging from hundreds of thousands to millions of dollars from their victims. As of recent threat intelligence assessments, the Cuba ransomware group remains active and continues to pose a significant threat to organizations across multiple sectors and geographic regions.
References
24 linksExternal sources curated by the MISP threat-intel community.
- mcafee.com/enterprise/en-us/assets/reports/rp-cuba-ransomware.pdf
- digital.nhs.uk/cyber-alerts/2021/cc-3855
- blog.group-ib.com/hancitor-cuba-ransomware
- docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3
- id-ransomware.blogspot.com/2019/12/cuba-ransomware.html
- lab52.io/blog/cuba-ransomware-analysis/
- shared-public-reports.s3-eu-west-1.amazonaws.com/Cuba+Ransomware+Group+-+on+a+roll.pdf
- unit42.paloaltonetworks.com/cuba-ransomware-tropical-scorpius/
- aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/
- bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-cuba-ransomware/
- elastic.co/security-labs/cuba-ransomware-campaign-analysis
- elastic.co/security-labs/cuba-ransomware-malware-analysis
- fortinet.com/blog/threat-research/ransomware-roundup-gwisin-kriptor-cuba-and-more
- guidepointsecurity.com/blog/using-hindsight-to-close-a-cuba-cold-case/
- ic3.gov/Media/News/2021/211203-2.pdf
- it-connect.fr/le-ransomware-cuba-sen-prend-aux-serveurs-exchange/
- mandiant.com/resources/unc2596-cuba-ransomware
- mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-threat-report-a-quick-primer-on-cuba-ransomware
- trendmicro.com/en_us/research/22/f/cuba-ransomware-group-s-new-variant-found-using-optimized-infect.html
- ransomlook.io/group/cuba
Timeline
21 months2021-02-01T00:00:00+00:002024-02-01T00:00:00+00:00
Top countries
🇺🇸 United States
4
🇬🇧 United Kingdom
3
🇫🇷 France
1
🇦🇺 Australia
1
🇧🇪 Belgium
1
🇹🇼 Taiwan
1
Top sectors
Financial
1
Healthcare
1
Manufacturing
1
Energy
1
Finance
1
MITRE ATT&CK
11 techniques · 10 tacticsTactics
Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessLateral MovementCollectionExfiltrationImpact
Techniques
- T1190Exploit Public-Facing Application
- T1566Phishing
- T1059Command and Scripting Interpreter
- T1053Scheduled Task/Job
- T1078Valid Accounts
- T1027Obfuscated Files or Information
- T1003OS Credential Dumping
- T1021Remote Services
- T1005Data from Local System
- T1041Exfiltration Over C2 Channel
- T1486Data Encrypted for Impact
Recent victims
Loading…
Onion infrastructure
2 known- http://cuba4ikm4jakjgmkezytyawtdgr2xymvy6nvzgw5cglswg3si76icnqd.onion
- http://cuba4mp6ximo2zlo.onion
Source
Updated 2 years agoData on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.