{"id":47035,"date":"2022-06-08T00:00:00","date_gmt":"2022-06-08T00:00:00","guid":{"rendered":"urn:uuid:6dafdd27-b7bc-529c-455b-555f386ae7f7"},"modified":"2022-06-08T00:00:00","modified_gmt":"2022-06-08T00:00:00","slug":"cuba-ransomware-groups-new-variant-found-using-optimized-infection-techniques","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/cuba-ransomware-groups-new-variant-found-using-optimized-infection-techniques\/","title":{"rendered":"Cuba Ransomware Group\u2019s New Variant Found Using Optimized Infection Techniques"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/f\/cuba-ransomware-group's-new-variant-found-using-optimized-infection-techniques\/CubaMainResized.jpg\"><!-- OneTrust Cookies Consent Notice start for trendmicro.com --><!-- OneTrust Cookies Consent Notice end for trendmicro.com --> <!-- Begin mPulse library --> <!-- END mPulse library --> <head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width\"> <meta name=\"description\" content=\"Trend Micro Research observed the resurgence of the Cuba ransomware group that launched a new malware variant using different infection techniques compared to past iterations. 
We discuss our initial findings in this report.\"> <meta name=\"robots\" content=\"index,follow\"> <meta name=\"keywords\" content=\"endpoints,ransomware,research,articles, news, reports\"> <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge,chrome=1\"> <meta name=\"template\" content=\"article1withouthero\"> <meta property=\"article:published_time\" content=\"2022-06-08\"> <meta property=\"article:tag\"> <meta property=\"article:section\" content=\"research\"> <link rel=\"icon\" type=\"image\/ico\" href=\"\/content\/dam\/trendmicro\/favicon.ico\"> <link rel=\"canonical\" href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/f\/cuba-ransomware-group-s-new-variant-found-using-optimized-infect.html\"> <title>Cuba Ransomware Group\u2019s New Variant Found Using Optimized Infection Techniques<\/title> <link href=\"https:\/\/fonts.googleapis.com\/css?family=Open+Sans:300,300i,400,400i,600\" rel=\"stylesheet\">\n<link href=\"\/\/customer.cludo.com\/css\/296\/1798\/cludo-search.min.css\" type=\"text\/css\" rel=\"stylesheet\"> <link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch.min.css\" type=\"text\/css\"> <meta property=\"og:url\" content=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/f\/cuba-ransomware-group-s-new-variant-found-using-optimized-infect.html\"><br \/>\n<meta property=\"og:title\" content=\"Cuba Ransomware Group\u2019s New Variant Found Using Optimized Infection Techniques\"><br \/>\n<meta property=\"og:description\" content=\"Trend Micro Research observed the resurgence of the Cuba ransomware group that launched a new malware variant using different infection techniques compared to past iterations. 
We discuss our initial findings in this report.\"><br \/>\n<meta property=\"og:site_name\" content=\"Trend Micro\"><br \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/f\/cuba-ransomware-group's-new-variant-found-using-optimized-infection-techniques\/CubaMainResized.jpg\"><br \/>\n<meta property=\"og:locale\" content=\"en_US\"> <meta name=\"twitter:card\" content=\"summary_large_image\"><br \/>\n<meta name=\"twitter:site\" content=\"@TrendMicro\"><br \/>\n<meta name=\"twitter:title\" content=\"Cuba Ransomware Group\u2019s New Variant Found Using Optimized Infection Techniques\"><br \/>\n<meta name=\"twitter:description\" content=\"Trend Micro Research observed the resurgence of the Cuba ransomware group that launched a new malware variant using different infection techniques compared to past iterations. We discuss our initial findings in this report.\"><br \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/f\/cuba-ransomware-group's-new-variant-found-using-optimized-infection-techniques\/CubaMainResized.jpg\"> <\/head> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"50.183515775918\"> <!-- Page Scroll: Back to Top --> <a id=\"page-scroll\" title=\"VerticalPageScroll\" href=\"javascript:jumpScroll($(this).scrollTop());\"> <span class=\"icon-chevron-up\"><\/span> <\/a> <!-- \/* Data Layer *\/ --> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"1155405782\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"8.3012987012987\">\n<div 
class=\"article-details\" role=\"heading\" readability=\"36.135064935065\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__description\">Trend Micro Research observed the resurgence of the Cuba ransomware group that launched a new malware variant using different infection techniques compared to past iterations. We discuss our initial findings in this report.<\/p>\n<p class=\"article-details__author-by\">By: Don Ovid Ladores <time class=\"article-details__date\">June 08, 2022<\/time> <span>Read time:&nbsp;<\/span><span class=\"eta\"><\/span> (<span class=\"words\"><\/span> words) <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-md-8 col-md-push-2\"> <\/p>\n<div class=\"richText\" readability=\"42.574647887324\">\n<div readability=\"31.930985915493\">\n<p>Cuba <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/definition\/ransomware\" target=\"_blank\" rel=\"noopener\">ransomware<\/a> is a malware family that has been seasonally detected since it was first observed in <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/threat-encyclopedia\/malware\/Ransom.Win32.LEDIF.A\/\" target=\"_blank\" rel=\"noopener\">February 2020<\/a>. It resurfaced in <a href=\"https:\/\/www.securityweek.com\/fbi-warns-cuba-ransomware-attacks-critical-infrastructure\" target=\"_blank\" rel=\"noopener\">November 2021<\/a> based on the FBI\u2019s <a href=\"https:\/\/www.ic3.gov\/Media\/News\/2021\/211203-2.pdf\" target=\"_blank\" rel=\"noopener\">official notice<\/a>, and has <a href=\"https:\/\/www.zdnet.com\/article\/fbi-cuba-ransomware-hit-49-critical-infrastructure-organizations\/\" target=\"_blank\" rel=\"noopener\">reportedly<\/a> attacked 49 organizations in five critical infrastructure sectors, amassing at least US$ 43.9 million in ransom payments.&nbsp;&nbsp;<\/p>\n<p>We observed Cuba ransomware\u2019s resurgence in March and April this year. 
Our monitoring showed that the malware authors appear to be pushing incremental updates to the binary of a new variant. The samples we examined in March and April used <a href=\"https:\/\/www.mandiant.com\/resources\/unc2596-cuba-ransomware\">BUGHATCH<\/a>, a custom downloader that the malicious actor had not employed in previous variants, specifically during the staging phase of the infection routine.<\/p>\n<p>In late April we also noticed another variant of the ransomware, this time targeting two organizations based in Asia. This blog entry focuses on our analysis of the latest samples uncovered from this period.<\/p>\n<p>While the updates to Cuba ransomware did not change much in terms of overall functionality, we have reason to believe that the updates aim to optimize its execution, minimize unintended system behavior, and provide technical support to the ransomware victims if they choose to negotiate.<\/p>\n<p>Our analysis of the new variant revealed that the malicious actor added the following processes and services to the list of those it terminates. The list mixes Windows service names (for example MSSQLSERVER and the MSExchange* services) with process image names (for example sqlservr.exe and vmwp.exe); stopping them presumably releases the database, mailbox, and virtual-machine files these services keep open so that they can be encrypted, which also makes a sudden, scripted stop of these services a useful detection signal:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">MySQL<\/span><\/li>\n<li><span class=\"rte-red-bullet\">MySQL80<\/span><\/li>\n<li><span class=\"rte-red-bullet\">SQLSERVERAGENT<\/span><\/li>\n<li><span class=\"rte-red-bullet\">MSSQLSERVER<\/span><\/li>\n<li><span class=\"rte-red-bullet\">SQLWriter<\/span><\/li>\n<li><span class=\"rte-red-bullet\">SQLTELEMETRY<\/span><\/li>\n<li><span class=\"rte-red-bullet\">MSDTC<\/span><\/li>\n<li><span class=\"rte-red-bullet\">SQLBrowser<\/span><\/li>\n<li><span class=\"rte-red-bullet\">sqlagent.exe<\/span><\/li>\n<li><span class=\"rte-red-bullet\">sqlservr.exe<\/span><\/li>\n<li><span class=\"rte-red-bullet\">sqlwriter.exe<\/span><\/li>\n<li><span class=\"rte-red-bullet\">sqlceip.exe<\/span><\/li>\n<li><span class=\"rte-red-bullet\">msdtc.exe<\/span><\/li>\n<li><span class=\"rte-red-bullet\">sqlbrowser.exe<\/span><\/li>\n<li><span class=\"rte-red-bullet\">vmcompute<\/span><\/li>\n<li><span 
class=\"rte-red-bullet\">vmms<\/span><\/li>\n<li><span class=\"rte-red-bullet\">vmwp.exe<\/span><\/li>\n<li><span class=\"rte-red-bullet\">vmsp.exe<\/span><\/li>\n<li><span class=\"rte-red-bullet\">outlook.exe<\/span><\/li>\n<li><span class=\"rte-red-bullet\">MSExchangeUMCR<\/span><\/li>\n<li><span class=\"rte-red-bullet\">MSExchangeUM<\/span><\/li>\n<li><span class=\"rte-red-bullet\">MSExchangeTransportLogSearch<\/span><\/li>\n<li><span class=\"rte-red-bullet\">MSExchangeTransport<\/span><\/li>\n<li><span class=\"rte-red-bullet\">MSExchangeThrottling<\/span><\/li>\n<li><span class=\"rte-red-bullet\">MSExchangeSubmission<\/span><\/li>\n<li><span class=\"rte-red-bullet\">MSExchangeServiceHost<\/span><\/li>\n<li><span class=\"rte-red-bullet\">MSExchangeRPC<\/span><\/li>\n<li><span class=\"rte-red-bullet\">MSExchangeRepl<\/span><\/li>\n<li><span class=\"rte-red-bullet\">MSExchangePOP3BE<\/span><\/li>\n<li><span class=\"rte-red-bullet\">MSExchangePop3<\/span><\/li>\n<li><span class=\"rte-red-bullet\">MSExchangeNotificationsBroker<\/span><\/li>\n<li><span class=\"rte-red-bullet\">MSExchangeMailboxReplication<\/span><\/li>\n<li><span class=\"rte-red-bullet\">MSExchangeMailboxAssistants<\/span><\/li>\n<li><span class=\"rte-red-bullet\">MSExchangeIS<\/span><\/li>\n<li><span class=\"rte-red-bullet\">MSExchangeIMAP4BE<\/span><\/li>\n<li><span class=\"rte-red-bullet\">MSExchangeImap4<\/span><\/li>\n<li><span class=\"rte-red-bullet\">MSExchangeHMRecovery<\/span><\/li>\n<li><span class=\"rte-red-bullet\">MSExchangeHM<\/span><\/li>\n<li><span class=\"rte-red-bullet\">MSExchangeFrontEndTransport<\/span><\/li>\n<li><span class=\"rte-red-bullet\">MSExchangeFastSearch<\/span><\/li>\n<li><span class=\"rte-red-bullet\">MSExchangeEdgeSync<\/span><\/li>\n<li><span class=\"rte-red-bullet\">MSExchangeDiagnostics<\/span><\/li>\n<li><span class=\"rte-red-bullet\">MSExchangeDelivery<\/span><\/li>\n<li><span class=\"rte-red-bullet\">MSExchangeDagMgmt<\/span><\/li>\n<li><span 
class=\"rte-red-bullet\">MSExchangeCompliance<\/span><\/li>\n<li><span class=\"rte-red-bullet\">MSExchangeAntispamUpdate<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Microsoft.Exchange.Store.Worker.exe<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/f\/cuba-ransomware-group%27s-new-variant-found-using-optimized-infection-techniques\/cuba01.png\" alt=\"Figure 1. Screenshot of the list of processes and services that the Cuba ransomware seeks to terminate\"><figcaption>Figure 1. Screenshot of the list of processes and services that the Cuba ransomware seeks to terminate<\/figcaption><\/figure>\n<\/p><\/div>\n<div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<p><span class=\"rte-red-bullet\"><\/span>Another apparent change is the expansion of the safelisted directories and file extensions that it will avoid encrypting:<\/p>\n<p><b>Directory Safelist:<\/b><\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">\\windows\\<\/span><\/li>\n<li><span class=\"rte-red-bullet\">\\program files\\microsoft office\\<\/span><\/li>\n<li><span class=\"rte-red-bullet\">\\program files (x86)\\microsoft office\\<\/span><\/li>\n<li><span class=\"rte-red-bullet\">\\program files\\avs\\<\/span><\/li>\n<li><span class=\"rte-red-bullet\">\\program files (x86)\\avs\\<\/span><\/li>\n<li><span class=\"rte-red-bullet\">\\$recycle.bin\\<\/span><\/li>\n<li><span class=\"rte-red-bullet\">\\boot\\<\/span><\/li>\n<li><span class=\"rte-red-bullet\">\\recovery\\<\/span><\/li>\n<li><span class=\"rte-red-bullet\">\\system volume information\\<\/span><\/li>\n<li><span class=\"rte-red-bullet\">\\msocache\\<\/span><\/li>\n<li><span class=\"rte-red-bullet\">\\users\\all users\\<\/span><\/li>\n<li><span class=\"rte-red-bullet\">\\users\\default user\\<\/span><\/li>\n<li><span 
class=\"rte-red-bullet\">\\users\\default\\<\/span><\/li>\n<li><span class=\"rte-red-bullet\">\\temp\\<\/span><\/li>\n<li><span class=\"rte-red-bullet\">\\inetcache\\<\/span><\/li>\n<li><span class=\"rte-red-bullet\">\\google\\<\/span><\/li>\n<\/ul>\n<p><b>Extension Safelist:<\/b><\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">.exe<\/span><\/li>\n<li><span class=\"rte-red-bullet\">.dll<\/span><\/li>\n<li><span class=\"rte-red-bullet\">.sys<\/span><\/li>\n<li><span class=\"rte-red-bullet\">.ini<\/span><\/li>\n<li><span class=\"rte-red-bullet\">.lnk<\/span><\/li>\n<li><span class=\"rte-red-bullet\">.vbm<\/span><\/li>\n<li><span class=\"rte-red-bullet\">.cuba<\/span><\/li>\n<\/ul>\n<p>Excluding executables, libraries, and drivers presumably keeps the host bootable so the victim can still read the ransom note and negotiate, while excluding .cuba (which appears to be the extension appended to encrypted files) prevents files that have already been encrypted from being processed again.<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/f\/cuba-ransomware-group%27s-new-variant-found-using-optimized-infection-techniques\/cuba02.png\" alt=\"Figure 2. Array of directories it excludes from encryption\"><figcaption>Figure 2. Array of directories it excludes from encryption<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"35.874732334047\">\n<div readability=\"17.69164882227\">\n<p>We compared the new variant used in late April 2022 with the previous ones and found that the new variant lacks several of the commands and functions that the earlier ones carried. The malicious actors retained only two commands in the new variant, both of them location-related phrases that presumably select whether local drives or network locations are targeted for encryption. These are as follows:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">local<\/span><\/li>\n<li><span class=\"rte-red-bullet\">network<\/span><\/li>\n<\/ul>\n<p>Notably, the wording of the ransom note used in the latest variant (see Figure 4) differs from the one the malicious actors used in the samples we analyzed in March this year, but the onion site indicated in both ransom notes is the same. 
The ransom note used in late April 2022 explicitly states that they will publish exfiltrated data on their Tor site if the victims refuse to negotiate after three days, an apparent use of the <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/cybercrime-and-digital-threats\/ransomware-double-extortion-and-beyond-revil-clop-and-conti\">double extortion<\/a> technique. The ransomware gang did not clearly state the threat of publication of stolen data in the ransom note dropped in March 2022 (see Figure 3).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/f\/cuba-ransomware-group%27s-new-variant-found-using-optimized-infection-techniques\/cuba03blurred.png\" alt=\"Figure 3. Cuba ransomware\u2019s ransom note retrieved from samples that we analyzed in March 2022\"><figcaption>Figure 3. Cuba ransomware\u2019s ransom note retrieved from samples that we analyzed in March 2022<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>Another new feature of the latest ransom note is the addition of quTox, a means for technical support to the ransomware victims to facilitate ransom payment negotiation.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/f\/cuba-ransomware-group%27s-new-variant-found-using-optimized-infection-techniques\/cuba04blurred.png\" alt=\"Figure 4. Cuba ransomware\u2019s ransom note retrieved from samples analyzed in late April 2022, with mention of quTox as technical support to facilitate ransom payment negotiations\"><figcaption>Figure 4. 
Cuba ransomware\u2019s ransom note retrieved from samples analyzed in late April 2022, with mention of quTox as technical support to facilitate ransom payment negotiations<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"39.078947368421\">\n<div readability=\"25.734916559692\">\n<p>We are still investigating the latest set of samples and have yet to establish the entire infection chain for the new Cuba ransomware variant. As mentioned, the indicators commonly seen in most of the recent infections were not present in the latest samples we examined, so detection should not rely on those earlier indicators alone. Moreover, our detections of new samples in May suggest that Cuba ransomware\u2019s attacks will persist in the coming months, likely with further updates to the malware, as is par for the course.<\/p>\n<p><b><span class=\"body-subhead-title\">Recommendations<\/span><\/b><\/p>\n<p>As new malware variants emerge, a proactive cybersecurity stance is important to ensure that organizations are protected against modern ransomware threats. To defend systems against similar attacks, organizations can establish security frameworks that systematically allocate resources based on an enterprise\u2019s needs.&nbsp;<\/p>\n<p>The behavior described above also points to a few concrete controls: keep backups that a compromised domain-joined host cannot alter or delete, alert on unexpected stops of SQL Server, Exchange, and virtualization (vmms, vmcompute) services, which this variant terminates as a group, and limit the network shares reachable from any single host, since the variant retains a network option.<\/p>\n<p>Consider following the security frameworks established by the <a href=\"https:\/\/www.cisecurity.org\/controls\/\" target=\"_blank\" rel=\"noopener\">Center for Internet Security<\/a> and the <a href=\"https:\/\/www.nist.gov\/cyberframework\" target=\"_blank\" rel=\"noopener\">National Institute of Standards and Technology<\/a> when developing your own cybersecurity strategies. The frameworks they created help security teams mitigate risks and minimize exposure to threats. Implementing the best practices discussed in their respective frameworks can save organizations time and effort when they customize their own. 
Their frameworks guide organizations through the whole process of planning while providing suggestions on measures that need to be established first.<\/p>\n<p><b><span class=\"body-subhead-title\">Indicators of Compromise (IOCs)<\/span><\/b><\/p>\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\">\n<tbody readability=\"2\">\n<tr>\n<td><b>SHA256<\/b><\/td>\n<td><b>Trend Micro Detection<\/b><\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>89288de628b402621007c7ebb289233e7568307fb12a33aac7e834504c17b4af&nbsp;<\/td>\n<td>Ransom.Win32.BACUCRYPT.YPCD2T<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Note that a single file hash is a brittle indicator: the authors are actively updating the binary, so the next build will not match it. Pair the hash with the behavioral indicators described above, such as the coordinated termination of SQL Server, Exchange, and virtualization services, the .cuba file extension in the safelist, and the ransom note referencing quTox.<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<section class=\"tag--list\">\n<p>Tags<\/p>\n<\/section>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <!-- \/* Core functionality javascripts, absolute URL to leverage Akamai CDN *\/ --> <!--For Modal-start--> <\/p>\n<p> <span>sXpIBdPeKzI9PC2p0SWMpUSM2NSxWzPyXTMLlbXmYa0R20xk<\/span> <\/p>\n<p> <!--For Modal-end--> <!-- Go to www.addthis.com\/dashboard to customize your tools --> <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/f\/cuba-ransomware-group-s-new-variant-found-using-optimized-infect.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Trend Micro Research observed the resurgence of the Cuba ransomware group that launched a new malware variant using different infection techniques compared to past iterations. We discuss our initial findings in this report. 
Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":47036,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9508,9539,9509],"class_list":["post-47035","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-endpoints","tag-trend-micro-research-ransomware","tag-trend-micro-research-research"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Cuba Ransomware Group\u2019s New Variant Found Using Optimized Infection Techniques 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/cuba-ransomware-groups-new-variant-found-using-optimized-infection-techniques\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Cuba Ransomware Group\u2019s New Variant Found Using Optimized Infection Techniques 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/cuba-ransomware-groups-new-variant-found-using-optimized-infection-techniques\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2022-06-08T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/f\/cuba-ransomware-group's-new-variant-found-using-optimized-infection-techniques\/CubaMainResized.jpg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cuba-ransomware-groups-new-variant-found-using-optimized-infection-techniques\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cuba-ransomware-groups-new-variant-found-using-optimized-infection-techniques\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Cuba Ransomware Group\u2019s New Variant Found Using Optimized Infection Techniques\",\"datePublished\":\"2022-06-08T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cuba-ransomware-groups-new-variant-found-using-optimized-infection-techniques\\\/\"},\"wordCount\":897,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cuba-ransomware-groups-new-variant-found-using-optimized-infection-techniques\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/06\\\/cuba-ransomware-groups-new-variant-found-using-optimized-infection-techniques.png\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Endpoints\",\"Trend Micro Research : Ransomware\",\"Trend Micro Research : Research\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cuba-ransomware-groups-new-variant-found-using-optimized-infection-techniques\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cuba-ransomware-groups-new-variant-found-using-optimized-infection-techniques\\\/\",\"name\":\"Cuba Ransomware 
Group\u2019s New Variant Found Using Optimized Infection Techniques 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cuba-ransomware-groups-new-variant-found-using-optimized-infection-techniques\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cuba-ransomware-groups-new-variant-found-using-optimized-infection-techniques\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/06\\\/cuba-ransomware-groups-new-variant-found-using-optimized-infection-techniques.png\",\"datePublished\":\"2022-06-08T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cuba-ransomware-groups-new-variant-found-using-optimized-infection-techniques\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cuba-ransomware-groups-new-variant-found-using-optimized-infection-techniques\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cuba-ransomware-groups-new-variant-found-using-optimized-infection-techniques\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/06\\\/cuba-ransomware-groups-new-variant-found-using-optimized-infection-techniques.png\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/06\\\/cuba-ransomware-groups-new-variant-found-using-optimized-infection-techniques.png\",\"width\":582,\"height\":598},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cuba-
ransomware-groups-new-variant-found-using-optimized-infection-techniques\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Cuba Ransomware Group\u2019s New Variant Found Using Optimized Infection Techniques\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Cuba Ransomware Group\u2019s New Variant Found Using Optimized Infection Techniques 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/cuba-ransomware-groups-new-variant-found-using-optimized-infection-techniques\/","og_locale":"en_US","og_type":"article","og_title":"Cuba Ransomware Group\u2019s New Variant Found Using Optimized Infection Techniques 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/cuba-ransomware-groups-new-variant-found-using-optimized-infection-techniques\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2022-06-08T00:00:00+00:00","og_image":[{"url":"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/f\/cuba-ransomware-group's-new-variant-found-using-optimized-infection-techniques\/CubaMainResized.jpg","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. 
reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/cuba-ransomware-groups-new-variant-found-using-optimized-infection-techniques\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/cuba-ransomware-groups-new-variant-found-using-optimized-infection-techniques\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Cuba Ransomware Group\u2019s New Variant Found Using Optimized Infection Techniques","datePublished":"2022-06-08T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/cuba-ransomware-groups-new-variant-found-using-optimized-infection-techniques\/"},"wordCount":897,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/cuba-ransomware-groups-new-variant-found-using-optimized-infection-techniques\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/06\/cuba-ransomware-groups-new-variant-found-using-optimized-infection-techniques.png","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Endpoints","Trend Micro Research : Ransomware","Trend Micro Research : Research"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/cuba-ransomware-groups-new-variant-found-using-optimized-infection-techniques\/","url":"https:\/\/www.threatshub.org\/blog\/cuba-ransomware-groups-new-variant-found-using-optimized-infection-techniques\/","name":"Cuba Ransomware Group\u2019s New Variant Found Using Optimized Infection Techniques 2026 | ThreatsHub Cybersecurity 
News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/cuba-ransomware-groups-new-variant-found-using-optimized-infection-techniques\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/cuba-ransomware-groups-new-variant-found-using-optimized-infection-techniques\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/06\/cuba-ransomware-groups-new-variant-found-using-optimized-infection-techniques.png","datePublished":"2022-06-08T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/cuba-ransomware-groups-new-variant-found-using-optimized-infection-techniques\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/cuba-ransomware-groups-new-variant-found-using-optimized-infection-techniques\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/cuba-ransomware-groups-new-variant-found-using-optimized-infection-techniques\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/06\/cuba-ransomware-groups-new-variant-found-using-optimized-infection-techniques.png","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/06\/cuba-ransomware-groups-new-variant-found-using-optimized-infection-techniques.png","width":582,"height":598},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/cuba-ransomware-groups-new-variant-found-using-optimized-infection-techniques\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, 
Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"Cuba Ransomware Group\u2019s New Variant Found Using Optimized Infection Techniques"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH 
Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/47035","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=47035"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/47035\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/47036"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=47035"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=47035"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=47035"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}