BleepingComputer reports that the Cuba ransomware operation had a resurgence of activity beginning in March with the use of a new variant that poses more risks for organizations being targeted by the group, most of which are in the U.S.
More processes could be terminated by the updated Cuba ransomware variant prior to file encryption, such as MySQL, MS Exchange, and Outlook, while additional directories and file types have been added to the ransomware's exclusion list, a Trend Micro report revealed.
Researchers also found that Cuba ransomware now includes quTox for live victim support in its ransom notes, which threaten the publication of all stolen information if victims fail to meet the attackers' demands within three days.
"While the updates to Cuba ransomware did not change much in terms of overall functionality, we have reason to believe that the updates aim to optimize its execution, minimize unintended system behavior, and provide technical support to the ransomware victims if they choose to negotiate," said Trend Micro.
New malware variant part of Cuba ransomware comeback