
S0625 Cuba

Cuba is a Windows-based ransomware family that has been used against financial institutions, technology, and logistics organizations in North and South America as well as Europe since at least December 2019.[1]

Item | Value
ID | S0625
Associated Names | (none listed)
Type | MALWARE
Version | 1.0
Created | 18 June 2021
Last Modified | 12 October 2021

Techniques Used

Domain | ID | Name | Use
enterprise | T1134 | Access Token Manipulation | Cuba has used SeDebugPrivilege and AdjustTokenPrivileges to elevate privileges.[1]
enterprise | T1059 | Command and Scripting Interpreter | -
enterprise | T1059.001 | PowerShell | Cuba has been dropped onto systems and used for lateral movement via obfuscated PowerShell scripts.[1]
enterprise | T1059.003 | Windows Command Shell | Cuba has used cmd.exe /c and batch files for execution.[1]
enterprise | T1543 | Create or Modify System Process | -
enterprise | T1543.003 | Windows Service | Cuba can modify services by using the OpenService and ChangeServiceConfig functions.[1]
enterprise | T1486 | Data Encrypted for Impact | Cuba has the ability to encrypt system data and add the “.cuba” extension to encrypted files.[1]
enterprise | T1083 | File and Directory Discovery | Cuba can enumerate files by using a variety of functions.[1]
enterprise | T1564 | Hide Artifacts | -
enterprise | T1564.003 | Hidden Window | Cuba has executed hidden PowerShell windows.[1]
enterprise | T1070 | Indicator Removal | -
enterprise | T1070.004 | File Deletion | Cuba can use the command cmd.exe /c del to delete its artifacts from the system.[1]
enterprise | T1105 | Ingress Tool Transfer | Cuba can download files from its C2 server.[1]
enterprise | T1056 | Input Capture | -
enterprise | T1056.001 | Keylogging | Cuba logs keystrokes via polling by using the GetKeyState and VkKeyScan functions.[1]
enterprise | T1036 | Masquerading | -
enterprise | T1036.005 | Match Legitimate Name or Location | Cuba has been disguised as legitimate 360 Total Security Antivirus and OpenVPN programs.[1]
enterprise | T1106 | Native API | Cuba has used several built-in API functions for discovery, such as GetIpNetTable and NetShareEnum.[1]
enterprise | T1135 | Network Share Discovery | Cuba can discover shared resources using the NetShareEnum API call.[1]
enterprise | T1027 | Obfuscated Files or Information | Cuba has used multiple layers of obfuscation to avoid analysis, including a Base64-encoded payload.[1]
enterprise | T1027.002 | Software Packing | Cuba has a packed payload when delivered.[1]
enterprise | T1057 | Process Discovery | Cuba can enumerate processes running on a victim’s machine.[1]
enterprise | T1620 | Reflective Code Loading | Cuba loaded its payload into memory using PowerShell.[1]
enterprise | T1489 | Service Stop | Cuba has a hardcoded list of services and processes to terminate.[1]
enterprise | T1082 | System Information Discovery | Cuba can enumerate local drives, disk type, and disk free space.[1]
enterprise | T1614 | System Location Discovery | -
enterprise | T1614.001 | System Language Discovery | Cuba can check whether the Russian language is installed on the infected machine by using the GetKeyboardLayoutList function.[1]
enterprise | T1016 | System Network Configuration Discovery | Cuba can retrieve the ARP cache from the local system by using GetIpNetTable.[1]
enterprise | T1049 | System Network Connections Discovery | Cuba can use the GetIpNetTable function to recover the last connections to the victim’s machine.[1]
enterprise | T1007 | System Service Discovery | Cuba can query service status using the QueryServiceStatusEx function.[1]

References