New research reveals Cuba ransomware group’s undetectable malware

This group has been upgrading its malware to avoid detection and keep targeting organisations around the world and across a range of industries.


Security researchers at Kaspersky published new research exposing the notorious Cuba ransomware group.

The ransomware group has used the Komar65 library, also known as BUGHATCH, as a sophisticated backdoor that operates in process memory and connects to a command-and-control (C2) server. The malware’s capabilities have been enhanced with additional modules, one of which is responsible for collecting system information and sending it to a server via HTTP POST requests.

In addition, researchers have discovered a new malware sample on VirusTotal attributed to Cuba, which is an updated version of the BURNTCIGAR malware that contains encrypted data to avoid detection by antivirus software. This single-file ransomware strain does not operate with any additional libraries, which makes it difficult to detect.

This cybercrime group remains dynamic and continues to refine its techniques despite its long history of cybercrime. In particular, the group manipulates compilation timestamps in its binaries to mislead investigators. In its report, Kaspersky encourages organizations to follow best practices to protect against ransomware, stressing the importance of staying informed and proactive against evolving cyber threats.
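The manipulated compilation timestamps mentioned above are something an analyst can check for directly. The following is an added example, not code from the report or from Kaspersky: it reads the COFF `TimeDateStamp` out of a PE header with the standard library and applies the plausibility checks an analyst typically runs (zeroed, in the future, implausibly old, or later than the date the sample was first seen). The thresholds and the constructed minimal PE image are assumptions for the demonstration.

```python
import struct
import time
from typing import List, Optional

# PE layout used here: e_lfanew at offset 0x3c of the DOS header points to the
# "PE\0\0" signature; the 20-byte COFF header follows, with TimeDateStamp as
# its second DWORD (signature offset + 8).
SIGNATURE = b"PE\0\0"
EPOCH_1990 = 631152000  # 1990-01-01 UTC; assumed lower bound for a real build


def pe_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp of a PE image, or raise ValueError."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != SIGNATURE:
        raise ValueError("PE signature not found")
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def timestamp_findings(ts: int, now: int, first_seen: Optional[int] = None) -> List[str]:
    """Plausibility checks on a compile timestamp; one-day slack for clock skew."""
    findings = []
    if ts == 0:
        findings.append("zeroed timestamp")
    elif ts > now + 86400:
        findings.append("timestamp in the future")
    elif ts < EPOCH_1990:
        findings.append("timestamp implausibly old")
    if first_seen is not None and ts > first_seen + 86400:
        findings.append("compiled after the sample was first observed")
    return findings


def build_minimal_pe(ts: int) -> bytes:
    """Constructed test image: DOS header + PE signature + COFF header only."""
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> right after DOS header
    # Machine=x64, 0 sections, TimeDateStamp, no symbols, no optional header
    coff = struct.pack("<HHIIIHH", 0x8664, 0, ts, 0, 0, 0, 0)
    return bytes(dos) + SIGNATURE + coff


if __name__ == "__main__":
    now = int(time.time())
    for label, ts in [("plausible", now - 30 * 86400), ("future", now + 365 * 86400)]:
        stamp = pe_timestamp(build_minimal_pe(ts))
        print(label, stamp, timestamp_findings(stamp, now))
```

On a real sample, pass the file bytes to `pe_timestamp` and the sandbox or VirusTotal first-seen time as `first_seen`; a clean result only means the stamp is plausible, not that it is genuine.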