Microsoft Exchange servers targeted with Cuba ransomware

Ransomware
Image credit: Shutterstock (Image credit: Shutterstock)

The UNC2596 ransomware group, also known as Cuba, is abusing vulnerabilities found in Microsoft Exchange to compromise corporate endpoints, harvest data, and ultimately, deploy the COLDDRAW malware.

Cybersecurity experts from Mandiant caught on the ransomware group’s trail, saying it mostly hunts down companies in the United States and Canada. 

The experts’ report states the group has been using ProxyShell and ProxyLogon vulnerabilities at least since August 2021 to plant various web shells, Remote Access Trojans (RAT), and backdoors, on compromised systems. 

TechRadar needs you!

We're looking at how our readers use VPNs with different devices so we can improve our content and offer better advice. This survey shouldn't take more than 60 seconds of your time. Thank you for taking part.

>> Click here to start the survey in a new window <<

Among the backdoors used, CobaltStrike and NetSupport Manager seem to be the most popular choices, but they often use home-grown products, dubbed “Bughatch”, “Wedgecut”, “Burntcigar”, or “Eck”. Some of these are used as reconnaissance tools, others to terminate processes and escalate privileges.

The difference between UNC2596 and other ransomware groups out there, is that this group does not send exfiltrated data towards cloud services. Instead, they use private infrastructure. 

A growing ransomware actor

The Cuba ransomware group was reportedly formed in late 2019, and after a relatively slow start, picked up its pace in 2020 and 2021. In May 2021, the group teamed up with Hancitor malware spammers, successfully phishing out passwords for corporate networks with malicious DocuSign files. 

In late 2021, the FBI issued an advisory about the group which claimed the group breached 49 critical infrastructure organizations in the US (the Cuba leak website had fewer than 30 victims listed). Its operations earned it almost $44 million, the law enforcement agency added. However, it demanded $74 million. 

Despite the ransom demands, both unpaid and paid, being counted in double-digit millions, the group is relatively small, compared to some of the biggest players in the ransomware game. 

Cybersecurity researchers from Emsisoft, for example, said last year there had been 105 Cuba ransomware submissions, while Conti has had more than 600.

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.