Menu
Browse

Cyber Threat Actor: Cuba

Aliases: 2 aliases
Actor Type Location Known Incidents
 Icon
Crime Syndicate
Brazil
9 incidents
Profile

The Cuba ransomware group, also known as Cuba Gang or Cuba Ransomware, has been active since at least 2019 and is publicly associated with Brazil as its known location. The group operates under the Cuba ransomware strain and has claimed responsibility for a series of attacks targeting various organizations worldwide. Public reporting indicates that the group uses a Tor‑based leak site to announce breaches and to threaten the release of stolen data unless demands are met.

The Cuba group’s observed targets span multiple sectors, including healthcare providers such as Rock County Public Health Department, Professional Healthcare Management, and Forefront Dermatology; government entities like the Agência Nacional de Águas e Saneamento Básico in Brazil and Montenegro’s parliamentary systems; critical infrastructure related to water resource management; IT services firms; and payment processors such as Automatic Funds Transfer Services. Geographically, incidents have been reported in the United States, Brazil, and Europe. The group’s stated objectives appear to be financial gain through ransom demands and the disruption of victim operations, as evidenced by the encryption of servers, the temporary shutdown of services, and the offer of identity‑theft protection to affected individuals.

Regarding tactics, the Cuba ransomware strain encrypts drives using unauthorized scripts, exfiltrates system and network data—including login credentials—and threatens data leakage, sometimes providing proof of stolen files on its leak site. Initial access has been suspected to stem from malicious attachments sent via customers, as noted in the Ottawa‑area IT services incident. Attribution discussions in open sources link the Cuba group to potential Russian state connections; researchers have associated the group with Russian speakers, the FBI has issued alerts warning of its attacks on critical infrastructure, and analysis by SecurityJoes and Profero suggested the group likely includes Russian speakers while accusing the Russian government of shielding or employing cybercriminals. Representative operations include the 2023 ransomware attack on Rock County Public Health Department that compromised personal data of over 25,000 individuals, the 2023 disruption of Brazil’s water agency systems, and the 2022 claim of responsibility for the Montenegro government breach that allegedly involved the theft of financial records and source code. These incidents illustrate the group’s pattern of ransomware deployment, data extortion, and impact on essential services.

Incidents
Attributed incidents available to members
9 incidents
Sources
Sources available to members
2 sources