The Cuba ransomware gang extorted more than $60 million in ransom payments from victims between December 2021 and August 2022, a joint advisory from CISA and the FBI has warned.
The latest advisory is a follow-up to a flash alert released by the FBI in December 2021, which revealed that the gang had earned close to $44 million in ransom payments after attacks on more than 49 entities in five critical infrastructure sectors in the United States. Since then, the Cuba ransomware gang has brought in an additional $60 million from attacks against 100 organizations globally, almost half of the $145 million it demanded in ransom payments from these victims.
“Since the release of the December 2021 FBI Flash, the number of U.S. entities compromised by Cuba ransomware has doubled, with ransoms demanded and paid on the increase,” the two federal agencies said on Thursday.
Cuba ransomware actors, which have been active since 2019, continue to target U.S. entities in critical infrastructure, including financial services, government facilities, healthcare and public health, critical manufacturing and information technology.
In August this year, the gang was linked to a ransomware attack on the nation state of Montenegro that targeted government systems and other critical infrastructure and utilities, including electricity, water systems and transportation. At the time of the attack, the Cuba ransomware gang claimed it had obtained “financial documents, correspondence with bank employees, account movements, balance sheets, tax documents, compensation [and] source code” from Montenegro’s parliament.
Cuba was also linked to a breach of California’s Department of Motor Vehicles in April this year, which saw the attackers compromise California vehicle registration records that contain names, addresses, license plate numbers and vehicle identification numbers.
The FBI and CISA added that the ransomware gang has modified its tactics, techniques and procedures since the start of the year and has been linked to the RomCom malware, a custom remote access trojan for command and control, and the Industrial Spy ransomware.
The advisory notes that the group — which cybersecurity company Profero previously linked to Russian-speaking hackers — typically extorts victims by threatening to leak stolen data. While this data was typically leaked on Cuba’s dark web leak site, the group began selling stolen data on Industrial Spy’s online market in May this year.
CISA and the FBI are urging at-risk organizations to prioritize patching known exploited vulnerabilities, to train employees to spot and report phishing attacks and to enable and enforce phishing-resistant multi-factor authentication.
The release of CISA and the FBI’s advisory comes as the Cuba ransomware gang continues to list new victims on its website. The most recent additions include Generator Power, a U.K.-based generator hire company, and German media monitoring firm Landau Media.