Ransomware.live: cuba

The Cuba Ransomware, also known as Colddraw Ransomware, was first identified in the threat landscape in 2019 and built a relatively small but selected list of victims. The group is also known as Fidel Ransomware, due to a characteristic marker placed at the beginning of all encrypted files. This file marker is used as an indicator for the ransomware and its decoder that the file has been encrypted.

Despite its name and the Cuban nationalist style on its leak site, it is difficult to assert any connection or affiliation with the Republic of Cuba. The group has been linked to a Russian-language threat actor by Profero researchers due to some details of incorrect translation they discovered, as well as the discovery of a 404 page containing text in Russian on the threat actor's own leak site.

According to BlackBerry, based on the analysis of the code strings used in the campaign analyzed in 2023, there were indications that the developer behind the Cuba ransomware speaks Russian.

The ransomware operators use a double extortion approach, and following the USA, in August 2022, it was believed that the Cuba ransomware group had compromised 101 entities, demanding $145 million in ransom payments and receiving up to $60 million.

The group used a similar set of TTPs, with only a slight change each year, as they generally consist of LOLBins (executables that are part of the operating system and can be exploited to support an attack), exploits, off-the-shelf and custom malware, as well as intrusion tools like Cobalt Strike and Metasploit.

In 2022, the group allegedly developed a relationship with operators of the Industrial Spy market, using their platform as a means of data leakage.
Source: https://github.com/crocodyli/ThreatActors-TTPs

Victims

103

First Discovered

2021-02-03

victim

Last Discovered

2024-02-01

victim

Inactive Since

2yrs

more than

Avg Delay

days

Infostealer

41.7%

victims with domain

Countries

hit

View Victims on World Map View Group Statistics

Known Locations (2)

Favicon	Title	Type	Available	Last Visit	Server Info	FQDN
			No	2026-04-28T07:21:48		`cuba4mp6ximo2zlo.onion`
	Cuba		No	2026-04-28T07:22:15		`cuba4ikm4jakjgmkezytyawtdgr2xymvy6nvzgw5cglswg3si76icnqd.onion`

Target

Heatmap

Ransom Notes (1)

Tools Used

This information is provided by Ransomware-Tool-Matrix
Discovery	RMM Tools	Defense Evasion	Credential Theft	OffSec	Networking	LOLBAS	Exfiltration
placeholder placeholder	NetSupport placeholder	Avast Anti-Rootkit driver placeholder	Mimikatz placeholder	Cobalt Strike Meterpreter	Termite placeholder	PsExec placeholder	placeholder placeholder

TTPs Matrix (7)

This information is provided by Crocodyli & Ransomware.live
Initial Access	Execution	Defense Evasion	Credential Access	Discovery	Lateral Movement	Command and Control
Valid Accounts: Local Accounts	Command and Scripting Interpreter: PowerShell	Masquerading: Match Legitimate Name or Location	Remote Services: External Remote Services	Network Configuration Discovery: Network Connection Enumeration	External Remote Services	Application Layer Protocol: Web Protocols
External Remote Services	Command and Scripting Interpreter: Windows Command Shell	Exploitation for Privilege Escalation	Exploitation for Credential Access	Remote System Discovery	Tool Transfer	Application Layer Protocol: DNS
	Native API			Process Discovery		Multi-hop Proxy
	User Execution: Malicious File			File and Directory Discovery		Remote Desktop Protocol
	System Services: Service Execution			Time Discovery
				Network Share Discovery

YARA Rules (1)

Indicators of Compromise (IoCs) (3)

Email 3

Type	IOC
`Email`	`admin@cuba-supp.com`
`Email`	`cuba_support@exploit.im`
`Email`	`roselondon@cock.li`

Cuba / Colddraw