CUBA Ransomware Malware Analysis

The malware starts by retrieving the active input locale identifier of the victim using the GetKeyboardLayout API. When the Russian language is in the list of supported languages of the machine, the process deletes and terminates itself with a simple command line: c:\system32\cmd.exe c/ del PATH_TO_BINARY without encrypting the file system.

The threat actor included 4 different operations based on the following command-line arguments:

• The network keyword
• An IP keyword
• A path keyword
• The local keyword

Network keyword parameter

When specifying the network keyword, the malware retrieves the Address Resolution Protocol (ARP) table of the machine using the GetIpNetTable Windows API and enumerates the shares of each IP in the ARP table, this information is added to a linked list that will be accessed by the encryption capability, which will be discussed further below in detail.

IP keyword parameter

By specifying an IP address as the first parameter in the command line the malware proceeds by enumerating and encrypting every share found for the specified IP.

Path keyword parameter

The malware will encrypt the local directory contents, or the file provided, as the first parameter of the command-line.

Local keyword parameter

The local keyword is used to encrypt every local volume on the machine, and because the malware targets volumes by their ID, it can encrypt both mounted and unmounted volumes.

CUBA starts by acquiring SeDebugPrivilege and then terminates a hardcoded list of processes and services using a common Windows API (see appendix for list [1], [2]). For some services, the malware first tries to disable the service– indicated by the second parameter of TerminateProcesses::TerminateServiceByName function. This is mainly done to prevent interference with the encryption process by applications that may lock files from external changes, for example, databases.

The malware enumerates all the local volumes and for each volume larger than 1GB it saves the volume’s GUID in a custom linked list. The ransomware utilizes the CriticalSection object to access this linked list for synchronization purposes due to multiple threads accessing the same resource. This helps to avoid two threads encrypting the same file at the same time, a race condition that would corrupt the file.

After preparing a list to encrypt, CUBA ransomware spawns encryption threads with the structure defined below as a parameter. Depending on the command line arguments, the malware starts 4 threads for local encryption or 8 threads for network encryption.

When a thread finishes its task, it will decrement a counter until it reaches 0: lpParameter->NumberOfThreadRunning. When the last thread completes, it will alert the program that the task is done with a call to SetEvent API, which will self delete and terminate the malware.

The malware leverages the symmetric encryption algorithm ChaCha20 to encrypt files and the asymmetric encryption algorithm RSA to protect the ChaCha20 Key and Initialization Vector (IV). The author has utilized a customized version of WolfSSL, an open source SSL/TLS library, to implement this capability. Other samples (2957226fc315f71dc22f862065fe376efab9c21d61bbc374dde34d47cde85658) implemented a similar function using the libtomcrypt library. Other implementations may exist that are not described here.

The ransomware allocates a large custom structure called block that contains all the required encryption information. It then initializes an RsaKey structure with wc_InitRsaKey and decodes an embedded 4096 bit RSA public key in DER format using wc_RsaPublicKeyDecode which it saves to block.PubRsaKey.

Each thread takes an entry from the linked list and starts recursively enumerating files starting from the root of the volume. In the case of a specific directory, the same function is called recursively except for specific directories (see appendix for list). Otherwise, it will ignore the ransom note file !! READ ME !!.txt and files with specific extensions (see appendix for list).

The malware uses wc_RNG_GenerateBlock a WolfSSL function, to randomly generate 44 bytes. The first 32 bytes of that are used as the ChaCha20 key and the other 12 bytes are used as the IV, it then calls a function to initiate the ChaCha20 structure block.chacha20_KeyIv that will be later used to encrypt the file content. At this point, the ransomware is ready to start encrypting and writing to the file.

Before encrypting a file, Cuba ransomware prepends a 1024 byte header, the first 256 bytes are the string FIDEL.CA and some DWORD bytes values, the next 512 bytes are the encrypted ChaCha20 KEY/IV with the public RSA key and the rest is padded with 0.

Before starting the encryption, the malware double checks if the file was already encrypted by comparing the first 8 bytes of the file to the header string FIDEL.CA. If equal, the malware terminates the encryption process as described below.

Then CUBA writes the 1024 byte header and if the file is larger than 2 MB it reads 1 MB of data at a time from the file and encrypts it with the ChaCha20 cipher. Otherwise, it will read and encrypt the entire contents at once.

The malware encrypts the file in 1 MB chunks and, depending on the file’s size, it will skip a preset number of bytes. This is done primarily to speed up the encryption process of large files, below is a table to illustrate.

Finally, it will rename the file by adding the extension .cuba.

Using the MITRE ATT&CK® framework, techniques and sub techniques represent how an adversary achieves a tactical goal by performing an action.

• Data Encrypted for Impact
• Network Share Discovery
• Process Discovery
• Service Stop
• System Information Discovery
• Indicator Removal on Host: File Deletion
• Obfuscated Files or Information: Software Packing
• System Network Configuration Discovery
• System Location Discovery: System Language Discovery
• Data Encrypted for Impact
• Access Token Manipulation

• sqlagent.exe
• sqlservr.exe
• sqlwriter.exe
• sqlceip.exe
• msdtc.exe
• sqlbrowser.exe
• vmwp.exe
• vmsp.exe
• outlook.exe
• Microsoft.Exchange.Store.Worker.exe

• MySQL
• MySQL80
• SQLSERVERAGENT
• MSSQLSERVER
• SQLWriter
• SQLTELEMETRY
• MSDTC
• SQLBrowser
• vmcompute
• vmms
• MSExchangeUMCR
• MSExchangeUM
• MSExchangeTransportLogSearch
• MSExchangeTransport
• MSExchangeThrottling
• MSExchangeSubmission
• MSExchangeServiceHost
• MSExchangeRPC
• MSExchangeRepl
• MSExchangePOP3BE
• MSExchangePop3
• MSExchangeNotificationsBroker
• MSExchangeMailboxReplication
• MSExchangeMailboxAssistants
• MSExchangeIS
• MSExchangeIMAP4BE
• MSExchangeImap4
• MSExchangeHMRecovery
• MSExchangeHM
• MSExchangeFrontEndTransport
• MSExchangeFastSearch
• MSExchangeEdgeSync
• MSExchangeDiagnostics
• MSExchangeDelivery
• MSExchangeDagMgmt
• MSExchangeCompliance
• MSExchangeAntispamUpdate

• \windows\
• \program files\microsoft office\
• \program files (x86)\microsoft office\
• \program files\avs\
• \program files (x86)\avs\
• \$recycle.bin\
• \boot\
• \recovery\
• \system volume information\
• \msocache\
• \users\all users\
• \users\default user\
• \users\default\
• \temp\
• \inetcache\
• \google\

• .exe
• .dll
• .sys
• .ini
• .lnk
• .vbm
• .cuba

Elastic Security has created YARA rules to identify CUBA ransomware activity.