The Cuba Ransomware, also known as Colddraw Ransomware, was first identified in the threat landscape in 2019 and has built a relatively small but select list of victims. The group is also known as Fidel Ransomware, due to a characteristic marker placed at the beginning of all encrypted files. This file marker indicates to the ransomware and its decoder that the file has been encrypted.
Despite its name and the Cuban nationalist style on its leak site, it is difficult to assert any connection or affiliation with the Republic of Cuba. The group has been linked to a Russian-language threat actor by Profero researchers due to some details of incorrect translation they discovered, as well as the discovery of a 404 page containing text in Russian on the threat actor's own leak site.
According to BlackBerry, based on the analysis of the code strings used in the campaign analyzed in 2023, there were indications that the developer behind the Cuba ransomware speaks Russian.
The ransomware operators use a double extortion approach. According to the USA, in August 2022 the Cuba ransomware group was believed to have compromised 101 entities, demanding $145 million in ransom payments and receiving up to $60 million.
The group has used a similar set of TTPs from year to year, with only slight changes. These generally consist of LOLBins (executables that are part of the operating system and can be exploited to support an attack), exploits, off-the-shelf and custom malware, as well as intrusion tools like Cobalt Strike and Metasploit.
In 2022, the group allegedly developed a relationship with operators of the Industrial Spy market, using their platform as a means of data leakage.
Source: https://github.com/crocodyli/ThreatActors-TTPs
Victims (105)
dms-imaging
FR
Healthcare
Discovered: Feb 1, 2024 · Attack est.: Mar 19, 2026
DMS is a French industrial company specialized in digital radiology, with an international reach, and recognized as a key actor and an indispensable partner in creating value through the quality...
deknudtframes.be
BE
Manufacturing
Discovered: Jan 22, 2024 · Attack est.: Jan 18, 2024
Our team: Our team in Deerlijk consists of enthusiastic and motivated people with passion for their profession. The management, sales, logistics, purchasing, accounting, customer service and marketing are ready for you...
diagnostechs
Discovered: Nov 14, 2023 · Attack est.: Nov 14, 2023
History: Established in 1987, DiagnosTechs was the first laboratory to introduce saliva hormone testing into routine clinical practice. In 1995, DiagnosTechs added saliva and stool-based gastrointestinal and food sensitivity testing,...
portadelaidefc
Discovered: Nov 13, 2023 · Attack est.: Nov 13, 2023
PORT ADELAIDE is renowned for setting the bar high and expecting success, and the club’s latest strategic vision embraces that expectation. Unveiled at the club’s Annual General Meeting on Friday night,...
panaya
Discovered: Nov 7, 2023 · Attack est.: Nov 7, 2023
About PANAYA: Panaya’s Change Intelligence solutions reduce the time, cost, and risk involved in change to business applications like SAP®, Oracle® EBS, and Salesforce.com. Date the files were received: 02...
prime-art
Discovered: Nov 7, 2023 · Attack est.: Nov 7, 2023
For PAJ, your success is our success. Jewelry making is an art and a science. We are constantly improving and optimizing our skills while integrating cutting-edge technology. By always delivering a troy...
Newconcepttech
Discovered: Oct 23, 2023 · Attack est.: Oct 23, 2023
FROM A SINGLE START-UP TO A MULTI-MILLION DOLLAR COMPANY: Our prosperity is due to three interlocking factors: the first, being our customers, who have always come first. The second, our employees, who...
mountstmarys
Discovered: Oct 10, 2023 · Attack est.: Oct 10, 2023
Mount St Mary’s is rightly proud of its extensive heritage dating back over 160 years. The original vision to educate all young people in the local area remains at the...
co.rock.wi.us
US
Discovered: Oct 3, 2023 · Attack est.: Mar 19, 2026
Rock County Public Health Department: The Rock County Public Health Department (RCPHD) is a level III health department in Rock County, Wisconsin. Our staff serves over 160,000 people in more than...
goldmedalbakery
Discovered: Aug 19, 2023 · Attack est.: Aug 19, 2023
Gold Medal Bakery aspires to follow three core values in every aspect of its business. Integrity: Gold Medal has built its reputation on meeting the needs of our customers and the...
hydrex.co.uk
GB
Discovered: Jul 31, 2023 · Attack est.: Jul 31, 2023
Established in 1985, with 13 depots and one support centre nationwide, Hydrex is one of the largest suppliers of outsourced mobile plant solutions in the UK. Hydrex has a fleet totaling...
txmplant.co.uk
GB
Discovered: Jul 31, 2023 · Attack est.: Jul 31, 2023
At TXM Plant we know that the services we provide are critical to the success of our customers’ projects. That’s why we put the customer at the centre of everything...
gis4.addison-il
Discovered: Jul 11, 2023 · Attack est.: Jul 11, 2023
More than 36,000 people call the Village of Addison home. Whether you are new to our community, or have lived here for years, we want you to get acquainted with...
Inquirer
Discovered: May 23, 2023 · Attack est.: Mar 19, 2026
About The Philadelphia Inquirer, PBC: Since 1829, The Philadelphia Inquirer has been “asking on behalf of the people” of Philadelphia and the region by providing essential journalism. Locally owned and headquartered...
Vdi
Discovered: May 10, 2023 · Attack est.: May 10, 2023
By ensuring dignity at work, we also ensure fundamental human rights. The mission of the State Labour Inspectorate (VDI) is decent work. On October 7, marking the Day for Decent Work, the VDI reminds us that mutual respect and safety...
Gihealthcare
Discovered: May 4, 2023 · Attack est.: May 4, 2023
Your health is our top priority. We specialize in digestive system care and will guide you through every step – whether it’s a routine colon screening, major liver or pancreas...
pu.edu.lb
Discovered: Dec 27, 2022 · Attack est.: Dec 27, 2022
Phoenicia University (PU) is a non-profit, private, and nonsectarian officially licensed institution of higher education. The University comprises six colleges: Architecture and Design, Arts and Sciences, Business, Engineering, Law...
Sae-a
Discovered: Dec 20, 2022 · Attack est.: Dec 20, 2022
From yarn-production through its fabric mills that draw on new innovation and technology, to retail operations in Korea, SAE-A has become one of the few apparel manufacturers capable of...
2networkit
Discovered: Dec 12, 2022 · Attack est.: Dec 12, 2022
Landaumedia
Discovered: Dec 1, 2022 · Attack est.: Dec 1, 2022
Generator-power
Discovered: Dec 1, 2022 · Attack est.: Dec 1, 2022
Boss-inc
Discovered: Dec 1, 2022 · Attack est.: Dec 1, 2022
Patton
Discovered: Nov 30, 2022 · Attack est.: Nov 30, 2022
Pmc-group
Discovered: Nov 24, 2022 · Attack est.: Nov 24, 2022
waltersandwolf
Discovered: Nov 9, 2022 · Attack est.: Nov 9, 2022
bfw
Discovered: Nov 4, 2022 · Attack est.: Nov 4, 2022
Ville-chaville
Discovered: Nov 4, 2022 · Attack est.: Nov 4, 2022
Murphyfamilyventures
Discovered: Nov 4, 2022 · Attack est.: Nov 4, 2022
Ginspectionservices
Discovered: Nov 4, 2022 · Attack est.: Nov 4, 2022
Dialogsas
Discovered: Nov 4, 2022 · Attack est.: Nov 4, 2022
usairports
Discovered: Nov 4, 2022 · Attack est.: Nov 4, 2022
trant.co.uk
GB
Discovered: Nov 4, 2022 · Attack est.: Nov 4, 2022
the_rose_executive_team
Discovered: Nov 4, 2022 · Attack est.: Nov 4, 2022
technicote
Discovered: Nov 4, 2022 · Attack est.: Nov 4, 2022
stm.com.tw
TW
Discovered: Nov 4, 2022 · Attack est.: Nov 4, 2022
site-technology_
Discovered: Nov 4, 2022 · Attack est.: Nov 4, 2022
schultheis-ins
Discovered: Nov 4, 2022 · Attack est.: Nov 4, 2022
quercus
Discovered: Nov 4, 2022 · Attack est.: Nov 4, 2022
otrcapital
Discovered: Nov 4, 2022 · Attack est.: Nov 4, 2022
ohagin
Discovered: Nov 4, 2022 · Attack est.: Nov 4, 2022
nwdusa
Discovered: Nov 4, 2022 · Attack est.: Nov 4, 2022
ncmutuallife2
Discovered: Nov 4, 2022 · Attack est.: Nov 4, 2022
meriplex
Discovered: Nov 4, 2022 · Attack est.: Nov 4, 2022
megaforce
Discovered: Nov 4, 2022 · Attack est.: Nov 4, 2022
lycra
Discovered: Nov 4, 2022 · Attack est.: Nov 4, 2022
linkmfg
Discovered: Nov 4, 2022 · Attack est.: Nov 4, 2022
learning_resources
Discovered: Nov 4, 2022 · Attack est.: Nov 4, 2022
landofrost
Discovered: Nov 4, 2022 · Attack est.: Nov 4, 2022
innovairre
Discovered: Nov 4, 2022 · Attack est.: Nov 4, 2022
get-integrated
Discovered: Nov 4, 2022 · Attack est.: Nov 4, 2022
gascaribe
Discovered: Nov 4, 2022 · Attack est.: Nov 4, 2022
forefront_dermatology
Discovered: Nov 4, 2022 · Attack est.: Nov 4, 2022
first_coast_logistics_services
Discovered: Nov 4, 2022 · Attack est.: Nov 4, 2022
e.h._wachs_pipe_cutters
Discovered: Nov 4, 2022 · Attack est.: Nov 4, 2022
datamatics
Discovered: Nov 4, 2022 · Attack est.: Nov 4, 2022
creditriskmonitor
Discovered: Nov 4, 2022 · Attack est.: Nov 4, 2022
blackhawk
Discovered: Nov 4, 2022 · Attack est.: Nov 4, 2022
berding-weil
Discovered: Nov 4, 2022 · Attack est.: Nov 4, 2022
bcintlgroup.com
Discovered: Nov 4, 2022 · Attack est.: Nov 4, 2022
axley
Discovered: Nov 4, 2022 · Attack est.: Nov 4, 2022
afts
Discovered: Nov 4, 2022 · Attack est.: Nov 4, 2022
Skupstina
Discovered: Nov 4, 2022 · Attack est.: Nov 4, 2022
ginspectionservices
Discovered: Sep 27, 2022 · Attack est.: Sep 27, 2022
skupstina
Discovered: Aug 30, 2022 · Attack est.: Aug 30, 2022
site-technology
Discovered: Jul 21, 2022 · Attack est.: Jul 21, 2022
stm-com-tw
Discovered: Jul 7, 2022 · Attack est.: Jul 7, 2022
r1group
Discovered: Jun 27, 2022 · Attack est.: Jun 27, 2022
etron
Discovered: Jun 13, 2022 · Attack est.: Jun 13, 2022
upskwt
Discovered: May 17, 2022 · Attack est.: May 17, 2022
fronteousa
Discovered: May 16, 2022 · Attack est.: May 16, 2022
prophoenix
Discovered: Apr 22, 2022 · Attack est.: Apr 22, 2022
metrobrokers
Discovered: Apr 22, 2022 · Attack est.: Apr 22, 2022
tavistock
Discovered: Apr 12, 2022 · Attack est.: Apr 12, 2022
metagenics
Discovered: Apr 8, 2022 · Attack est.: Apr 8, 2022
bcintlgroup-com
Discovered: Mar 30, 2022 · Attack est.: Mar 30, 2022
trant-co-uk
Discovered: Mar 30, 2022 · Attack est.: Mar 30, 2022
haltonhills
Discovered: Mar 23, 2022 · Attack est.: Mar 23, 2022
powertech
Discovered: Mar 23, 2022 · Attack est.: Mar 23, 2022
ids97
Discovered: Feb 25, 2022 · Attack est.: Feb 25, 2022
muntons
Discovered: Feb 18, 2022 · Attack est.: Feb 18, 2022
heritage-encon
Discovered: Feb 18, 2022 · Attack est.: Feb 18, 2022
shoesforcrews
Discovered: Feb 4, 2022 · Attack est.: Feb 4, 2022
edgo
Discovered: Feb 4, 2022 · Attack est.: Feb 4, 2022
cmmcpas
Discovered: Feb 4, 2022 · Attack est.: Feb 4, 2022
mtlcraft
Discovered: Jan 25, 2022 · Attack est.: Jan 25, 2022
superfund
Discovered: Jan 13, 2022 · Attack est.: Jan 13, 2022
fdcbuilding
Discovered: Jan 13, 2022 · Attack est.: Jan 13, 2022
strongwell
Discovered: Jan 10, 2022 · Attack est.: Jan 10, 2022
sonomatic-2
Discovered: Jan 10, 2022 · Attack est.: Jan 10, 2022
regulvar
Discovered: Jan 10, 2022 · Attack est.: Jan 10, 2022
delinebox
Discovered: Jan 10, 2022 · Attack est.: Jan 10, 2022
cle
Discovered: Jan 10, 2022 · Attack est.: Jan 10, 2022
squamish
Discovered: Dec 30, 2021 · Attack est.: Dec 30, 2021
sonomatic
Discovered: Dec 30, 2021 · Attack est.: Dec 30, 2021
ncmutuallife
Discovered: Dec 30, 2021 · Attack est.: Dec 30, 2021
lahebert
Discovered: Dec 30, 2021 · Attack est.: Dec 30, 2021
bakertilly
Discovered: Dec 30, 2021 · Attack est.: Dec 30, 2021
atlasdie
Discovered: Dec 30, 2021 · Attack est.: Dec 30, 2021
The Squamish Nation is comprised of descendants of the Coast Salish Aboriginal peoples who
Discovered: Sep 9, 2021 · Attack est.: Sep 9, 2021
First Coast Logistics Services, Inc. was founded in 1999. The Company's line of business i
Discovered: Sep 9, 2021 · Attack est.: Sep 9, 2021
Datamatics is a technology company that builds intelligent solutions enabling data-driven
Discovered: Sep 9, 2021 · Attack est.: Sep 9, 2021
Rose Associates Mission Statement
Discovered: Sep 9, 2021 · Attack est.: Sep 9, 2021
AFTS supplies the preeminent Payment Processing, IRS 1031 Exchange, Data Processing, Invoi
Discovered: Sep 9, 2021 · Attack est.: Sep 9, 2021
OTR Capital believes in simple and straightforward transactions, without hidden costs and
Discovered: Sep 9, 2021 · Attack est.: Sep 9, 2021
Automatic Funds Transfer Services Inc. (vendor to city of Bainbridge Island)
US
Financial
Discovered: Feb 3, 2021 · Attack est.: Feb 3, 2021