Cuba Ransomware Group Targets DiagnosTechs

Introduction to the Incident

Cuba ransomware group has added DiagnosTechs to their victim list. According to the group, the compromised files include financial documents, correspondence with bank employees, tax documents, etc. The victim's site displays a message saying "that our services are temporarily unavailable due to technical issues. Their dedicated team is actively addressing the problem to restore regular service as quickly as possible."

About DiagnosTechs

Founded in 1987, DiagnosTechs is a pioneer and leader in saliva-based testing. Our commitment to assisting healthcare professionals in restoring patients' health and wellness is unsurpassed with over 1.2 million specimens tested per year. Saliva testing is a powerful tool for evaluating stress, hormone-related disease and health conditions, especially over time. DiagnosTechs continually improves and refines its laboratory testing standards, using cutting-edge technology and methods. Many healthcare providers and their patients have chosen DiagnosTechs as their partner in wellness.

Overview of Cuba Ransomware

Cuba is a RaaS that first emerged in 2019, but activity did not really ramp up until 2022, and attacks have continued to steadily increase through the first half of 2023. Cuba is assessed to be Russian-operated and connected to threat actors RomCom and Industrial Spy. Cuba is effective but does not really stand out amongst threat actors – their operations are fairly generic, but they do have the ability to bypass multiple security solutions with relative ease. In August, Cuba was observed targeting vulnerability for backup and disaster recovery offering Veeam (CVE-2023-27532).

Attack Volume and Tactics

Cuba’s attack volume appears to have doubled in early 2023 over 2022 levels. Cuba operators have demanded some of the highest ransoms ever (in the tens of millions) but it is highly unlikely they have collected anywhere close to their outrageous demands. Like most operators, Cuba relies on phishing, exploitable vulnerabilities, and compromised RDP credentials for ingress and lateral movement, and uses the symmetric encryption algorithm ChaCha20 appended with a public RSA key. Cuba leverages PowerShell, Mimikatz, SystemBC and the Cobalt Strike platform.

Toolset and Victim Selection

Overall, Cuba is not the most sophisticated ransomware in the wild but appears to be effective, and they have been observed to be improving their toolset with the addition of a custom downloader dubbed BUGHATCH, a security-bypass tool called BURNTCIGAR that terminates processes at the kernel level, the Metasploit array and Cobalt Strike in addition to several LOLBINS including cmd.exe for lateral movement ping.exe for reconnaissance.

Cuba selects victims on their ability to pay large ransom demands, targeting larger organizations in financial services, government, healthcare, critical infrastructure, and IT sectors. Cuba exfiltrates victim data for double-extortion and maintain a leaks site where they publish victim data if the ransom demand is not met. Cuba operators have a decent reputation as far as providing a decryption key to victims who pay the ransom demand.