Security & Compliance Automation Platform
UnderDefense MAXI is the solution to day-to-day cybersecurity problems of IT leaders and teams. It builds your 24/7 business protection together with you on the driver’s seat.
UnderDefense MAXI Platform
UnderDefense Secures Top Honor at the 2025 Global Infosec Awards
We’re proud of being a winner at the 2025 Global Infosec Awards…
10-Point AWS Security Checklist for Executives
Quickly assess your cloud security posture with this executive-ready checklist covering IAM, monitoring, and compliance essentials.
Anti-Phishing Playbook
Your free PDF guide to spotting and stopping phishing attacks before they reach your team or data.
24/7 Threat Detection & MAXImum Responsiveness
Our human-led MDR service combines expert insight and automation and AI for fast, precise threat response. Get full context in 2 minutes and cut MTTC to 15, staying ahead of ransomware and other attacks.
Calculate your MDR price
Pay only for the services you actually need, with no hidden costs.
10-Point AWS Security Checklist for Executives
Quickly assess your cloud security posture with this executive-ready checklist covering IAM, monitoring, and compliance essentials.
Anti-Phishing Playbook
Your free PDF guide to spotting and stopping phishing attacks before they reach your team or data.
Spot threats faster and respond smarter than tools alone
24/7 MDR and SOC services led by award-winning security experts. We act as an extension to your team or as a fully remote team, providing detailed threat insights and actionable responses to secure your environment immediately.
UnderDefense is an AWS Partner
We’re excited to announce that UnderDefense is now an AWS partner and available on AWS Marketplace…
Managed SOC at Your Service
Augment your SOC with 24/7 monitoring, threat detection, and expert response—without the overhead. Integrated with your existing tools, our SOCaaS stops attacks before they cause harm.
Managed SIEM Pricing Guide
Download a clear, practical overview of Managed SIEM pricing, featuring detailed breakdowns by service type, pricing model, real-world pros and cons, and key cost factors.
Managed SOC at Your Service
Augment your SOC with 24/7 monitoring, threat detection, and expert response—without the overhead. Integrated with your existing tools, our SOCaaS stops attacks before they cause harm.
Managed SIEM Pricing Guide
Download a clear, practical overview of Managed SIEM pricing, featuring detailed breakdowns by service type, pricing model, real-world pros and cons, and key cost factors.
Cuba ransomware recovery team on standby
Cuba ransomware has targeted US critical infrastructure since 2019, exploiting CVE-2022-24521 and CVE-2023-27532 to breach financial, government, and energy organisations and demanding multi-million-dollar ransoms. Do not attempt decryption or negotiation alone — isolate affected systems immediately and contact UnderDefense's incident response team.
Average Mttc
Ransom-Free recovery rate
Avoided in ransom
Global availability
Systems restored
IR experts
Ransomware cases resolved
IR experience
Do NOT attempt any self-remediation, as it can trigger further encryption and destroy recovery points. Instead, follow these steps:
Contact us now for urgent ransomware response assistance, 24/7
Get Help Now
Accomplishments and recognitions, demonstrating our commitment to excellence and innovation.
Momentum Leader in MDR
Best Support in MDR & IR
Managed Detection and Response (MDR)
Top Cybersecurity Company 2025
Best Managed Detection and Response Service
#4 of 184 teams Splunk Boss of the SOC
Best Of Cybersecurity Awards for Q1 2025
AWS Partner
Splunk Manage Premier Partner
Like a crime scene, a ransomware attack must be preserved — tampering with encrypted files, attempting self-recovery, or engaging with attackers can destroy critical evidence and reduce your chances of recovery.
Taking the right steps in the first moments after a Cuba attack can make a huge difference and help you make a full recovery. Request 24/7 Cuba ransomware recovery services to decrypt your data and maximize your chances of restoring operations.
Cuba infections are immediately identifiable by the .cuba file extension and ransom note named !Cuba!.txt placed on desktop and root directories. Initial compromise often traces to VPN exploitation or internet-facing application vulnerabilities affecting industrial networks. Once inside, Cuba performs extensive reconnaissance targeting Windows domain controllers and critical process networks before deploying encryption across the infrastructure.
Cuba employs AES-256-CBC for file encryption with RSA-2048 asymmetric key wrapping. Some older samples used weaker RSA-1024, but current variants confirm 2048-bit strength. Encryption speed optimized for large enterprise networks with thousands of systems.
Operates as hybrid between independent group and affiliate-driven attacks. Core team (Tropical Scorpius) maintains infrastructure; affiliates conduct reconnaissance and initial compromise. Cuba operators target only critical infrastructure (energy, utilities, water treatment), avoiding opportunistic victims. Suggests ideological component or government-backed targeting.
Dual extortion with emphasis on operational leverage: Cuba threatens to disrupt critical services (power grids, water treatment) if ransom is unpaid. SCADA/HMI screenshot publication common. Some variants include direct threats: "We will shut down your power distribution systems." Psychological impact on utilities exceeds typical ransomware.
Windows-exclusive: domain controllers, HMI (Human Machine Interface) systems, engineering workstations, Windows-based SCADA servers. Industrial protocols (Modbus, Profibus) not directly affected but may be controlled via compromised Windows systems.
!Cuba!.txt contains Tor onion URL, Bitcoin wallet, and operational threat language: "We have access to your critical systems. Power will be disabled in X hours if not paid." Contact instructions include direct communication via ProtonMail.
No public decryption tool available. CISA continues monitoring for potential key recovery mechanisms; current analysis unlikely to yield decryption capability.
File Extensions
.cuba
Ransom Note Filenames
!Cuba!.txt, CUBA_RANSOM.txt, README_CUBA.txt
Cuba Process Hashes
Known malware samples tracked; execution typically via: cuba.exe, system.exe, service.exe, svc.exe. Windows Event Logs show unusual system service creation and execution patterns.
Cuba Tools
– EDR Disabling: Windows Defender disable via Group Policy, Windows Update Service termination
– Credential Dumping: Mimikatz (advanced variants), LSASS memory dumps, Domain Admin credential theft
– Reconnaissance: Network mapper (custom tools for SCADA discovery), Shodan API usage, ICS/SCADA protocol scanning
– Exfiltration: Rclone, mega.nz integration, custom SSH tunnels
– Lateral Movement: Pass-the-Hash, SMB relay, Kerberoasting, targeted spear-phishing of SCADA staff
– Malware: Qbot for initial delivery, custom backdoors, ICS-aware reconnaissance tools
Most Common Red Flag
Process execution logs showing: ICS scanning tools (nmap -sV targeting common industrial ports 502/Modbus, 20000/DNP3), LSASS dump attempts, Domain Admin enumeration commands: `whoami /priv`, `net group “Domain Admins” /domain`, followed by RDP lateral movement to isolated SCADA networks. Firewall rule creation observed: `netsh advfirewall firewall add rule`
Attack vector | % of Cuba incidents | Notes |
VPN Exploitation (CVE-2022-24521, CVE-2023-27532) | 50% | Unpatched remote access solutions |
RDP Brute Force | 30% | Weak credentials on internet-facing systems |
Supply Chain/MSP Compromise | 15% | Third-party infrastructure provider access |
Phishing to ICS Staff | 5% | Social engineering targeting SCADA technicians |
Energy sector targets: major utility operators in US, Europe, and Australia affected. Estimated 30+ critical infrastructure operators compromised since 2019. Ransom amounts: $1–$10M+ (correlates with utility scale). Payment statistics: 60% paid to avoid service disruption; 30% restored from backups; 10% unresolved with partial service loss. One US power distribution operator reported 8-hour outage due to Cuba encryption of SCADA servers.
Cuba cannot be decrypted without attacker cooperation. Removal focuses on attacker access elimination and service restoration: immediately isolate all infected SCADA/HMI systems; kill persistence (scheduled tasks, WMI subscriptions); remove backdoors and C2 communication channels; restore critical systems from air-gapped backups; conduct domain-wide credential reset; implement segmentation isolating SCADA networks from enterprise networks.
Critical infrastructure recovery priorities differ from standard enterprise: 1) Restore essential services first (power generation, water treatment) to minimize public impact, 2) Segment recovery (restore SCADA first, then supporting systems), 3) Test restoration in isolated lab environment before production deployment, 4) Maintain manual controls during restoration (critical for utilities), 5) Deploy ICS-specific monitoring post-recovery. Recovery timelines: 3–14 days for major utilities depending on system complexity and backup availability.
Documented demands: $1,000,000–$10,000,000+. Amounts directly correlate with utility scale and criticality. Small municipal utilities: $1–$2M; major regional power operators: $5–$10M+. Payment rates: 60% (threat of service disruption more persuasive than typical ransomware). Bitcoin payments tracked on blockchain.
10 reasons why you should choose the UnderDefense ransomware recovery consulting services:
Get Help NowCuba is a sophisticated ransomware operation targeting critical infrastructure (energy, utilities, water treatment, transportation) since 2019. The malware encrypts files using AES-256-CBC with RSA-2048 wrapping and employs dual extortion: encryption plus threats to disrupt essential services. Cuba is linked to Tropical Scorpius threat group (UNC2596) and exclusively targets Windows environments in mission-critical sectors.
Attribution remains uncertain, but operational focus on critical infrastructure and ideological emphasis (threats to disrupt essential services rather than pure financial extortion) suggest possible state-sponsor involvement. Intelligence agencies investigate potential connections to foreign governments; no definitive attribution published.
Cuba’s targeting of utilities, energy, and water treatment suggests deliberate strategic choice. Ransom threats gain leverage through potential service disruption: a power utility cannot afford extended downtime. This differs from typical ransomware targeting high-value but non-essential enterprises. The strategy maximizes ransom probability through operational threat rather than data sensitivity.
CVE-2022-24521: authentication bypass in Cisco and other VPN solutions allowing unauthenticated access to internal networks. CVE-2023-27532: remote code execution in industrial control system interfaces. Cuba leverages these to gain initial footholds on internet-facing infrastructure, then pivots to SCADA networks. Patch management failure on industrial networks enables exploitation.
No decryption tool exists. Recovery requires either negotiation, law enforcement key recovery (rare), or restoration from air-gapped backups. Critical infrastructure operators should prioritize backup strategies over negotiation given public safety implications.
Cuba publishes SCADA screenshots and threatens to disrupt service. Actual disruption capability unconfirmed, but threat is credible given operational access. Payment decisions involve CISA coordination and law enforcement guidance. Public safety impacts (loss of power, water) create significant decision pressure on utility operators.
1) Implement defense-in-depth on ICS/SCADA networks: air-gapped from enterprise; 2) Patch internet-facing systems immediately (prioritize CVE-2022-24521, CVE-2023-27532); 3) Implement MFA on all remote access; 4) Deploy network segmentation isolating critical systems; 5) Maintain air-gapped offline backups verified quarterly; 6) Conduct ICS-specific security audits (NERC CIP compliance); 7) Monitor for unusual SCADA protocol activity; 8) Implement anomaly detection on HMI systems; 9) Coordinate with CISA for threat intelligence.
1) Declare emergency; activate manual control procedures for essential services; 2) Isolate SCADA networks from enterprise immediately; 3) Notify CISA (within 1 hour for utilities); 4) Preserve forensic evidence from HMI systems and domain controllers; 5) Assess encryption scope: which SCADA servers affected; 6) Verify backup integrity (assume SCADA backups may be compromised); 7) Begin recovery in isolated lab environment; 8) Deploy ICS-specific monitoring and anomaly detection; 9) Engage third-party ICS incident response team; 10) Brief board and public stakeholders; 11) Monitor for re-compromise for 6 months.
Cuba’s attack chain requires pivoting from enterprise network to SCADA systems. Segmentation (air-gapped networks, restricted data flows) breaks this chain. A properly segmented utility with air-gapped SCADA would experience encryption only on enterprise systems, leaving critical processes operational. Cuba targets utilities with poor network segmentation, making this the single most effective preventative control.
Tropical Scorpius is the Mandiant-designated threat group attributed to Cuba ransomware operations. The group demonstrates advanced ICS knowledge, targeting tactics, and specialized reconnaissance of utilities. Whether Tropical Scorpius is a single government-backed group or coalition remains unclear; what’s certain is their focus on critical infrastructure disruption through ransomware.