‘Ransom’ Mega-hackers Are Russian, Say Israeli Cybersecurity Firms

‘Cuba Ransomware’ group found via bitcoin payments, showing crypto-currency transfers aren’t as anonymous as thought

Send in e-mailSend in e-mail
Send in e-mailSend in e-mail
An alert from the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency is photographed on Tuesday, April 20, 2021.
An alert from the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency is photographed on Tuesday, April 20, 2021. Credit: Jon Elswick,AP
Omer Benjakob
Omer Benjakob

A long-term sophisticated group of cybercriminals popularly known as ‘Cuba Ransomware’ is likely Russian, say Israeli researchers.

An investigation by Israeli cybersecurity firms Profero and Security Joes into attacks by Cuba, which mounts “ransom” attacks against commercial clients, found a number of telltale signs about the hackers’ origin.

In a report published on Wednesday, the firms show that a typo made by the hackers in correspondence with their victims is likely the result of misspelling the Russian word for server.

A custom-made error message in Russian found on a website set up by the Cuba hackers to post data it stole from its victims Credit: Profero, Security Joes

They also found that a website the hackers used to post data belonging to victims that refused to pay the ransom included a custom-made error message that was written in Russian. The report was not independently confirmed by Haaretz.

Ransomware attacks are when hackers take over a victim’s computer and/or data and demand pay to release it. Despite the relatively sophisticated nature of Cuba’s cybercrime operation, the researchers do not believe they are state hackers. “This group is highly secretive even in terms of the dark, shadowy world of hackers. This group is especially zealous about keeping itself off the radar,” explains Omri Segev Moyal of Profero.

“Most Russian cybercriminals pay some local form of graft to be able to operate unharassed by the state, but this group seems to want to operate as a somewhat unknown even in its own world of Russian-speaking hackers,” he adds.

Ransomware hackers generally ask to be paid in bitcoin, which is unregulated and they believe will assure them of anonymity. However, law enforcement is fighting back.

In the U.S., federal investigators said recently that a proposal to register bitcoin accounts would be especially helpful for identifying drug smugglers, human traffickers and terrorists — and ransomware groups. Just last week the U.S. Department of Justice established a government group to tackle ransomware. The proposed new rules, some of which would need Congressional action, mostly are mostly aimed at piercing the anonymity of cryptocurrency transactions.

However, many of the exchanges, which conduct the critical operation of turning cryptocurrency into dollars or other widely accepted currencies, are in countries outside the reach of U.S. regulators.

Cuba too asks for ransom to be paid in bitcoin, but its unique angle was attempting to launder the money through a convoluted array of cryptocurrency exchanges, to hide the payout.

An analysis of how the Cuba hackers attempted to launder the money through a convoluted array of cryptocurrency exchangesCredit: Screen capture

“These are techniques that are more similar to money laundering,” explains Segev Moyal. The Israeli cybersecurity experts’ report shows how a string of purportedly anonymous digital coin exchanges were used to transfer the payout from the initial bitcoin demanded by the hackers, to other cryptocurrencies like Etherium, and then back to bitcoin, meanwhile breaking down the money into smaller amounts which was shuffled through a number of different digital wallets.

According to Reuters, ransomware gangs collected almost $350 million last year, up threefold from 2019. Companies, government agencies, hospitals and school systems are among the victims of ransomware groups, some of which U.S. officials say maintain friendly relations with nation-states including North Korea and Russia. The Ransomware Task Force, a U.S.-led group of public-private experts, are zeroing in on cryptocurrency regulation as the key to combating what Reuters called the scourge of ransomware attacks.

In a report that will be published on Thursday and was seen by Reuters, the taskforce is expected to call for far more aggressive tracking of bitcoin and other cryptocurrencies. While those have won greater acceptance among investors over the past year, they remain the lifeblood of ransomware operators and other criminals who face little risk of prosecution in much of the world.

Reuters contributed to this report

Click the alert icon to follow topics: