Cuba Ransomware Group
A Russia-based ransomware operation that uses Cuban Revolution iconography despite having no connection to Cuba. First observed in 2019 in activity that Unit 42 tracks as Tropical Scorpius, it later adopted the Cuba branding. The group is distinguished by technical depth: operators developed a custom kernel driver, signed with NVIDIA's leaked code-signing certificate, to disable endpoint security products, a level of anti-defense engineering rarely seen in ransomware operations. The custom RomCom RAT, bespoke privilege escalation tooling, and exploitation of Windows internals place the group in a technically sophisticated tier within the ransomware ecosystem.
Overview
Cuba Ransomware Group — tracked by Palo Alto Networks as Tropical Scorpius and by Mandiant as UNC2596 — is a financially motivated ransomware operation assessed with high confidence as Russia-based. Despite the branding, the FBI and CISA have explicitly noted there is no evidence of any connection or affiliation with the Republic of Cuba. The Cuban Revolutionary iconography and naming appear to be deliberately misleading, a common obfuscation tactic in Eastern European cybercriminal operations.
The group surfaced in December 2019 and operated quietly until November 2021, when an FBI Flash alert documented its activity against US critical infrastructure. The group reemerged with significantly evolved capabilities in 2022: Unit 42 documented Tropical Scorpius deploying a previously unknown remote access trojan (RomCom RAT), a custom Kerberos credential tool (KerberCache), and a kernel-level driver (ApcHelper.sys) signed using a code-signing certificate stolen from NVIDIA in the LAPSUS$ breach. The kernel driver specifically targeted and terminated endpoint security products — a capability that requires deep Windows internals knowledge and distinguishes Cuba from opportunistic ransomware operations.
Cuba operates double extortion: data is exfiltrated before encryption, with stolen data published on a Tor-hosted leak site for non-paying victims. The group has also been linked to Industrial Spy, a dark web data extortion marketplace used to sell some stolen data to interested parties rather than simply publishing it publicly — an additional monetization layer beyond standard double extortion. By August 2022, the FBI documented that Cuba had compromised 101 entities (65 in the US, 36 international), demanded $145 million in ransom, and received $60 million in payments.
CISA and the FBI issued a joint #StopRansomware advisory (AA22-335A) in December 2022 specifically warning about Cuba ransomware targeting five US critical infrastructure sectors: financial services, government facilities, healthcare and public health, critical manufacturing, and information technology. The advisory documented that Cuba's US victim count had doubled since the December 2021 FBI Flash, and flagged new TTPs including the NVIDIA-signed kernel driver, CVE-2022-24521 exploitation, and RomCom RAT deployment. Organizations in these sectors should treat this advisory as a standing threat reference.
Target Profile
Cuba's targeting is concentrated heavily in the United States — approximately 65% of confirmed victims are US-based — with a particular focus on organizations in five critical infrastructure sectors identified by the FBI.
- Financial services: Banks, financial institutions, and payment processors are a consistent priority. Financial data carries high sensitivity for regulatory exposure and reputational damage, making it effective double extortion leverage regardless of whether victims pay for decryption.
- Government facilities: US government entities at federal, state, and local levels have been targeted. The September 2022 Montenegro attack — affecting 150 workstations across ten government institutions — demonstrated the group's willingness to target national government infrastructure outside the US as well.
- Healthcare and public health: Healthcare organizations were specifically called out in the CISA/FBI advisory as priority targets. The group has also been linked to deploying Industrial Spy ransomware against a foreign healthcare company, indicating willingness to use multiple ransomware strains against high-value healthcare targets.
- Critical manufacturing: Manufacturing organizations with proprietary designs and production systems provide both financial ransom leverage and valuable intellectual property for the data exfiltration component of double extortion.
- Information technology: IT companies and MSPs carry client network access that can be leveraged beyond the initial victim. IT sector targeting reflects Cuba's understanding of the multiplier effect of compromising technology infrastructure providers.
- Oil companies and energy: Kaspersky documented Cuba targeting oil companies alongside its government and healthcare focus, reflecting opportunistic expansion into any sector with high-value data and the ability to pay significant ransoms.
- Ukraine (geopolitical targeting): In October 2022, CERT-UA documented Cuba targeting Ukrainian entities with phishing emails impersonating the Ukrainian armed services, delivering RomCom RAT. This targeting aligns with Russian interests and raises questions about the extent to which Cuba may accept intelligence-adjacent tasking alongside financial operations.
Tactics, Techniques & Procedures
Cuba's technical depth distinguishes it within the ransomware ecosystem. The combination of kernel-level security product termination, custom RAT development, and weaponized privilege escalation exploits reflects sustained investment in anti-detection capabilities beyond typical RaaS operations.
| mitre id | technique | description |
|---|---|---|
| T1566.001 | Spear-Phishing / Hancitor Delivery | Initial delivery has historically used Hancitor (also known as Chanitor), a malware loader distributed via phishing emails with malicious document attachments. Hancitor drops Cuba ransomware alongside RATs and stealers onto victim networks. Cuba also uses phishing campaigns with targeted social engineering, including the October 2022 Ukrainian military-themed lures delivering RomCom via a trojanized PDF Reader installer. |
| T1190 | Exploit Public-Facing Application | Cuba has actively exploited Microsoft Exchange Server vulnerabilities including ProxyShell and ProxyLogon for initial network access. In early 2023, the group was observed exploiting CVE-2022-41080 (related to ProxyNotShell). The group also exploited Veeam Backup and Replication vulnerability CVE-2023-27532 to access stored credentials and potentially disable recovery capabilities. |
| T1543.003 | Kernel Driver — ApcHelper.sys | Cuba's most technically distinctive capability. A dropper deploys ApcHelper.sys — a custom kernel driver — to the file system and creates a service to run it. The kernel driver terminates targeted security product processes including Sophos, ALsvc, HMPAlert, McsAgent, SAVAdminService, and others. Critically, while the dropper is unsigned, the kernel driver itself was signed using the RSA-SHA1 code-signing certificate stolen from NVIDIA in the LAPSUS$ breach — granting it driver-signing trust and bypassing standard driver loading restrictions. |
| T1068 | Privilege Escalation — CVE-2022-24521 | Cuba exploited CVE-2022-24521, a logic bug in the Windows Common Log File System (CLFS) driver, to steal System tokens and escalate privileges to SYSTEM. PowerShell's Invoke-WebRequest downloaded the exploit binary from tmpfiles[.]org. A ZeroLogon exploitation tool (CVE-2020-1472) was also observed being used by Tropical Scorpius to achieve domain administrator privileges in some intrusions. |
| T1557 | Kerberoasting — KerberCache | Cuba developed a custom Kerberos tool tracked as KerberCache that enumerates service accounts (via GetUserSPNs.ps1 execution), collects Kerberos tickets, and enables offline cracking to obtain service account credentials. This provides an additional credential harvesting path alongside standard LSASS dumping via Mimikatz, targeting accounts worth escalating based on their service account privileges. |
| T1219 | RomCom RAT — Custom C2 | RomCom (also written ROMCOM) is a custom RAT developed by the Tropical Scorpius operators and deployed as the final C2 stage following lateral movement. Capabilities include: reverse shell, arbitrary file deletion, file upload to remote servers, harvesting running process lists, capturing screenshots via a Screenshooter plugin, and listing installed applications. Version 2 (observed June 2022) expanded the command set from 10 to 22 commands. Original C2 communications used ICMP requests through Windows API functions. |
| T1003.001 | LSASS Memory Dumping | Cuba operators dump credentials from LSASS memory using Mimikatz, providing domain credentials for lateral movement. Combined with KerberCache service account enumeration and ZeroLogon exploitation in some campaigns, the group employs multiple credential acquisition paths to maximize lateral movement options within compromised networks. |
| T1657 | Double Extortion / Data Exfiltration | Data is exfiltrated before encryption using Impacket, Cobalt Strike, and FTP-based tooling. Exfiltrated data is published on a Tor-hosted leak site for victims who decline to pay. Uniquely, Cuba also partnered with Industrial Spy — a dark web data marketplace — to sell exfiltrated data to interested third parties, providing a monetization option beyond standard public data leaking. |
| T1486 | File Encryption — Salsa20 / RSA | Cuba ransomware uses Salsa20 for file encryption and RSA to encrypt the Salsa key, preventing decryption without the private key. Encrypted files have the .cuba extension appended. The ransomware checks for a FIDEL.CA file marker to avoid re-encrypting already-encrypted files. Ransom notes direct victims to a Tor-based payment portal. Critical system files are excluded to keep systems bootable. |
| T1562.001 | BURNTCIGAR — Anti-Malware Evasion | Cuba developed BURNTCIGAR, a custom utility that terminates anti-malware processes on the endpoint. Combined with ApcHelper.sys kernel-level security product termination, the group maintains multiple defense evasion layers. BURNTCIGAR has been observed receiving updates including hashing functionality modifications — indicating active ongoing development rather than static tooling. |
Known Campaigns
Selected high-significance operations across Cuba's documented operational history, illustrating the group's escalating technical sophistication and geographic expansion.
Cuba ransomware first appeared in December 2019, in activity that Unit 42 tracks as Tropical Scorpius, operating quietly through the Hancitor loader delivered via phishing emails. The group targeted financial services, government facilities, healthcare, critical manufacturing, and IT organizations in the United States. By the time the FBI issued its December 2021 Flash advisory, Cuba had compromised 60 entities and collected at least $43.9 million in ransom payments, a significant haul for a group that had attracted little public attention during this period. Initial access methods during this phase included Hancitor-distributed phishing, compromised RDP credentials, and exploitation of exposed remote access infrastructure.
Beginning in May 2022, Unit 42 documented a significant evolution in Tropical Scorpius capabilities. The group deployed ApcHelper.sys — a kernel driver signed with NVIDIA's code-signing certificate stolen in the LAPSUS$ breach — to terminate endpoint security products at the kernel level before ransomware deployment. The group also introduced RomCom RAT, KerberCache for Kerberos ticket harvesting, and weaponized exploitation of CVE-2022-24521 in the Windows CLFS driver for privilege escalation to SYSTEM. This TTP evolution prompted the December 2022 CISA/FBI joint advisory documenting that the US victim count had doubled and ransom demands had grown to $145 million.
In September 2022, the Montenegrin government confirmed a Cuba ransomware attack affecting 150 workstations across ten government institutions. Cuba confirmed the breach on their leak site, claiming to have exfiltrated financial documents, correspondence, account details, balance sheets, and tax documents. The attack struck Montenegro's national government IT infrastructure and demonstrated the group's willingness to conduct high-profile attacks against European government targets — significant given Montenegro's NATO membership and the geopolitical context of the attack period.
In October 2022, Ukraine's CERT-UA published a warning about Cuba ransomware targeting Ukrainian organizations via phishing emails impersonating the Ukrainian armed services. The lure emails contained links redirecting to a malicious website hosting a trojanized PDF Reader installer. When downloaded and executed, this installer decoded and ran RomCom malware. Research noted that Cuba ransomware attacks on Ukraine were assessed as financially motivated rather than coordinated with Russia's military campaign — though the targeting of Ukrainian entities during active conflict inherently aligns with Russian strategic interests regardless of stated motivation.
In early 2023, Cuba was observed exploiting CVE-2022-41080, a Microsoft Exchange Server vulnerability related to the ProxyNotShell vulnerability chain, for initial access to target networks. This followed the group's earlier exploitation of ProxyShell and ProxyLogon, indicating a sustained focus on Exchange Server exploitation as an initial access pathway. The group also exploited CVE-2023-27532 in Veeam Backup and Replication — specifically targeting backup infrastructure both to access stored credentials and to hinder recovery efforts, a technique shared with other sophisticated ransomware operators.
Cuba claimed responsibility for a May 2023 ransomware attack against the Philadelphia Inquirer, one of the oldest and largest US metropolitan newspapers. The attack caused significant disruption to the newspaper's printing and distribution operations. The Inquirer disputed some aspects of Cuba's leak site claims, but the attack confirmed Cuba's continued active targeting of US organizations beyond traditional critical infrastructure sectors, expanding into media and communications.
Tools & Malware
Cuba maintains a layered toolset combining custom-developed capabilities with commodity tools, demonstrating a level of proprietary malware investment unusual in the ransomware space.
- Cuba ransomware (COLDDRAW): The core ransomware payload written in C++. Uses Salsa20 symmetric encryption for file content and RSA for Salsa key protection. Checks the FIDEL.CA file marker to avoid re-encrypting already-processed files. Appends the .cuba extension to encrypted files and drops a ransom note directing victims to a Tor payment portal. Excludes critical system files to keep the host operational.
- RomCom RAT: A custom remote access trojan developed by Tropical Scorpius operators. Provides C2 capability including reverse shell, file deletion, file upload, process enumeration, screenshot capture (via a Screenshooter plugin), and installed application listing. C2 communications use ICMP requests via Windows API functions. Version 2 expanded from 10 to 22 commands and added payload fetching capability. Under active development at the time of initial Unit 42 disclosure.
- ApcHelper.sys: A custom kernel driver dropped by an unsigned dropper that creates a Windows service to load it. Terminates targeted endpoint security processes at the kernel level — bypassing standard userspace detection and removal. Signed using the RSA-SHA1 code-signing certificate stolen from NVIDIA during the LAPSUS$ breach, enabling it to pass Windows Driver Signature Enforcement checks.
- BURNTCIGAR: A custom anti-malware evasion utility that terminates security product processes in userspace, complementing ApcHelper.sys's kernel-level approach. Has received ongoing updates including added hashing functionality, indicating continued development post-initial-deployment.
- BUGHATCH: A downloader/backdoor deployed post-initial-compromise to download and execute additional payloads. Used alongside the Termite in-memory dropper to deploy tools without writing them to disk, reducing forensic artifacts.
- KerberCache: A custom Kerberos credential tool that enumerates user accounts used as service accounts, collects their Kerberos tickets, and stages them for offline cracking. Works alongside PowerShell's GetUserSPNs.ps1 script to identify and prioritize high-value service accounts for credential attacks.
- Hancitor (Chanitor): A third-party loader historically used for initial Cuba ransomware delivery. Distributed via phishing emails, Hancitor drops additional malware payloads — including RATs and ransomware — onto victim networks. Cuba's early campaigns were substantially dependent on Hancitor for initial access, though the group has since diversified initial access methods.
- Cobalt Strike / Impacket / Meterpreter: Standard post-exploitation frameworks used for lateral movement, C2, and data exfiltration staging. Cuba uses its own Cobalt Strike infrastructure configured with custom network profiles and communicates via PROXYHTA for additional C2 obfuscation.
Indicators of Compromise
Behavioral and structural indicators for Cuba are drawn from CISA/FBI advisory AA22-335A and Unit 42 research. Cuba remains an active threat, and its C2 domains and IP addresses rotate with each campaign, so the behavioral patterns described in the TTP and mitigation sections (driver service creation, RC4 Kerberos service-ticket requests, Exchange and Veeam exploitation) are more durable than network IOCs; implement detection for those patterns rather than relying on domain or IP blocklists. For the full machine-readable IOC set from the 2022 advisory period, consult the STIX file published with AA22-335A, and cross-reference current threat intelligence feeds for the latest infrastructure indicators.
Mitigation & Defense
Cuba's kernel-level defense evasion and custom toolchain require layered defenses that go beyond signature-based detection. The CISA/FBI advisory provides specific guidance for critical infrastructure organizations.
- Patch Exchange Server and Veeam immediately: Cuba has actively exploited ProxyShell, ProxyLogon, CVE-2022-41080 (ProxyNotShell-adjacent), and CVE-2023-27532 in Veeam. Exchange vulnerabilities have been among the most exploited ransomware entry points industry-wide. Ensure all Exchange patches are current and Veeam is updated. Veeam patches are especially critical since targeting backup infrastructure is a deliberate recovery-prevention tactic.
- Driver and kernel integrity monitoring: ApcHelper.sys uses a legitimate-appearing NVIDIA signature to load at kernel level. Implement Kernel DMA Protection, Windows Defender Credential Guard, and HVCI (Hypervisor-Protected Code Integrity) where available — these controls limit the ability of signed-but-malicious kernel drivers to execute. Monitor for new service creation events (Event ID 7045) and unexpected driver loading, particularly from non-standard paths.
- Block or monitor certificate-based driver trust: The LAPSUS$-stolen NVIDIA certificate is known-compromised. Security vendors have added it to revocation lists, but ensure your endpoint protection has the most current certificate revocation data. Monitor for drivers signed by the specific certificate thumbprint identified in CISA advisory AA22-335A.
- Patch CVE-2022-24521 and ZeroLogon: Both vulnerabilities are in Cuba's documented exploit kit. CVE-2022-24521 was patched in April 2022 and CVE-2020-1472 (ZeroLogon) in August 2020 — any unpatched system with either vulnerability is at direct risk from Cuba's privilege escalation chain. ZeroLogon in particular is a domain-controller-level vulnerability requiring immediate patch priority.
- Hancitor email gateway controls: Cuba's historical delivery vector via Hancitor relies on phishing with Office macros. Disable macros from internet-originated documents, enforce Attack Surface Reduction rules targeting Office macro execution, and implement sandbox-based email attachment analysis.
- Monitor for Kerberoasting activity: KerberCache's service account enumeration is detectable via Windows Event ID 4769 (Kerberos Service Ticket Request) showing the RC4 encryption type (0x17) for requests from accounts that do not normally request those service tickets. Alert on GetUserSPNs.ps1 execution from non-administrative workstations.
- Network-segment backup infrastructure: Cuba has exploited Veeam specifically to access stored credentials and disable backup capabilities. Backup systems must be on isolated network segments with no trust from production domain accounts. Immutable or air-gapped backup copies are the only reliable recovery mechanism against groups that specifically target backup infrastructure.
- RDP hardening and monitoring: Cuba uses compromised RDP credentials for initial access and lateral movement. Enforce MFA on all RDP, restrict RDP to specific source IPs via firewall policy, and monitor for RDP authentication anomalies including off-hours access, credential stuffing patterns, and geographically inconsistent logins.
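As an added illustration of two of the monitoring points above (example code, not from the advisory or any vendor), the following Python runs detection logic over a constructed export of Windows event records: it flags a kernel-mode driver service installed from a non-standard path (Event ID 7045, the ApcHelper.sys pattern) and a burst of RC4 (0x17) service-ticket requests from a single account (Event ID 4769), generalizing the Kerberoasting guidance to a sliding-window count of distinct SPNs. The field names, trusted directories, thresholds and sample records are assumptions.

```python
"""Added example (not from the advisory or any vendor): detection logic for
two of the mitigation points above, run over a constructed export of Windows
event records. Field names mirror the commonly exported names for Event ID
7045 (System log, service installed) and 4769 (Security log, TGS request)."""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = [  # constructed sample telemetry, not real incident data
    {"EventID": 7045, "Time": "2022-06-01T02:14:05", "ServiceName": "ApcHelper",
     "ImagePath": "C:\\Users\\Public\\ApcHelper.sys", "ServiceType": "kernel mode driver"},
    {"EventID": 7045, "Time": "2022-06-01T09:00:00", "ServiceName": "storahci",
     "ImagePath": "\\SystemRoot\\System32\\drivers\\storahci.sys", "ServiceType": "kernel mode driver"},
    {"EventID": 4769, "Time": "2022-06-01T02:20:01", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "sql_svc", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "Time": "2022-06-01T02:20:02", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "backup_svc", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "Time": "2022-06-01T02:20:03", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "iis_svc", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "Time": "2022-06-01T08:00:00", "TargetUserName": "asmith@CORP.LOCAL",
     "ServiceName": "sql_svc", "TicketEncryptionType": "0x12"},   # AES256: normal
    {"EventID": 4769, "Time": "2022-06-01T08:30:00", "TargetUserName": "asmith@CORP.LOCAL",
     "ServiceName": "fileshare_svc", "TicketEncryptionType": "0x17"},  # single RC4 request
]
# Directories kernel drivers are normally loaded from (assumption; tune per estate).
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\driverstore\\")


def normalize_path(path):
    """Map NT-style service image paths onto a lowercase Win32 form for comparison."""
    p = path.strip().strip('"')
    if p.startswith("\\??\\"):
        p = p[4:]
    if p.lower().startswith("\\systemroot\\"):
        p = "C:\\Windows\\" + p[len("\\SystemRoot\\"):]
    return p.lower()


def flag_driver_services(events, trusted_dirs=TRUSTED_DRIVER_DIRS):
    """Names of kernel-mode driver services (7045) whose image sits outside trusted dirs."""
    flagged = []
    for ev in events:
        if ev.get("EventID") != 7045 or "kernel" not in str(ev.get("ServiceType", "")).lower():
            continue
        if not normalize_path(ev.get("ImagePath", "")).startswith(tuple(trusted_dirs)):
            flagged.append(ev["ServiceName"])
    return flagged


def flag_kerberoasting(events, window=timedelta(minutes=10), min_spns=3):
    """{account: sorted SPNs} for accounts requesting RC4 (0x17) service tickets
    for at least min_spns distinct services within one sliding time window."""
    requests = defaultdict(list)
    for ev in events:
        if ev.get("EventID") == 4769 and str(ev.get("TicketEncryptionType", "")).lower() == "0x17":
            requests[ev["TargetUserName"]].append(
                (datetime.fromisoformat(ev["Time"]), ev["ServiceName"]))
    hits = {}
    for account, reqs in requests.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):  # window opens at each request in turn
            spns = {spn for t, spn in reqs[i:] if t - start <= window}
            if len(spns) >= min_spns:
                hits[account] = sorted(spns)
                break
    return hits


if __name__ == "__main__":
    print("suspicious driver services:", flag_driver_services(SAMPLE_EVENTS))
    print("possible Kerberoasting:", flag_kerberoasting(SAMPLE_EVENTS))
```

In a SIEM, the same logic maps to a correlation rule keyed on the requesting account with a distinct-count of ServiceName over the window, plus a separate rule on 7045 records whose image path falls outside the driver directories.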
Cuba's use of a kernel driver signed with a certificate from the NVIDIA LAPSUS$ breach is the defining technical characteristic of this group — it reflects a level of operational sophistication and supply chain awareness that sets them apart from standard RaaS operators. Most ransomware groups use commercial frameworks and commodity exploits; Cuba developed custom tools targeting Windows internals specifically to neutralize endpoint security before encryption. The Ukraine targeting in October 2022 — alongside a broader pattern of Russian-origin ransomware groups that avoid CIS-language targets — raises the standing question of whether Cuba accepts intelligence-aligned tasking on an opportunistic basis. Unit 42 has noted the exact nature of any relationship with the Russian government remains unknown. The group has since expanded into Industrial Spy, Underground, and Trigona ransomware families, indicating continued active operations beyond the Cuba brand alone.
Sources & Further Reading
Attribution and references used to build this profile.
- CISA / FBI — #StopRansomware: Cuba Ransomware (AA22-335A) (2022)
- Palo Alto Unit 42 — Novel News on Cuba Ransomware: Greetings From Tropical Scorpius (2022)
- The Hacker News — Hackers Behind Cuba Ransomware Using New RAT Malware (2022)
- Kaspersky Securelist — Analysis of Cuba Ransomware Gang Activity and Tooling (2023)
- Trend Micro — Ransomware Spotlight: Cuba
- TheSecMaster — Cuba Ransomware Group: TTPs and Defense Guide (2024)
- Avertium — An In-Depth Look at Cuba Ransomware
- Palo Alto Unit 42 — Threat Actor Groups: Tropical Scorpius (updated 2025)