New research reveals Cuba ransomware group’s undetectable malware
This group has been upgrading its malware to avoid detection and keep targeting organisations around the world and across a range of industries.
Security researchers at Kaspersky published new research exposing the notorious Cuba ransomware group.
The ransomware group has used the Komar65 library, also known as BUGHATCH, as a sophisticated backdoor that operates in process memory and connects to a command-and-control (C2) server. The malware’s capabilities have been enhanced with additional modules, one of which is responsible for collecting system information and sending it to a server via HTTP POST requests.
In addition, researchers have discovered a new malware sample on VirusTotal attributed to Cuba, which is an updated version of the BURNTCIGAR malware that contains encrypted data to avoid detection by antivirus software. This single-file ransomware strain does not operate with any additional libraries, which makes it difficult to detect.
This cybercrime group remains dynamic and continues to refine its techniques despite its long presence in cybersecurity crimes. In particular, this group is manipulating compilation timestamps to mislead investigators. In its report, Kaspersky encourages organizations to follow best practices to protect against ransomware, stressing the importance of staying informed and proactive against evolving cyber threats.
About author
DW Team
The GIP Digital Watch Observatory team, consisting of over 30 digital policy experts from around the world, excels in the fields of research and analysis on digital policy issues. The team is backed by the creative prowess of Creative Lab Diplo and the technical expertise of the Diplo tech team.