‘Ransom’ Mega-hackers Are Russian, Say Israeli Cybersecurity Firms

‘Cuba Ransomware’ group found via bitcoin payments, showing crypto-currency transfers aren’t as anonymous as thought

Omer Benjakob

An alert from the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency is photographed on Tuesday, April 20, 2021. Credit: Jon Elswick, AP

A long-running, sophisticated group of cybercriminals popularly known as ‘Cuba Ransomware’ is likely Russian, Israeli researchers say.

An investigation by Israeli cybersecurity firms Profero and Security Joes into attacks by Cuba, which mounts “ransom” attacks against commercial clients, found a number of telltale signs about the hackers’ origin.

In a report published on Wednesday, the firms show that a typo made by the hackers in correspondence with their victims is likely the result of misspelling the Russian word for server.

A custom-made error message in Russian found on a website set up by the Cuba hackers to post data it stole from its victims. Credit: Profero, Security Joes

They also found that a website the hackers used to post data belonging to victims that refused to pay the ransom included a custom-made error message that was written in Russian. The report was not independently confirmed by Haaretz.

Ransomware attacks are when hackers take over a victim’s computer and/or data and demand payment to release it. Despite the relatively sophisticated nature of Cuba’s cybercrime operation, the researchers do not believe they are state hackers. “This group is highly secretive even in terms of the dark, shadowy world of hackers. This group is especially zealous about keeping itself off the radar,” explains Omri Segev Moyal of Profero.

“Most Russian cybercriminals pay some local form of graft to be able to operate unharassed by the state, but this group seems to want to operate as a somewhat unknown even in its own world of Russian-speaking hackers,” he adds.

Ransomware hackers generally ask to be paid in bitcoin, which is unregulated and which they believe assures them anonymity. However, law enforcement is fighting back.

In the U.S., federal investigators said recently that a proposal to register bitcoin accounts would be especially helpful for identifying drug smugglers, human traffickers and terrorists — and ransomware groups. Just last week the U.S. Department of Justice established a government group to tackle ransomware. The proposed new rules, some of which would need Congressional action, are mostly aimed at piercing the anonymity of cryptocurrency transactions.

However, many of the exchanges, which conduct the critical operation of turning cryptocurrency into dollars or other widely accepted currencies, are in countries outside the reach of U.S. regulators.

Cuba too asks for ransom to be paid in bitcoin, but its unique angle was attempting to launder the money through a convoluted array of cryptocurrency exchanges, to hide the payout.

An analysis of how the Cuba hackers attempted to launder the money through a convoluted array of cryptocurrency exchanges. Credit: Screen capture

“These are techniques that are more similar to money laundering,” explains Segev Moyal. The Israeli cybersecurity experts’ report shows how a string of purportedly anonymous digital coin exchanges was used to transfer the payout from the bitcoin initially demanded by the hackers to other cryptocurrencies such as Ethereum, and then back to bitcoin, meanwhile breaking the money down into smaller amounts that were shuffled through a number of different digital wallets.

According to Reuters, ransomware gangs collected almost $350 million last year, up threefold from 2019. Companies, government agencies, hospitals and school systems are among the victims of ransomware groups, some of which U.S. officials say maintain friendly relations with nation-states including North Korea and Russia. The Ransomware Task Force, a U.S.-led group of public-private experts, is zeroing in on cryptocurrency regulation as the key to combating what Reuters called the scourge of ransomware attacks.

In a report that will be published on Thursday and was seen by Reuters, the taskforce is expected to call for far more aggressive tracking of bitcoin and other cryptocurrencies. While those have won greater acceptance among investors over the past year, they remain the lifeblood of ransomware operators and other criminals who face little risk of prosecution in much of the world.

Reuters contributed to this report
