Attack Graph Response to US-CERT Alert (AA22-335A): #StopRansomware: Cuba Ransomware

AttackIQ has released a new fully featured attack graph that emulates the tactics, techniques, and procedures (TTPs) associated to attacks involving Cuba ransomware.This release is a follow-up to an FBI FLASH alert published in December 2021 that first detailed the initial attacks against 49 entities in critical infrastructure sectors. The Cuba ransomware actors have since doubled the number of U.S. victims and compromised over 100 entities worldwide. Read More

Targeted Sectors: Financial Services, Government Facilities, Healthcare and Public Health, Critical Manufacturing, and Information Technology


On December 1st, 2022, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint CSA (Cybersecurity Advisory) that expands their #StopRansomware efforts to help organizations protect themselves against Ransomware attacks.

The most recent alert disseminates known Cuba ransomware indicators of compromise (IOCs) and the tactics, techniques, and procedures (TTPs) observed during the attacks. This release is a follow-up to an FBI FLASH alert published in December 2021 that first detailed the initial attacks against 49 entities in critical infrastructure sectors. The Cuba ransomware actors have since doubled the number of U.S. victims and compromised over 100 entities worldwide. The FBI reports that the organization has received over $60 million in ransom payments.

According to the US-CERT Alert, Unit42, and McAfee report the adversary has primarily targeted the following sectors: Financial Services, Manufacturing, Technology, Transportation, Professional Services, Construction, Retail, Government, Energy, Resources & Utilities, Education, Life Sciences & Healthcare.

The Cuba ransomware operators, also known as Tropical Scorpius and UNC2596, have been observed distributing the ransomware through Hancitor, a shared information stealer and malware downloader usually delivered through malicious attachments. The actor has also been observed exploiting known vulnerabilities in Microsoft Exchange Servers, including ProxyShell and ProxyLogon.

AttackIQ has released a new attack graph emulating a realistic Cuba ransomware attack to help customers validate their security controls and their ability to defend against this threat actor and others who follow similar behaviors.

Validating your security program performance against this specific threat actor’s behaviors is vital in reducing risk. By using these new attack graphs in the AttackIQ Security Optimization Platform, security teams will be able to:

  • Evaluate security control performance against malicious techniques currently in use by highly active ransomware operators.
  • Assess their security posture against an actor who pursues multiple tactical pathways to persistence and discovery.
  • Continuously validate detection and prevention pipelines beyond the initial access exploits.

Attack Graph: [US-CERT AA22-335A] #StopRansomware: Cuba Ransomware

The initial access methods of these attacks vary from victim to victim, so this attack graph starts with the delivery of the Hancitor malware. The attack graph moves through the installation of the kernel driver payloads, the execution of local and remote discovery commands, and the various methods used to gain additional credentials. It then transitions to emulating the behaviors observed in their ROMCOM malware family before finishing with a ransomware attack to encrypt user documents.

The first steps are the delivery of the Hancitor malware and ApcHelper kernel driver dropper. The actor creates a service for initial persistence and scans the host to determine what security software is installed.

Ingress Tool Transfer (T1105): This scenario downloads to memory and saves to disk in independent scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious Hive ransomware samples.

Windows Service (T1543.003): Use the native sc command line tool to create a new service that will execute at reboot.

Security Software Discovery (T1518.001): A PowerShell script is executed to determine which software has been installed as an AntiVirusProduct class.

The actor begins their discovery phase by executing native system commands and third-party utilities like AdFind. The actor seeks to learn about the victim’s Active Directory domain and what additional hosts may be accessible from this initial entry vector. Mimikatz is used to dump credentials and a custom tool that helps facility the ZeroLogon attack is downloaded. Finally, they attempt to use the Pass the Hash technique to move laterally to other remote systems.

Account Discovery: Domain Account (T1087.002): The Adfind utility is used to discover details about the victim’s Active Directory configuration including accounts, groups, computers, and subnets.

Remote System Discovery (T1018): Nmap is used to scan the local network searching for any remotely accessible systems.

Account Discovery: Local Account (T1087.001): The native net user command is executed to get a list of local accounts.

Pass the Hash (T1550.002): Using Mimikatz the actors can dump hashes from LSASS memory, and they can be used to authenticate via NTLM to other enterprise resources.

The actor brings down a custom malware family known as ROMCOM that is delivered as a DLL file. The malware is executed by calling one of the library’s exports while using Scheduled Tasks to act as persistence and command orchestration. System and disk drive information is collected before the initial command and control beacons start. The malware then collects running process and software that is currently installed from the registry.

System Binary Proxy Execution: Rundll32 (T1218.011): Rundll32.exe is used to execute a DLL file by specifying a specific export to call once it’s opened.

Scheduled Task (T1053.005): The Windows Task Scheduler is used to create a task that will execute a command at startup.

System Information Discovery (T1082): The native hostname and systeminfo commands are used to get the infected host’s computer name and basic details about the system.

Application Layer Protocol: Web Protocols (T1071.001): ROMCOM uses HTTP for command-and-control traffic. This scenario makes the initial HTTP POST request to an AttackIQ controlled server emulating the exact web request made by a true ROMCOM infection.

Non-Application Layer Protocol (T1095): If the HTTP command-and-control is unsuccessful, ROMCOM will use an alternative of ICMP to send system information and register with the command and control server.

File and Directory Discovery (T1083): This scenario uses the traditional dir command to find files of interest and output to a temporary file.

Process Discovery (T1057): Windows’ built-in tasklist command is executed and the results are saved to a file in a temporary location.

Software Discovery (T1518): A registry key containing entries for all the software installed on the victim asset. Reg.exe is used to access

HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall.

The final stages of the attack involve downloading and executing Cuba ransomware. The system language is identified, and system information recollected. Files of interest are searched for, and services are checked to see if any security tools are running. Network shares are collected and finally the encryption process begins.

Access Token Manipulation: Parent PID Spoofing (T1134.004): This scenario calls the CreateProcess Windows API which allows it to specify which parent process should be responsible for this new process. Actors leverage this technique to make their malware appear to be executed as a normal process under legitimate Microsoft processes.

System Language Discovery (T1614.001): The Windows API function GetSystemDefaultUILanguage is called to retrieve the language code of the system’s default language pack.

System Service Discovery (T1007): Microsoft’s native sc utility is executed to query a list of all running services.

System Network Configuration Discovery (T1016): Native Window’s commands like route, ipconfig, and net useare executed to collect details about the infected host and network shares.

Data Encrypted for Impact (T1486): This scenario performs the file encryption routines used by common ransomware families. Files matching an extension list are identified and encrypted in place using the same encryption algorithms observed in Cuba ransomware.

Detection and Mitigation Opportunities

With so many different techniques being used by threat actors, it can be difficult to know which to prioritize for prevention and detection assessment. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.

1. Scheduled Task/Job: Scheduled Task (T1053.005)

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for the initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly from the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel.

1a. Detection

With an EDR or SIEM Platform, you can detect the following commands being issued to schedule a malicious task

Process Name = (“cmd.exe” OR “Powershell.exe”)
Command Line CONTAINS (“schtasks” AND “/CREATE” AND (“cmd” OR “powershell”)

1b. Mitigation

MITRE ATT&CK has the following mitigation recommendations for Scheduled Task/Job: Scheduled Task (T1053.005):

2. Create or Modify System Process: Windows Service (T1543.003 )

Actors can create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.

2a. Detection

Using an EDR or SIEM product, you can create detections to alert when a possibly malicious service has been created due to adversarial behavior.

Process Name = (“cmd.exe” OR “powershell.exe”)
Command Line CONTAINS (“sc” AND “Create”)

2b. Mitigations

MITRE gives the following mitigations for Create or Modify System Process: Windows Service (T1543.003 ):

3. Credentials from Password Stores: Windows Credential Manager (T1555.004):

Adversaries acquire credentials from the Windows Credential Manager. The Credential Manager stores credentials for signing into websites, applications, and/or devices that request authentication through NTLM or Kerberos in Credential Lockers (previously known as Windows Vaults).

3a. Detection

With an EDR or SIEM Platform, you can detect the following commands being issued to run Mimikatz.exe on an endpoint:

Process Name == (“cmd.exe” OR “Powershell.exe”)
Command Line CONTAINS (“sekurlsa::logonpasswords”)

3b. Mitigation

MITRE ATT&CK has the following mitigation recommendations for Credentials from Password Stores: Windows Credential Manager (T1555.004):

Wrap-up

In summary, this attack graph will evaluate security and incident response processes and support the improvement of your security control posture against an actor who uses both native system tools and their own bespoke malware. With data generated from continuous testing and use of this attack graph, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a known and dangerous threat.

AttackIQ stands at the ready to help security teams implement this attack graph and other aspects of the AttackIQ Security Optimization Platform, including through our co-managed security service, AttackIQ Vanguard.