Skip to content
Ransomware group

Cuba

Cuba Ransomware is a financially motivated ransomware and extortion operation active since at least 2019 that has targeted organizations in North America and Europe, including retailers, manufacturers, and other enterprises.

Profile source: Mallory opens in a new tab

Cuba

Family profile

Cuba Ransomware is a financially motivated ransomware and extortion operation active since at least 2019 that has targeted organizations in North America and Europe, including retailers, manufacturers, and other enterprises. The group is known for combining data theft with ransomware deployment and using leak-site pressure to extort victims. Cuba has also been linked to attacks against backup and recovery infrastructure, including exploitation of Veeam Backup & Replication vulnerabilities, reflecting an interest in disrupting restoration and increasing leverage over victims.

The operation commonly relies on a multi-stage intrusion chain using commodity and dual-use tooling. Reported tooling associated with Cuba intrusions includes Cobalt Strike, SystemBC, Meterpreter, Mimikatz, PsExec, PowerShell-based loaders, and legitimate remote administration software such as GoToAssist and NetSupport Manager. Cuba activity has also been associated with BUGHATCH and with malware delivery ecosystems such as Hancitor, which in some cases delivered Cobalt Strike followed by Cuba ransomware. The group has used loaders and in-memory execution techniques, including PowerShell-based payload loading, to reduce on-disk visibility.

Cuba’s tradecraft includes exploitation of public-facing services, credential theft, privilege escalation, lateral movement, and defense evasion prior to encryption. Observed behaviors include enabling remote access, creating hidden local accounts, abusing LOLBAS utilities, and deleting artifacts to hinder forensic recovery. Cuba operators have also used masquerading techniques, including disguising malware as legitimate security or VPN software.

A notable aspect of the group’s capability is its use of Bring Your Own Vulnerable Driver techniques to disable security products. Cuba has been linked to the BURNTCIGAR/POORTRY malicious driver family and associated loaders such as STONESTOP, which have been used to terminate or impair endpoint protection and EDR tooling. Reporting has tied Cuba to the broader ecosystem of ransomware actors using signed vulnerable or malicious kernel drivers for defense evasion.

Cuba is generally tracked as a cybercriminal ransomware actor rather than a confirmed state-sponsored intrusion set. However, some reporting has noted activity associated with the Cuba intrusion set that appeared espionage-related, including phishing campaigns affecting defense and government entities in Europe and North America. That overlap has led to some uncertainty around whether all activity attributed to Cuba reflects a single purely financially motivated cluster, a mixed-motive intrusion set, or partially overlapping operators. High-confidence reporting consistently supports Cuba’s role as a ransomware and extortion actor.

Known aliases include Cuba, Cuba ransomware, Cuba ransomware actors, and Cuba ransomware gang.

Ransomware.live

Operational record

View group record ↗

Credential Theft

  • Mimikatz

Defense Evasion

  • Avast Anti-Rootkit driver

LOLBAS

  • PsExec

Networking

  • Termite

Offsec

  • Cobalt Strike
  • Meterpreter

RMM Tools

  • NetSupport

MITRE ATT&CK

Cuba in ATT&CK

23 distinct techniques

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.