Dive Brief:
- Threat actors behind the Cuba ransomware compromised at least 49 critical infrastructure organizations across the financial, government, healthcare, manufacturing, and information technology sectors, the FBI said in a flash security alert Friday.
- The activity began "as early as November," and the actors have gained at least $43.9 million in ransom payments from the approximately $74 million they demanded.
- The FBI wants organizations to share information, including "boundary logs showing communication to and from foreign IP addresses, bitcoin wallet information, the decryptor file, and/or a benign sample of an encrypted file," the alert said.
Dive Insight:
Cuba installs a Cobalt Strike beacon through PowerShell, and uses MimiKatz for stealing credentials, the FBI said. "Once an RDP connection is complete, the Cuba ransomware actors use the CobaltStrike server to communicate with the compromised user account," the FBI said.
Cuba spreads through the Hancitor malware, a loader used to drop remote access trojans or other ransomware, according to the FBI. Hancitor leverages phishing, vulnerabilities in Microsoft Exchange, remote desktop protocol, or compromised credentials to gain access to a network.
Then "Cuba ransomware actors use legitimate Windows services — such as PowerShell, PsExec, and other unspecified services — and then leverage Windows Admin privileges to execute their ransomware and other processes remotely," the alert said.
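As an added illustration that is not from the FBI alert or from Cybersecurity Dive, the following Python triage script flags the stages described above in simplified Windows event records: PowerShell launched hidden or with an encoded command (Security event 4688), a process opening lsass.exe (Sysmon event 10), an RDP logon (Security event 4624, logon type 10) and a PsExec service install (System event 7045). The event records and their field names are constructed for the example; only the event IDs are real.

```python
import re
from collections import defaultdict

# Constructed sample events with simplified field names (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "id": 4688, "user": "corp\\jdoe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"host": "ws01", "id": 10, "source_image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\m.exe",
     "target_image": "C:\\Windows\\System32\\lsass.exe", "granted_access": "0x1010"},
    {"host": "srv02", "id": 4624, "logon_type": 10, "user": "corp\\jdoe", "src_ip": "10.0.0.15"},
    {"host": "srv02", "id": 7045, "service_name": "PSEXESVC",
     "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    {"host": "srv03", "id": 4624, "logon_type": 2, "user": "corp\\alice", "src_ip": "-"},
]

# Hidden window or encoded command are the usual signs of a PowerShell stager.
SUSPICIOUS_POWERSHELL = re.compile(
    r"(?i)powershell.*(-enc(odedcommand)?\s|-w(indowstyle)?\s+hidden)")


def classify(ev):
    """Map one event to a stage label from the alert, or None if it looks benign."""
    if ev["id"] == 4688 and SUSPICIOUS_POWERSHELL.search(ev.get("cmdline", "")):
        return "powershell_loader"
    if ev["id"] == 10 and ev.get("target_image", "").lower().endswith("\\lsass.exe"):
        return "lsass_access"          # credential theft, e.g. Mimikatz
    if ev["id"] == 4624 and ev.get("logon_type") == 10:
        return "rdp_logon"
    if ev["id"] == 7045 and ev.get("service_name", "").upper() == "PSEXESVC":
        return "psexec_service"        # remote execution via PsExec
    return None


def find_stages(events):
    """Return {host: sorted list of distinct stages observed on that host}."""
    stages = defaultdict(set)
    for ev in events:
        label = classify(ev)
        if label:
            stages[ev["host"]].add(label)
    return {host: sorted(seen) for host, seen in stages.items()}


def hosts_to_escalate(events, minimum=2):
    """Hosts showing at least `minimum` distinct stages warrant incident handling."""
    return sorted(h for h, seen in find_stages(events).items() if len(seen) >= minimum)


if __name__ == "__main__":
    for host, seen in find_stages(SAMPLE_EVENTS).items():
        print(host, seen)
    print("escalate:", hosts_to_escalate(SAMPLE_EVENTS))
```

A single stage on a host is worth a look; two or more of them together on one host is the pattern the alert describes and should trigger the incident-response process.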
Agency leaders want organizations to know that it doesn't matter which agency — FBI, CISA, Secret Service — they contact first after an incident. Eventually, they all will know. Organizations are not required to go to law enforcement first after a ransomware incident.
Reporting incidents to law enforcement provides agencies with "information needed to prevent future attacks by identifying and tracking ransomware attackers and holding them accountable under U.S. law," the alert said.
The FBI has always recommended organizations avoid paying ransoms, despite the agency's recent success in recouping stolen funds. The law enforcement agency would like to see ransom payment recoveries become the norm, but significant resource gaps stand in the way.
Law enforcement depends on cryptocurrency specialists, computer scientists, blockchain analysts and crypto-tracers to retrieve ransoms, and agencies need more technical capability to expand recovery efforts.
The estimated $43.9 million stolen by Cuba actors is small compared with the takes of the larger ransomware players; Cuba does not appear among the top offenders on Ransomwhe.re.
The Treasury Department found $590 million in ransomware-related activity in suspicious activity reports (SARs) in the first half of 2021. In 2020, the total amount in ransomware-related activity reached only $416 million for the entire year. The top 10 ransomware variants were attached to 177 unique convertible virtual currency wallet addresses "reflecting $1.56 billion in suspicious activity" in the last 10 years, the Financial Crimes Enforcement Network found.
To prevent ransomware attacks by assessing more threat groups, law enforcement and DHS want more data sharing and the incident reporting rule included in the FY2022 National Defense Authorization Act (NDAA).