Cuba Ransomware Group Deploys New Malware

Kaspersky has uncovered new iterations of the Cuba ransomware group's Burntcigar malware that use encrypted data to evade antivirus detection, according to a prepared statement.

The company found these iterations on VirusTotal and noted that some of them managed to evade detection by other security vendors.

What Is Burntcigar Malware?

Burntcigar exploits I/O control codes used for communicating with drivers, Kaspersky indicated. By doing so, Burntcigar lets attackers terminate kernel-level processes.

In addition to Burntcigar, the Cuba ransomware group utilizes the Bughatch backdoor for cyberattacks, Kaspersky noted. Bughatch involves the use of the Windows API to execute an embedded block of shellcode within memory space allocated to it. It then connects to a command-and-control (C2) server and can receive commands to download software.  

A Closer Look at the Cuba Ransomware Group

Cuba refers to a single-file ransomware strain, according to Kaspersky. This strain is difficult to detect due to the fact that it works without the need for additional libraries.

The Cuba ransomware group targets organizations across many industries, including:

  • Finance
  • Government
  • Logistics
  • Manufacturing
  • Retail

To date, the group has attacked organizations in North America, Europe, Oceania and Asia, Kaspersky said. The group uses both public and proprietary tools during its attacks. It also regularly updates its toolkit and utilizes tactics like bring your own vulnerable driver (BYOVD).

Cuba Ransomware Group Alters Compilation Timestamps to Mislead Investigators

Some Cuba ransomware samples found in 2020 carried a compilation date of June 4, 2020, Kaspersky indicated. Samples discovered after that date, however, carried a compilation timestamp of June 19, 1992.
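The timestamp forgery described above is visible from the PE file header alone. As an added example (not from the article or from Kaspersky), the following Python reads IMAGE_FILE_HEADER.TimeDateStamp from a constructed minimal PE stub and flags values that predate an assumed 1993 cut-off or postdate the time the sample was first observed; the cut-off, the clock-skew tolerance and the sample bytes are all assumptions made here.

```python
# Added example, not from the article or Kaspersky: read the PE compile
# timestamp and flag values that cannot be genuine, such as a 1992 date.
# The PE bytes are constructed here; they are a header stub, not real malware.
import struct
from datetime import datetime, timezone

# Assumption: no PE from this actor's toolchain can predate 1993 (Windows NT era);
# anything earlier is treated as a forged timestamp.
EARLIEST_PLAUSIBLE = datetime(1993, 1, 1, tzinfo=timezone.utc)
FUTURE_SLACK_DAYS = 1  # assumed clock-skew tolerance before "future" is flagged


def epoch_utc(year: int, month: int, day: int) -> int:
    """UTC midnight of a calendar date as a Unix timestamp."""
    return int(datetime(year, month, day, tzinfo=timezone.utc).timestamp())


def build_pe_stub(timestamp: int) -> bytes:
    """Constructed minimal PE image: DOS header, PE signature and COFF header only."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    #       NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 1, timestamp, 0, 0, 0xF0, 0x0022)
    return dos_header.ljust(e_lfanew, b"\x00") + b"PE\x00\x00" + coff


def pe_compile_timestamp(data: bytes) -> int:
    """Return IMAGE_FILE_HEADER.TimeDateStamp after validating the MZ/PE signatures."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    (ts,) = struct.unpack_from("<I", data, e_lfanew + 8)  # 4-byte sig + 4 bytes into COFF
    return ts


def classify_timestamp(ts: int, first_seen: int) -> str:
    """Compare the claimed compile time with when the sample was first observed."""
    if ts == 0:
        return "zeroed"  # reproducible builds or deliberate stripping
    if ts < int(EARLIEST_PLAUSIBLE.timestamp()):
        return "implausible_past"  # e.g. a 1992 date planted to mislead analysts
    if ts > first_seen + FUTURE_SLACK_DAYS * 86400:
        return "future"  # "compiled" after it was observed: also forged
    return "plausible"


def triage(data: bytes, first_seen: int) -> tuple:
    """Extract and classify the compile timestamp of one PE image."""
    ts = pe_compile_timestamp(data)
    return ts, classify_timestamp(ts, first_seen)
```

A zeroed or implausible value is a triage signal, not proof of tampering on its own; correlate it with the file's first-seen time and signing information before drawing conclusions.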

Along with altering timestamps, the Cuba group tailors its attacks to extract financial documents, bank records, company accounts, source code and other sensitive data. The group also remains dynamic and is constantly refining its techniques, Kaspersky pointed out.

How to Protect Against Cuba Ransomware Group Attacks

Kaspersky offers the following tips to help organizations guard against Cuba ransomware group attacks:

  • Keep software up to date.
  • Develop a defense strategy focused on detecting lateral movement and data exfiltration to the internet.
  • Set up offline backups that can be accessed as needed.
  • Deploy ransomware protection across all endpoints.
  • Install anti-advanced persistent threat (anti-APT) and endpoint detection and response (EDR) solutions.
  • Utilize threat intelligence to stay informed about emerging threats.

Also, Kaspersky is providing free access to its Threat Intelligence Resource Hub, which offers independent, continuously updated and globally sourced information about cyberattacks and threats.

Dan Kobialka

Dan Kobialka is senior contributing editor, MSSP Alert and ChannelE2E. He covers IT security, IT service provider business strategies and partner programs. Dan holds a M.A. in Print and Multimedia Journalism from Emerson College and a B.A. in English from Bridgewater State University. In his free time, Dan enjoys jogging, traveling, playing sports, touring breweries and watching football.