Skip to main content

Operator dossier

Cuba (also tracked as COLDDRAW, Fidel) is a ransomware operator no longer publishing new disclosures. Darkfield has indexed 105 public victims claimed by this operator between February 3, 2021 and February 1, 2024. The Cuba ransomware group is a financially-motivated cybercriminal organization that emerged in February 2021 and has since conducted attacks against at least 105 known victims globally. The group operates as an independent ransomware operation with suspected ties to Russian-speaking cybercriminals, though their exact country of origin remains unconfirmed by law enforcement agencies. Cuba ransomware operators primarily gain initial access through compromised Remote Desktop Protocol (RDP) credentials, exploitation of Microsoft Exchange vulnerabilities, and phishing campaigns, subsequently deploying their custom Cuba ransomware payload which encrypts victim files while exfiltrating sensitive data before encryption as part of their double extortion strategy. The group has particularly targeted organizations in the United States, United Kingdom, France, Australia, and Belgium, with a notable focus on critical infrastructure sectors including healthcare, financial services, manufacturing, and energy companies. According to FBI reporting, the Cuba ransomware group has demanded ransom payments ranging from hundreds of thousands to millions of dollars from their victims. As of recent threat intelligence assessments, the Cuba ransomware group remains active and continues to pose a significant threat to organizations across multiple sectors and geographic regions.

Most-targeted sectors

Most-affected countries

Recent disclosures by Cuba

All 105 indexed disclosures. Click any row for the full per-victim dossier.

See every disclosure indexed for Cuba

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Inactive ransomware operator

All groups

Cuba

aka COLDDRAW, Fidel · 105 victims indexed · first seen 5 years ago · last activity 2 years ago

105
Victims indexed
#71 of 364 tracked operators
3y 0m
Active period
Feb 2021 → Feb 2024
6
Countries hit
top United States · 4

At a glance

Status
inactive
Aliases
COLDDRAW, Fidel
First seen
5 years ago
Last activity
2 years ago
Onion sites
2 known endpoints
Primary sector
Financial · 1 hits

About

The Cuba ransomware group is a financially-motivated cybercriminal organization that emerged in February 2021 and has since conducted attacks against at least 105 known victims globally. The group operates as an independent ransomware operation with suspected ties to Russian-speaking cybercriminals, though their exact country of origin remains unconfirmed by law enforcement agencies. Cuba ransomware operators primarily gain initial access through compromised Remote Desktop Protocol (RDP) credentials, exploitation of Microsoft Exchange vulnerabilities, and phishing campaigns, subsequently deploying their custom Cuba ransomware payload which encrypts victim files while exfiltrating sensitive data before encryption as part of their double extortion strategy. The group has particularly targeted organizations in the United States, United Kingdom, France, Australia, and Belgium, with a notable focus on critical infrastructure sectors including healthcare, financial services, manufacturing, and energy companies. According to FBI reporting, the Cuba ransomware group has demanded ransom payments ranging from hundreds of thousands to millions of dollars from their victims. As of recent threat intelligence assessments, the Cuba ransomware group remains active and continues to pose a significant threat to organizations across multiple sectors and geographic regions.

References

24 links

External sources curated by the MISP threat-intel community.

Timeline

21 months
2021-02-01T00:00:00+00:00 · 12021-09-01T00:00:00+00:00 · 62021-12-01T00:00:00+00:00 · 62022-01-01T00:00:00+00:00 · 82022-02-01T00:00:00+00:00 · 62022-03-01T00:00:00+00:00 · 42022-04-01T00:00:00+00:00 · 42022-05-01T00:00:00+00:00 · 22022-06-01T00:00:00+00:00 · 22022-07-01T00:00:00+00:00 · 22022-08-01T00:00:00+00:00 · 12022-09-01T00:00:00+00:00 · 12022-11-01T00:00:00+00:00 · 402022-12-01T00:00:00+00:00 · 62023-05-01T00:00:00+00:00 · 32023-07-01T00:00:00+00:00 · 32023-08-01T00:00:00+00:00 · 12023-10-01T00:00:00+00:00 · 32023-11-01T00:00:00+00:00 · 42024-01-01T00:00:00+00:00 · 12024-02-01T00:00:00+00:00 · 1
2021-02-01T00:00:00+00:002024-02-01T00:00:00+00:00

Top countries

🇺🇸 United States
4
🇬🇧 United Kingdom
3
🇫🇷 France
1
🇦🇺 Australia
1
🇧🇪 Belgium
1
🇹🇼 Taiwan
1

Top sectors

Financial
1
Healthcare
1
Manufacturing
1
Energy
1
Finance
1

MITRE ATT&CK

11 techniques · 10 tactics

Tactics

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessLateral MovementCollectionExfiltrationImpact

Techniques

  • T1190Exploit Public-Facing Application
  • T1566Phishing
  • T1059Command and Scripting Interpreter
  • T1053Scheduled Task/Job
  • T1078Valid Accounts
  • T1027Obfuscated Files or Information
  • T1003OS Credential Dumping
  • T1021Remote Services
  • T1005Data from Local System
  • T1041Exfiltration Over C2 Channel
  • T1486Data Encrypted for Impact

Recent victims

Loading…

Onion infrastructure

2 known
  • http://cuba4ikm4jakjgmkezytyawtdgr2xymvy6nvzgw5cglswg3si76icnqd.onion
  • http://cuba4mp6ximo2zlo.onion

Source

Updated 2 years ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time Cuba posts a victim.

Add Cuba to your watchlist — Pro pings you within 5 minutes of any new Cuba leak-site post, Telegram callout, or affiliate-rebrand inference.