[ACCESS GRANTED] /// TATT-DB: ACTOR PROFILE LOADED ///

> Cuba Ransomware

[pwnbase.io V.2.1.0_FUI]

/// CORE METADATA
PRIMARY ROLE: Ransomware as a Service (RaaS) Operator
STATUS: ACTIVE / HIGH THREAT
MOTIVATION: Financial
TARGETS: US Critical Infrastructure, Financial, Government
USERNAMES: Cuba
/// DATASET: MOST POPULAR BREACHES & SALES LOG (2 records)
[Financial Sector Companies] Ongoing | Data: Financial records and customer PII. Context: Exploited F5 BIG-IP vulnerabilities for access.
[Various US Critical Infrastructure] 2021-2023 | Data: Encrypted and exfiltrated sensitive data. Context: FBI alert issued in late 2021 regarding their activity.
/// TTP MAPPING: MITRE ATT&CK FRAMEWORK
| Tactic | MITRE ID | Technique | Description | Defense Focus |
|---|---|---|---|---|
| Defense Evasion | T1070.004 | Indicator Removal | Uses **Clean_up.bat** to delete various logs, including Windows event logs and PowerShell history. | Off-host log collection, file monitoring on batch scripts |
| Command and Control | T1071.001 | Application Layer Protocol | Uses a proprietary C2 tool called **HavanaCrypt** that communicates over application layer protocols. | HavanaCrypt IOCs, network traffic analysis |
| Initial Access | T1190 | Exploit Public-Facing Application | Exploits vulnerabilities in Exchange servers and F5 BIG-IP appliances (CVE-2021-22920). | Vulnerability scanning, patch management (Exchange/F5) |
/// WEAPONIZATION: KEY TOOLS & ARTIFACTS
Cuba Ransomware Encryptor [Ransomware]
HavanaCrypt [C2/Proprietary Loader]
Clean_up.bat [Defense Evasion Script]

[END OF FILE]