Dive Brief:
- Cuba ransomware actors are still successfully targeting U.S. organizations in five critical infrastructure sectors: financial services, government facilities, healthcare, critical manufacturing and information technology, the FBI and the Cybersecurity and Infrastructure Security Agency said Thursday in a joint advisory.
- The ransomware group and its affiliates more than doubled the number of organizations they hit between November 2021 and August 2022, and the group's total illicit haul to date now exceeds $60 million.
- Cuba ransomware actors, which have no known connection to the Republic of Cuba, have compromised more than 100 organizations globally and demanded more than $145 million in ransom.
Dive Insight:
Cuba ransomware actors gain initial access to U.S. organizations through known vulnerabilities in commercial software, phishing campaigns, compromised credentials and legitimate remote desktop protocol (RDP) tools, the FBI and CISA said in the joint advisory.
“This year, Cuba ransomware actors have added to their [tactics, techniques and procedures], and third-party and open-source reports have identified a possible link between Cuba ransomware actors, RomCom Remote Access Trojan actors and Industrial Spy ransomware actors,” the federal agencies said.
CISA and the FBI also updated the advisory's indicators of compromise, drawn from threat response investigations through August, to help organizations detect possible exploitation or compromise.
The group's victim count has more than doubled, and the ransom payments attributed to it have risen from almost $44 million to more than $60 million, since the FBI called out the group and its activities in a previous advisory issued one year ago to the day.
Federal authorities, as of December 2021, attributed 49 victim organizations and almost $44 million in ransom payments to the group.