TTPs for  Cuba



Sponsored by Hudson RockUse Hudson Rock's free cybercrime intelligence tools to learn how Infostealer infections are impacting your business

Initial Access (TA0001) Execution (TA0002) Defense Evasion (TA0005) Credential Access (TA0006) Discovery (TA0007) Lateral Movement (TA0008) Command and Control (TA0011)
External Remote Services (T1133)
Cuba ransomware operators used external remote services for initial access.
Native API (T1106)
Cuba ransomware used native API calls to execute malicious behaviors.
Masquerading: Match Legitimate Name or Location (T1036.005)
The ransomware used legitimate names or locations to evade detection.
Exploitation for Credential Access (T1212)
Cuba ransomware operators exploited vulnerabilities to gain credential access.
Time Discovery (T1124)
Cuba ransomware operators performed time discovery on infected systems.
Tool Transfer (T1570)
Cuba ransomware operators used tool transfer for lateral movement.
Remote Desktop Protocol (T1219)
The operators used Remote Desktop Protocol (RDP) for command and control.
Valid Accounts: Local Accounts (T1078.003)
Operators leveraged valid local accounts for initial access.
User Execution: Malicious File (T1204.002)
Malicious files were used to trick users into executing ransomware.
Exploitation for Privilege Escalation (T1068)
Cuba ransomware exploited vulnerabilities to escalate privileges.
Remote Services: External Remote Services (T1021.002)
Remote services were used to gain access to systems during the attack.
Network Share Discovery (T1135)
Network shares were enumerated by the ransomware.
External Remote Services (T1333)
Operators utilized external remote services to move laterally within the network.
Multi-hop Proxy (T1090.003)
Cuba ransomware operators used multi-hop proxies to obfuscate communication.
Command and Scripting Interpreter: PowerShell (T1059.001)
Cuba ransomware operators executed PowerShell commands during the attack.
Remote System Discovery (T1018)
Remote systems were discovered using built-in utilities.
Application Layer Protocol: DNS (T1071.004)
DNS was used as a protocol for command and control communication.
Command and Scripting Interpreter: Windows Command Shell (T1059.003)
The Windows Command Shell was used to execute various commands during the attack.
File and Directory Discovery (T1083)
Files and directories were enumerated during the attack.
Application Layer Protocol: Web Protocols (T1071.001)
Web protocols such as HTTP and HTTPS were used for communication.
System Services: Service Execution (T1569.002)
Cuba ransomware was executed using Windows system services.
Process Discovery (T1057)
Running processes were identified during the attack.
Network Configuration Discovery: Network Connection Enumeration (T1016.001)
Network connections were enumerated for discovery purposes.

This information is provided by Crocodyli or Ransomware.live