Cuba attacks DMS Imaging

Incident Date:

February 1, 2024

World map



Cuba attacks DMS Imaging


DMS Imaging




Gallargues Le Montueux, France

, France

First Reported

February 1, 2024

Cuba Ransomware Infiltrates France-Based DMS Imaging

Cuba ransomware infiltrated France-based DMS imaging. It’s unclear how CUBA managed to penetrate the digital radiology company. The attack appears to have led to critical data loss, but it remains unclear how DMS imaging will proceed. CUBA claims to have exfiltrated information about the victim’s client base, financial situation, confidential correspondence, balance sheets, and more.

Cuba Ransomware: An Overview

Cuba is a RaaS that first emerged in 2019, but activity did not really ramp up until 2022, and attacks have continued to steadily increase through 2023. Cuba is assessed to be Russian-operated and connected to threat actors RomCom and Industrial Spy. Cuba is effective but does not really stand out amongst threat actors – their operations are fairly generic, but they do have the ability to bypass multiple security solutions with relative ease.

Recent Activities and Tactics

In August, Cuba was observed targeting vulnerability for backup and disaster recovery offering Veeam (CVE-2023-27532). Cuba’s attack volume appears to have doubled in early 2023 over 2022 levels. Cuba operators have demanded some of the highest ransoms ever (in the tens of millions) but it is highly unlikely they have collected anywhere close to their outrageous demands.

Like most operators, Cuba relies on phishing, exploitable vulnerabilities, and compromised RDP credentials for ingress and lateral movement, and uses the symmetric encryption algorithm ChaCha20 appended with a public RSA key. Cuba leverages PowerShell, Mimikatz, SystemBC and the Cobalt Strike platform.

Enhancements in Cuba's Arsenal

Overall, Cuba is not the most sophisticated ransomware in the wild but appears to be effective, and they have been observed to be improving their toolset with the addition of a custom downloader dubbed BUGHATCH, a security-bypass tool called BURNTCIGAR that terminates processes at the kernel level, the Metasploit array and Cobalt Strike in addition to several LOLBINS including cmd.exe for lateral movement and ping.exe for reconnaissance.

Targeting and Extortion Strategies

Cuba selects victims on their ability to pay large ransom demands, targeting larger organizations in financial services, government, healthcare, critical infrastructure, and IT sectors. Cuba exfiltrates victim data for double-extortion and maintain a leaks site where they publish victim data if the ransom demand is not met. Cuba operators have a decent reputation as far as providing a decryption key to victims who pay the ransom demand.

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.