Cuba / Colddraw

The Cuba Ransomware, also known as Colddraw Ransomware, was first identified in the threat landscape in 2019 and built a relatively small but selected list of victims. The group is also known as Fidel Ransomware, due to a characteristic marker placed at the beginning of all encrypted files. This file marker is used as an indicator for the ransomware and its decoder that the file has been encrypted.

Despite its name and the Cuban nationalist style on its leak site, it is difficult to assert any connection or affiliation with the Republic of Cuba. The group has been linked to a Russian-language threat actor by Profero researchers due to some details of incorrect translation they discovered, as well as the discovery of a 404 page containing text in Russian on the threat actor's own leak site.

According to BlackBerry, based on the analysis of the code strings used in the campaign analyzed in 2023, there were indications that the developer behind the Cuba ransomware speaks Russian.

The ransomware operators use a double extortion approach, and following the USA, in August 2022, it was believed that the Cuba ransomware group had compromised 101 entities, demanding $145 million in ransom payments and receiving up to $60 million.

The group used a similar set of TTPs, with only a slight change each year, as they generally consist of LOLBins (executables that are part of the operating system and can be exploited to support an attack), exploits, off-the-shelf and custom malware, as well as intrusion tools like Cobalt Strike and Metasploit.

In 2022, the group allegedly developed a relationship with operators of the Industrial Spy market, using their platform as a means of data leakage.
Source: https://github.com/crocodyli/ThreatActors-TTPs

Victims

105

First Discovered

2021-02-03

victim

Last Discovered

2024-02-01

victim

Inactive Since

2yrs

more than

Avg Delay

days

Infostealer

0.0%

victims with domain

View Victims on World Map

View group statistics

Known Locations (2)

Favicon	Title	Type	Available	Last Visit	Server Info	FQDN
	None		No	2025-06-01 21:18:24		`cuba4mp6ximo2zlo.onion`
	Cuba		No	2025-06-01 21:18:32		`cuba4ikm4jakjgmkezytyawtdgr2xymvy6nvzgw5cglswg3si76icnqd.onion`

Target (Available)

Heatmap (Available)

Ransom Notes (1)

Tools Used (Available)

This information is provided by Ransomware-Tool-Matrix
Discovery	RMM Tools	Defense Evasion	Credential Theft	OffSec	Networking	LOLBAS	Exfiltration
placeholder placeholder	NetSupport placeholder	Avast Anti-Rootkit driver placeholder	Mimikatz placeholder	Cobalt Strike Meterpreter	Termite placeholder	PsExec placeholder	placeholder placeholder

Vulnerabilities Exploited (0)

TTPs Matrix (7)

This information is provided by Crocodyli & Ransomware.live
Initial Access	Execution	Defense Evasion	Discovery	Lateral Movement	Credential Access	Command and Control
External Remote Services	Native API	Masquerading: Match Legitimate Name or Location	Time Discovery	Tool Transfer	Exploitation for Credential Access	Remote Desktop Protocol
Valid Accounts: Local Accounts	User Execution: Malicious File	Exploitation for Privilege Escalation	Network Share Discovery	External Remote Services	Remote Services: External Remote Services	Multi-hop Proxy
	Command and Scripting Interpreter: PowerShell		Remote System Discovery			Application Layer Protocol: DNS
	Command and Scripting Interpreter: Windows Command Shell		File and Directory Discovery			Application Layer Protocol: Web Protocols
	System Services: Service Execution		Process Discovery
			Network Configuration Discovery: Network Connection Enumeration

Negotiation Chats (0)

YARA Rules (0)