Critical infrastructure owners and operators have been put on high alert following the FBI’s December 3 flash notice warning against the Cuba ransomware group. Already, the group has attacked 49 entities across five critical infrastructure industries (finance, government, healthcare, manufacturing, and IT). Thus far, the attackers have made almost $44M from ransom payments—more than half of the $74M collectively demanded. 

Cuba ransomware is distributed through Hancitor malware, a loader known for dropping and executing Remote Access Trojans (RATs) and other types of ransomware into victims’ networks, which can then destroy or publicize data if a ransom is not paid. The attackers have used phishing emails, compromised credentials, Microsoft Exchange vulnerabilities, and legitimate Remote Desktop Protocol (RDP) tools to gain initial access. They have also leveraged MimiKatz, an open source penetration-testing tool for Windows computers, to steal credentials and then leverage RDP to log into compromised systems. 

The news follows a year defined by an increase in cyberattacks. Ransomware groups are increasingly targeting protocols like RDP with malware to compromise vulnerable systems, as happened for instance in DarkSide’s hack of the Colonial Pipeline in May 2021. More than ever, it’s clear that traditional, perimeter-based security strategies are insufficient and unable to protect the operations that employ them.

In contrast, Xage’s zero trust remote access (ZTRA) solution prevents these types of ransomware attacks. Leveraging limited, identity-based access to all assets in an operation, multi-factor authentication for each access point, and regularly rotated credentials, ZTRA provides highly granular control. Specifically, ZTRA terminates exposed direct-access protocols such as RDP and VNC, instead providing a secure HTTPS-based interface. Moreover, in the event of an attack, zero trust prevents malware from traversing between IT and OT systems, ensuring that operations can continue functioning undisturbed. 

Along with the flash notice, the FBI has set forth a number of recommendations for companies to reduce their risk of compromise by the Cuba ransomware. These recommendations include the use of layers of network separation, implementation of just-in-time access methods, and limited use of SMB; all of which are covered under ZTRA technology. The FBI also recommends the use of strong passwords, which ZTRA automatically implements for all endpoints. 

Ransomware attackers have historically targeted holiday seasons as strategic times to launch cyberattacks. As such, it’s imperative that companies in the critical infrastructure sector invest in zero trust architecture—including remote access solutions—to ensure they won’t be the next victims. To learn more about how industrial operations can deploy zero trust remote access, now available via the cloud, visit https://xage.com/products/zero-trust-remote-access-solution/.