Image: The Record

CISA: Cuba ransomware group has stolen $60 million from at least 100 organizations

The Cuba ransomware group has launched attacks against 100 organizations around the world and brought in $60 million between December 2021 and August 2022, according to a new advisory from the Cybersecurity and Infrastructure Security Agency (CISA) and FBI.

The two agencies also said there is no indication that the group is based in or has any connection to the Republic of Cuba.

The advisory follows a December 2021 release from the FBI that found the group earned at least $43.9 million from ransom payments after attacks on at least 49 entities in five critical infrastructure sectors.

CISA said that since the FBI flash report, the number of U.S. entities attacked by the Cuba ransomware group has doubled and the amount of ransoms demanded and paid has increased.

The group has continued to target the same five critical infrastructure sectors: financial services, government facilities, healthcare and public health, critical manufacturing, and information technology.

Cuba ransomware actors have demanded at least $145 million in payments over the last 9 months, according to CISA data. 

The notice also links the ransomware actors to people behind other malicious tools like the RomCom Remote Access Trojan and the Industrial Spy ransomware. 

Much of the advisory included information spotlighted by the FBI in December 2021, including the fact that the group distributes the Cuba ransomware through Hancitor — a loader known for dropping or executing stealers, such as Remote Access Trojans (RATs) and other types of ransomware, onto victims’ networks.

CISA cited a report from Palo Alto Networks that found Cuba ransomware actors typically exploit vulnerabilities like CVE-2022-24521 – a vulnerability affecting Windows Common Log File System Driver that CISA said in April was being exploited – and CVE-2020-1472, one of the most routinely exploited vulnerabilities in 2020

The Palo Alto Networks report added that the group used a variety of tools to evade detection, including a tool that “terminates security products.”

The group typically extorts victims by threatening to leak stolen data and since May 2022, has moved from marketing the stolen information on their own leak site to selling it on the Industrial Spy online market – a platform rife with stolen data. 

The group was previously implicated in a wide-ranging ransomware attack on the government of Montenegro that crippled the country for weeks in September.


The report comes on the same day that the group claimed to have attacked German media firm Landau Media. The company confirmed it had been attacked in a notice on its website, warning visitors not to engage with anything on the site. 

"We have been the victim of a targeted cyberattack. We do not know whether our customers' systems are also at risk from the cyberattack. We therefore ask you to be careful when using our online services and environments," the company said on Thursday.

"Unfortunately, our production systems are also partially affected. We are working on a solution as soon as possible!"

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles

Jonathan Greig

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.