Privacy Ninja

Cuba Ransomware Returns to Extorting Victims with Updated Encryptor

Cuba Ransomware Returns to Extorting Victims with Updated Encryptor

The Cuba ransomware operation has returned to regular operations with a new version of its malware found used in recent attacks.

Cuba ransomware’s activity reached a peak in 2021 when it partnered with the Hancitor malware gang for initial access. By the end of the year, it had breached 49 critical infrastructure organizations in the United States.

This year started less impressive for the ransomware gang, with few new victims. However, Mandiant spotted signs of tactical changes and experimentation that indicated the group is still active.

Now, Trend Micro analysts report seeing a resurgence in Cuba infections, starting in March and continuing strong until April 2022.

Also Read: The Difference Between GDPR And PDPA Under 10 Key Issues

Cuba listing a large firm in the automotive production industry
Cuba ransomware listing a large firm in the car production industry

Cuba has listed three victims in April and one in May on its Tor site. However, the attacks that resulted in the publication of these files likely unfolded earlier.

While these aren’t impressive figures compared to other ransomware operations, “Cuba” is generally more selective, hitting only large organizations.

New variant discovered

In late April, a new binary sampled by Trend Micro included minor additions and changes that make the malware more dangerous for targeted entities. More importantly, though, it shows that the operation is still alive and actively developing its encryptor.

While the updates to Cuba ransomware did not change much in terms of overall functionality, we have reason to believe that the updates aim to optimize its execution, minimize unintended system behavior, and provide technical support to the ransomware victims if they choose to negotiate. – Trend Micro

The malware now terminates more processes before encryption, including Outlook, MS Exchange, and MySQL. Ransomware encryptors terminate services to prevent those applications from locking files and preventing them from being encrypted.

Also Read: PDPA Compliance Singapore: 10 Areas To Work On

Malware's service termination
Malware’s service termination (Trend Micro)

Secondly, the exclusion list has been expanded with more directories and filetypes to be skipped during encryption. This helps maintain a working system after the attack and prevents execution loops that may result in corrupted files that can’t be restored, leaving victims with no incentive to pay for a decrypter.

Thirdly, the gang has updated its ransom notes, adding quTox for live victim support and stating that the threat actors will publish all stolen data on the Tor site if the demands aren’t met within three days.


The refinement of the Cuba ransomware variant can only mean that the group will continue to be a threat to organizations in the following months, mainly those located in North America.

Cuba ransomware remains secure at this time, so there’s no available decryptor that victims can use to recover their files for free.

Therefore, taking regular data backups, implementing network segmentation, and keeping all systems up to date would be the best approach to dealing with the threat.



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us