Cuba
The Cuba Ransomware, also known as Colddraw Ransomware, was first identified in the threat landscape in 2019 and built a relatively small but selected list of victims. The group is also known as Fidel Ransomware, due to a characteristic marker placed at the beginning of all encrypted files. This file marker is used as an indicator for the ransomware and its decoder that the file has been encrypted.
Despite its name and the Cuban nationalist style on its leak site, it is difficult to assert any connection or affiliation with the Republic of Cuba. The group has been linked to a Russian-language threat actor by Profero researchers due to some details of incorrect translation they discovered, as well as the discovery of a 404 page containing text in Russian on the threat actor's own leak site.
According to BlackBerry, based on the analysis of the code strings used in the campaign analyzed in 2023, there were indications that the developer behind the Cuba ransomware speaks Russian.
The ransomware operators use a double extortion approach, and following the USA, in August 2022, it was believed that the Cuba ransomware group had compromised 101 entities, demanding $145 million in ransom payments and receiving up to $60 million.
The group used a similar set of TTPs, with only a slight change each year, as they generally consist of LOLBins (executables that are part of the operating system and can be exploited to support an attack), exploits, off-the-shelf and custom malware, as well as intrusion tools like Cobalt Strike and Metasploit.
In 2022, the group allegedly developed a relationship with operators of the Industrial Spy market, using their platform as a means of data leakage.
Source: https://github.com/crocodyli/ThreatActors-TTPs
Despite its name and the Cuban nationalist style on its leak site, it is difficult to assert any connection or affiliation with the Republic of Cuba. The group has been linked to a Russian-language threat actor by Profero researchers due to some details of incorrect translation they discovered, as well as the discovery of a 404 page containing text in Russian on the threat actor's own leak site.
According to BlackBerry, based on the analysis of the code strings used in the campaign analyzed in 2023, there were indications that the developer behind the Cuba ransomware speaks Russian.
The ransomware operators use a double extortion approach, and following the USA, in August 2022, it was believed that the Cuba ransomware group had compromised 101 entities, demanding $145 million in ransom payments and receiving up to $60 million.
The group used a similar set of TTPs, with only a slight change each year, as they generally consist of LOLBins (executables that are part of the operating system and can be exploited to support an attack), exploits, off-the-shelf and custom malware, as well as intrusion tools like Cobalt Strike and Metasploit.
In 2022, the group allegedly developed a relationship with operators of the Industrial Spy market, using their platform as a means of data leakage.
Source: https://github.com/crocodyli/ThreatActors-TTPs
External information
Victims
105
First Discovered
victim2021-02-03
Last Discovered
victim2024-02-01
Avg Delay
between attack and claim4 days
Infostealer
for victim with domain0.0%
Known Locations (2)
| Favicon | Title | Type | Available | Last Visit | FQDN | |
|---|---|---|---|---|---|---|
|
None | No | 2025-06-01 21:18:24 | cuba4mp6ximo2zlo.onion |
||
|
Cuba | No | 2025-06-01 21:18:32 | cuba4ikm4jakjgmkezytyawtdgr2xymvy6nvzgw5cglswg3si76icnqd.onion |
Target (Available)
Top 5 Activity Sectors
- Financial 1
- Manufacturing 1
- Healthcare 1
Top 5 Countries
-
United Kingdom
3
-
United States
2
-
Belgium
1
-
France
1
Heatmap (Available)
Ransom Notes (1)
Tools Used (Available)
| Discovery | RMM Tools | Defense Evasion | Credential Theft | OffSec | Networking | LOLBAS | Exfiltration |
|---|---|---|---|---|---|---|---|
|
|
NetSupport
|
Avast Anti-Rootkit driver
|
Mimikatz
|
Cobalt Strike
Meterpreter
|
Termite
|
PsExec
|
|
Vulnerabilities Exploited (0)
No vulnerabilities exploited available.
TTPs Matrix (7)
| Initial Access | Execution | Defense Evasion | Discovery | Lateral Movement | Credential Access | Command and Control |
|---|---|---|---|---|---|---|
| External Remote Services | Native API | Masquerading: Match Legitimate Name or Location | Time Discovery | Tool Transfer | Exploitation for Credential Access | Remote Desktop Protocol |
| Valid Accounts: Local Accounts | User Execution: Malicious File | Exploitation for Privilege Escalation | Network Share Discovery | External Remote Services | Remote Services: External Remote Services | Multi-hop Proxy |
| Command and Scripting Interpreter: PowerShell | Remote System Discovery | Application Layer Protocol: DNS | ||||
| Command and Scripting Interpreter: Windows Command Shell | File and Directory Discovery | Application Layer Protocol: Web Protocols | ||||
| System Services: Service Execution | Process Discovery | |||||
| Network Configuration Discovery: Network Connection Enumeration |
Negotiation Chats (0)
No negotiation chats available.
YARA Rules (0)
No YARA rules available.
Indicators of Compromise (IoCs) (0)
No IoCs available for this group.
Victims (105)
dms-imaging
Cuba
Discovery Date: 2024-02-01
DMS is a French industrial company specialized in digital radiology, with an international reach, an...
deknudtframes.be
Cuba
Discovery Date: 2024-01-22
Estimated Attack Date: 2024-01-18
Estimated Attack Date: 2024-01-18
Our teamOur team in Deerlijk consists of enthusiastic and motivated people with passion for their pr...
diagnostechs
Cuba
Discovery Date: 2023-11-14
HistoryEstablished in 1987, DiagnosTechs was the first laboratory to introduce saliva hormone testin...
portadelaidefc
Cuba
Discovery Date: 2023-11-13
PORT ADELAIDE is renowned for setting the bar high and expecting success, and the club’s latest stra...
Newconcepttech
Cuba
Discovery Date: 2023-10-23
FROM A SINGLE START-UP TO A MULTI-MILLION DOLLAR COMPANYOur prosperity is due to three interlocking ...
mountstmarys
Cuba
Discovery Date: 2023-10-10
Mount St Mary’s is rightly proud of its extensive heritage dating back over 160 years. The original ...
co.rock.wi.us
Cuba
Discovery Date: 2023-10-03
Rock County Public Health DepartmentThe Rock County Public Health Department (RCPHD) is a level III ...
goldmedalbakery
Cuba
Discovery Date: 2023-08-19
Gold Medal Bakery aspires to follow three core values in every aspect of its business.Integrity: Gol...
hydrex.co.uk
Cuba
Discovery Date: 2023-07-31
Established in 1985, with 13 depots and one support centre nationwide, Hydrex is one of the largest ...
txmplant.co.uk
Cuba
Discovery Date: 2023-07-31
At TXM Plant we know that the services we provide are critical to the success of our customers’ proj...
gis4.addison-il
Cuba
Discovery Date: 2023-07-11
More than 36,000 people call the Village of Addison home. Whether you are new to our community, or ...
Gihealthcare
Cuba
Discovery Date: 2023-05-04
Your health is our top priority. We specialize in digestive system care and will guide you through e...
The Squamish Nation is comprised of descendants of the Coast Salish Aboriginal peoples who
Cuba
Discovery Date: 2021-09-09
N/A
First Coast Logistics Services, Inc. was founded in 1999. The Company's line of business i
Cuba
Discovery Date: 2021-09-09
N/A
Datamatics is a technology company that builds intelligent solutions enabling data-driven
Cuba
Discovery Date: 2021-09-09
N/A
AFTS supplies the preeminent Payment Processing, IRS 1031 Exchange, Data Processing, Invoi
Cuba
Discovery Date: 2021-09-09
N/A
OTR Capital believes in simple and straightforward transactions, without hidden costs and
Cuba
Discovery Date: 2021-09-09
N/A
Automatic Funds Transfer Services Inc. (vendor to city of Bainbridge Island)
Cuba
Discovery Date: 2021-02-03
N/A