Cuba ransomware, also known as Fidel, was first discovered in late 2019 and rose to prominence in 2022. Cuba’s impact doubled year over year, compromising hundreds of victims; in 2022 alone it collected more than $60 million in ransom, prompting CISA and the FBI to issue flash alerts. Cuba ransomware’s official Tor (.onion) website features a Cuban nationalist theme, even though intelligence points to the group’s Russian membership: its communications contain misspellings typical of Russian speakers. Cuba ransomware is affiliated with RomCom and Industrial Spy, two small but disproportionately high-impact threat actors.
Cuba’s use of standard commercial software packing techniques is considered less sophisticated than state-sponsored malware, indicating that Cuba is likely the product of a small but talented group of profit-seeking individuals. “Packing” refers to compressing a program and its required libraries into a single executable that is harder to reverse-engineer and harder for antivirus scanners to detect.
© ALL RIGHTS RESERVED TO DarkFeed 2023