An Ottawa-area IT services company says it has fully restored service to its customers after being hit by the Cuba ransomware strain last week, although about a day’s worth of email and data was lost.
Marc Villeneuve, owner of 2NetworkIT, credits a resilient backup strategy for letting the company recover from 11 encrypted servers and restore most data for its 30 customers within 48 hours.
Customers lost one day of email and data, he said in an interview.
Based in Orleans, Ont., just outside Ottawa, 2NetworkIT offers a suite of hosted office productivity applications that companies can remotely access.
He speculates that a customer clicked on a malicious attachment, triggering a chain that resulted in the installation of the ransomware despite the servers being fully patched.
While the Cuba ransomware gang’s website claims the group copied financial documents, correspondence with bank employees, tax documents and source code, Villeneuve is “99 per cent sure” nothing was stolen. In part that’s because the website doesn’t have a preview of stolen data or a screenshot of a file directory, as the gang has done for other victims.
“They gave me three days to contact them,” he added, “otherwise they would list everything they had” on their website. “My [company] name appeared as of Sunday morning on their website. I’ve been checking every day and none of my files are showing in their folder structures.”
Villeneuve, who lives in Mexico, said there are two lessons for infosec pros:
First, “Brace yourself. I hate to say it, but whatever you do, you’re never going to be fully protected from these types of hackers. They are high-end hackers.”
Second: “Your backups are what’s going to save you — and make sure you have backups of your backups, and they are on different [network] segments that are not connected.”
The U.S. Cybersecurity and Infrastructure Security Agency and the FBI this month issued a background report on the tactics and indicators of compromise from the gang that calls itself Cuba. As of August, the FBI believed the gang had compromised 101 entities, including 65 in the U.S., and received an estimated US$60 million in payments.
Typically this gang gains initial access by exploiting known vulnerabilities in commercial software, phishing, using compromised credentials and abusing legitimate remote desktop protocol (RDP) tools, the report says.
This week, Sophos said it believes an attacker used a legitimately signed Windows driver in an attempted cyber attack to deploy the Cuba ransomware strain in an organization; because the driver carried a valid Microsoft signature, it could be loaded to disable endpoint security tools before the ransomware ran. Microsoft said that after being told by Sophos, Mandiant and SentinelOne in October about suspicious activity, it suspended the Windows Hardware Developer Program partner accounts that had submitted the drivers for Microsoft signing and released detections for the affected files.
However, Villeneuve doesn’t believe that was the attack vector.
The attackers hit around 2 a.m. on Thursday, Dec. 8. Villeneuve realized something was wrong around 5 a.m. when he woke and decided to check his email, only to find the server not responding. He thought all it needed was a reboot, but soon realized 46 services were down. Then, after accessing the domain controllers, he could see unauthorized scripts running automatically, mapping and encrypting every drive they could reach, including one network-attached storage (NAS) backup system. Still, he was able to remotely shut down all of the company’s servers.
What wasn’t touched was a server holding virtual machines and other offline data backups.
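The contrast above, between a NAS backup that was reachable and got encrypted and offline copies that survived, points to a second check worth running on any backup that is still connected: whether the data being backed up already looks encrypted. The following is an added example, not code from the article or from 2NetworkIT. It measures per-file Shannon entropy and rejects a snapshot when too many eligible files sit at ciphertext-like entropy levels. File contents are constructed inline; the threshold values are assumptions for illustration, not figures from the incident.

```python
"""Entropy gate for bulk-encryption before a backup snapshot is accepted.

Added example (not from the article). A real backup job would read files
from the source volume; here files arrive as (name, bytes) pairs and the
sample snapshots are constructed inline with a fixed random seed.
"""
import math
import random
from collections import Counter

# Above roughly 7.5 bits/byte a file of meaningful size is almost always
# compressed or encrypted; plain text sits around 4 to 5 bits/byte.
ENTROPY_THRESHOLD = 7.5
# Very small files give noisy entropy estimates and are skipped.
MIN_SIZE = 64
# Share of eligible files allowed to look encrypted before the snapshot
# is refused. Real data sets contain some zip/jpeg/pdf content, so zero
# would false-alarm; 0.25 is an assumed value for this demo.
MAX_HIGH_ENTROPY_RATIO = 0.25


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 for empty input up to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes) -> bool:
    """True when the file is large enough to judge and near-max entropy."""
    return len(data) >= MIN_SIZE and shannon_entropy(data) >= ENTROPY_THRESHOLD


def scan_for_bulk_encryption(files):
    """files: iterable of (name, bytes).

    Returns (ratio, flagged_names, accept) where ratio is the fraction of
    eligible files that look encrypted and accept is False when that
    fraction exceeds MAX_HIGH_ENTROPY_RATIO.
    """
    eligible = [(name, data) for name, data in files if len(data) >= MIN_SIZE]
    flagged = [name for name, data in eligible if looks_encrypted(data)]
    ratio = len(flagged) / len(eligible) if eligible else 0.0
    return ratio, flagged, ratio <= MAX_HIGH_ENTROPY_RATIO


def constructed_healthy_snapshot():
    """Constructed sample: text documents plus one legitimately random file."""
    rng = random.Random(1234)
    text = b"Quarterly invoice summary for client 17. Net 30 terms apply.\n" * 8
    files = [(f"docs/report{i}.txt", text + str(i).encode()) for i in range(8)]
    files.append(("docs/photo.jpg", rng.randbytes(4096)))  # high entropy by nature
    return files


def constructed_encrypted_snapshot():
    """Constructed sample: every file replaced by ciphertext-like bytes,
    as after a ransomware pass over a mounted share."""
    rng = random.Random(4321)
    return [(f"docs/report{i}.txt.locked", rng.randbytes(2048)) for i in range(9)]


if __name__ == "__main__":
    for label, snap in (("healthy", constructed_healthy_snapshot()),
                        ("encrypted", constructed_encrypted_snapshot())):
        ratio, flagged, ok = scan_for_bulk_encryption(snap)
        verdict = "accept" if ok else "REFUSE"
        print(f"{label}: {ratio:.2f} of files look encrypted, {len(flagged)} flagged -> {verdict}")
```

The gate is deliberately coarse: it will not catch intermittent encryption or an attacker who encrypts only headers, and it needs a tolerance for compressed media. Its value is in the failure mode the article describes, where a connected backup target faithfully copies a volume that has just been encrypted; refusing that snapshot preserves the previous good copy instead of overwriting it.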
Villeneuve believes his company is one of many in NATO countries being targeted by Russia-based threat groups as retaliation for supporting Ukraine in its war. An Israeli cybersecurity firm said that when it negotiated with the Cuba group for a customer in 2020, it learned the operators spoke Russian.