The Cuba Ransomware Gang's Attack on Rock County Public Health Department

The Cuba ransomware gang has attacked the Rock County Public Health Department. The Rock County Health Department is a local government agency responsible for overseeing public health initiatives and services in Rock County, Wisconsin. According to Josh Smith, County Administrator, some of the health departments were taken offline immediately following the attack. Cuba ransomware posted Rock County Health Department to its data leak site on October 3rd but provided no further details.

The Rise of Cuba Ransomware

The ransomware known as "Cuba," also referred to as "Fidel," was initially identified in late 2019 and gained significant prominence in the year 2022. Throughout this period, Cuba had an increasingly substantial impact, affecting hundreds of victims. In 2022 alone, this ransomware group managed to amass over $60 million in ransom payments. This significant financial activity prompted both the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) to issue flash alerts regarding the threat posed by Cuba ransomware.

Interestingly, the official website of Cuba ransomware operates on the Tor network, often referred to as the ".onion" domain. The website features a thematic design with Cuban nationalist elements, even though intelligence suggests that the group's origins are likely Russian. This is further evidenced by the presence of typical Russian spelling errors in their communications.

Associations and Techniques

It is worth noting that Cuba ransomware has associations with other threat actors, namely RomCom and Industrial Spy, which, although relatively small in number, have demonstrated a disproportionately high impact on their targets. Cuba ransomware distinguishes itself by employing conventional software packing techniques, which are considered less sophisticated compared to the tactics used by state-sponsored malware. This suggests that Cuba is likely the creation of a skilled but profit-driven group, rather than a government-backed entity. In this context, "packing" refers to the compression of software and its essential libraries into a single binary executable, making it challenging to reverse-engineer or detect by antivirus software.

Targeting and Extortion Tactics

Cuba ransomware adopts a selective approach to its targets, following a strategy known as "big game hunting." This strategy involves targeting a few prominent organizations operating in sectors such as financial services, government, healthcare, critical infrastructure, and IT. Reports indicate that Cuba ransomware operators typically deliver a decryption tool to victims who pay the ransom. However, they also utilize a double-extortion tactic, meaning they threaten to release stolen data and documents from victims who refuse to comply with their ransom demands.