What to do if you're hit by ransomware?

Do NOT attempt any self-remediation, as it can trigger further encryption and destroy recovery points. Instead, follow these steps:

1
Do NOT fix it yourself
2
Disconnect affected systems
3
Call us +1 332 331 8700

Contact us now for urgent ransomware response assistance, 24/7

Get Help Now
Frame

Experts. Finalists. Winners.

Accomplishments and recognitions, demonstrating our commitment to excellence and innovation.

Momentum Leader in MDR

Best Support in MDR & IR

Managed Detection and Response (MDR)

Top Cybersecurity Company 
2025

Best Managed Detection and Response Service

#4 of 184 teams Splunk Boss of the SOC

Best Of Cybersecurity Awards for Q1 2025

AWS Partner

Splunk Manage Premier Partner

Image (11) (1)

Why you shouldn’t attempt 
to fix it alone

Like a crime scene, a ransomware attack must be preserved — tampering with encrypted files, attempting self-recovery, or engaging with attackers can destroy critical evidence and reduce your chances of recovery.

Taking the right steps in the first moments after a Cuba attack can make a huge difference and help you make a full recovery. Request 24/7 Cuba ransomware recovery services to decrypt your data and maximize your chances of restoring operations.

Contact us now for urgent ransomware recovery assistance

Under attack?

Get Help Now

Cuba ransomware statistics & facts

Cuba Decryptor
Cuba IOCs
Cuba Attack Vectors
Case Outcomes
How to Remove Cuba Ransomware?
How to Recover from Cuba Ransomware?
Ransom Amounts
Cuba Decryptor

No public decryption tool available. CISA continues monitoring for potential key recovery mechanisms; current analysis unlikely to yield decryption capability.

Cuba IOCs

File Extensions
.cuba

Ransom Note Filenames
!Cuba!.txt, CUBA_RANSOM.txt, README_CUBA.txt

Cuba Process Hashes
Known malware samples tracked; execution typically via: cuba.exe, system.exe, service.exe, svc.exe. Windows Event Logs show unusual system service creation and execution patterns.

Cuba Tools
– EDR Disabling: Windows Defender disable via Group Policy, Windows Update Service termination
– Credential Dumping: Mimikatz (advanced variants), LSASS memory dumps, Domain Admin credential theft
– Reconnaissance: Network mapper (custom tools for SCADA discovery), Shodan API usage, ICS/SCADA protocol scanning
– Exfiltration: Rclone, mega.nz integration, custom SSH tunnels
– Lateral Movement: Pass-the-Hash, SMB relay, Kerberoasting, targeted spear-phishing of SCADA staff
– Malware: Qbot for initial delivery, custom backdoors, ICS-aware reconnaissance tools

Most Common Red Flag
Process execution logs showing: ICS scanning tools (nmap -sV targeting common industrial ports 502/Modbus, 20000/DNP3), LSASS dump attempts, Domain Admin enumeration commands: `whoami /priv`, `net group “Domain Admins” /domain`, followed by RDP lateral movement to isolated SCADA networks. Firewall rule creation observed: `netsh advfirewall firewall add rule`

Cuba Attack Vectors

Attack vector

% of Cuba incidents

Notes

VPN Exploitation (CVE-2022-24521, CVE-2023-27532)

50%

Unpatched remote access solutions

RDP Brute Force

30%

Weak credentials on internet-facing systems

Supply Chain/MSP Compromise

15%

Third-party infrastructure provider access

Phishing to ICS Staff

5%

Social engineering targeting SCADA technicians

Powered By WP Table Builder
Case Outcomes

Energy sector targets: major utility operators in US, Europe, and Australia affected. Estimated 30+ critical infrastructure operators compromised since 2019. Ransom amounts: $1–$10M+ (correlates with utility scale). Payment statistics: 60% paid to avoid service disruption; 30% restored from backups; 10% unresolved with partial service loss. One US power distribution operator reported 8-hour outage due to Cuba encryption of SCADA servers.

How to Remove Cuba Ransomware?

Cuba cannot be decrypted without attacker cooperation. Removal focuses on attacker access elimination and service restoration: immediately isolate all infected SCADA/HMI systems; kill persistence (scheduled tasks, WMI subscriptions); remove backdoors and C2 communication channels; restore critical systems from air-gapped backups; conduct domain-wide credential reset; implement segmentation isolating SCADA networks from enterprise networks.

How to Recover from Cuba Ransomware?

Critical infrastructure recovery priorities differ from standard enterprise: 1) Restore essential services first (power generation, water treatment) to minimize public impact, 2) Segment recovery (restore SCADA first, then supporting systems), 3) Test restoration in isolated lab environment before production deployment, 4) Maintain manual controls during restoration (critical for utilities), 5) Deploy ICS-specific monitoring post-recovery. Recovery timelines: 3–14 days for major utilities depending on system complexity and backup availability.

Ransom Amounts

Documented demands: $1,000,000–$10,000,000+. Amounts directly correlate with utility scale and criticality. Small municipal utilities: $1–$2M; major regional power operators: $5–$10M+. Payment rates: 60% (threat of service disruption more persuasive than typical ransomware). Bitcoin payments tracked on blockchain.

Our customers say it best

Contact us now for urgent ransomware recovery assistance

Under attack?

Get Help Now

Frequently asked questions

What is Cuba Ransomware?

Cuba is a sophisticated ransomware operation targeting critical infrastructure (energy, utilities, water treatment, transportation) since 2019. The malware encrypts files using AES-256-CBC with RSA-2048 wrapping and employs dual extortion: encryption plus threats to disrupt essential services. Cuba is linked to Tropical Scorpius threat group (UNC2596) and exclusively targets Windows environments in mission-critical sectors.

Is Cuba Linked to a Nation-State?

Attribution remains uncertain, but operational focus on critical infrastructure and ideological emphasis (threats to disrupt essential services rather than pure financial extortion) suggest possible state-sponsor involvement. Intelligence agencies investigate potential connections to foreign governments; no definitive attribution published.

Why Does Cuba Target Critical Infrastructure Specifically?

Cuba’s targeting of utilities, energy, and water treatment suggests deliberate strategic choice. Ransom threats gain leverage through potential service disruption: a power utility cannot afford extended downtime. This differs from typical ransomware targeting high-value but non-essential enterprises. The strategy maximizes ransom probability through operational threat rather than data sensitivity.

How Does Cuba Exploit CVE-2022-24521 and CVE-2023-27532?

CVE-2022-24521: authentication bypass in Cisco and other VPN solutions allowing unauthenticated access to internal networks. CVE-2023-27532: remote code execution in industrial control system interfaces. Cuba leverages these to gain initial footholds on internet-facing infrastructure, then pivots to SCADA networks. Patch management failure on industrial networks enables exploitation.

Can Cuba Ransomware Be Decrypted?

No decryption tool exists. Recovery requires either negotiation, law enforcement key recovery (rare), or restoration from air-gapped backups. Critical infrastructure operators should prioritize backup strategies over negotiation given public safety implications.

What Happens if Power/Water Utilities Don't Pay Cuba Ransom?

Cuba publishes SCADA screenshots and threatens to disrupt service. Actual disruption capability unconfirmed, but threat is credible given operational access. Payment decisions involve CISA coordination and law enforcement guidance. Public safety impacts (loss of power, water) create significant decision pressure on utility operators.

How Can Critical Infrastructure Operators Prevent Cuba?

1) Implement defense-in-depth on ICS/SCADA networks: air-gapped from enterprise; 2) Patch internet-facing systems immediately (prioritize CVE-2022-24521, CVE-2023-27532); 3) Implement MFA on all remote access; 4) Deploy network segmentation isolating critical systems; 5) Maintain air-gapped offline backups verified quarterly; 6) Conduct ICS-specific security audits (NERC CIP compliance); 7) Monitor for unusual SCADA protocol activity; 8) Implement anomaly detection on HMI systems; 9) Coordinate with CISA for threat intelligence.

What is the SCADA-Specific Incident Response Checklist?

1) Declare emergency; activate manual control procedures for essential services; 2) Isolate SCADA networks from enterprise immediately; 3) Notify CISA (within 1 hour for utilities); 4) Preserve forensic evidence from HMI systems and domain controllers; 5) Assess encryption scope: which SCADA servers affected; 6) Verify backup integrity (assume SCADA backups may be compromised); 7) Begin recovery in isolated lab environment; 8) Deploy ICS-specific monitoring and anomaly detection; 9) Engage third-party ICS incident response team; 10) Brief board and public stakeholders; 11) Monitor for re-compromise for 6 months.

Why Is Segmentation Critical for Cuba Defense?

Cuba’s attack chain requires pivoting from enterprise network to SCADA systems. Segmentation (air-gapped networks, restricted data flows) breaks this chain. A properly segmented utility with air-gapped SCADA would experience encryption only on enterprise systems, leaving critical processes operational. Cuba targets utilities with poor network segmentation, making this the single most effective preventative control.

What is Tropical Scorpius (UNC2596)?

Tropical Scorpius is the Mandiant-designated threat group attributed to Cuba ransomware operations. The group demonstrates advanced ICS knowledge, targeting tactics, and specialized reconnaissance of utilities. Whether Tropical Scorpius is a single government-backed group or coalition remains unclear; what’s certain is their focus on critical infrastructure disruption through ransomware.