Cuban Ransomware Group Claims Montenegrin Government Attack

The Cuba ransomware group claimed responsibility for an attack against the Montenegrin government, which reported last week that it was facing Russian-linked cyberattacks.

The group claimed to have received the files belonging to the Public Relations Department of the Montenegrin government on August 19, 2022.

The files allegedly contained information such as financial documents, correspondence with bank employees, balance sheets, tax documents, compensation, and source code.

IT professional was unable to verify the legitimacy of the files as the Cuba download link appears to be broken at the time of writing.

Montenegro’s National Security Agency (ANB) said on Saturday it was “under a hybrid war at the moment” days after its public administration minister tweeted that “certain services” had gone offline amid “multiple” cyberattacks.

On Thursday the minister, Maras Dukaj, also compared the “series of cyber attacks” with those the country sustained in 2015 and 2016.

Dukaj did not explicitly define which attacks he was referring to, but he may have been referring to Russia-linked cyberattacks targeting the nation before it joined NATO in 2017.

The Montenegrin ANB website is also unavailable at the time of writing, as is the Department of Public Relations website that Cuba claims to have successfully breached.

Montenegro was once considered a pro-Russian ally, but since joining NATO in 2017, it has been considered an enemy of the country that is now invading Ukraine.

Russia also added Montenegro to its list of “enemy states” along with other Western allies such as the UK and other nations that publicly oppose the Kremlin’s goals.

“Russian coordinated services are behind the cyberattack,” the ANB said in a statement to the Associated Press. “This type of attack was carried out for the first time in Montenegro and has been prepared for a long period of time.”

Government official Dusan Polovic said: “I can say with certainty that this attack that Montenegro is experiencing these days comes directly from Russia.”

The cyberattacks appear to be targeting a wide selection of public entities in the country, including government services and the transportation and telecommunications sectors, his government said.

Various government servers have been attacked, but the attacks so far have not resulted in any damage or data loss.

Who is behind the Cuba ransomware gang?

Very few cybersecurity companies have been confident enough to attribute the ransomware organization to a specific country; Profero, however, is one of those that has linked it to Russia.

The company said it has noted the use of the Russian language on the group's website and during the group's negotiations with victims.

The current Cuba ransomware leak site is written entirely in English, although some minor spelling and grammar issues can be noted.

The US Federal Bureau of Investigation (FBI) said in a 2021 report that the group had compromised at least 49 organisations, including targeted operational critical infrastructure, netting almost $50m (£43m) in revenue.

The double-extortion ransomware group is believed to have targeted organizations in Europe, North and South America, and Asia in the past and experienced a resurgence between March and April 2022, according to Trend Micro.

Cuba ransomware is often delivered as an end-stage payload in email-based attack campaigns that involve the Hancitor malware downloader.

Additional tools often associated with these attacks include the Mimikatz credential-stealing malware and the frequently abused Cobalt Strike penetration testing toolkit.
