Kaspersky researchers have been closely monitoring the activities of the Cuba ransomware group, also known as Tropical Scorpius [6], since late 2020 [6]. This notorious cybercriminal gang has targeted organizations worldwide across various industries, including government, retail [2], finance [2], logistics [2], and manufacturing sectors [2]. They employ sophisticated tactics, such as exploiting software vulnerabilities and social engineering [2] [6], to gain unauthorized access to victim networks.


The Cuba ransomware group [1] [2] [3] [4] [5] [6], previously known as Tropical Scorpius [6], has recently deployed advanced malware [1] [2] [5], including the BUGHATCH backdoor malware [3], which has managed to evade detection. Operating as a single-file ransomware strain [3], Cuba poses a challenge for detection due to its unique characteristics. The group constantly refines its techniques [3], employing data encryption and tailored attacks [3]. They have targeted a wide range of industries and have successfully compromised organizations worldwide.

Trend Micro Research has observed the resurgence of the Cuba ransomware group with a new variant of malware. Since February 2020 [4], the group has attacked 49 organizations in critical infrastructure sectors [4], amassing over $43.9 million in ransom payments [4]. The latest variant of the ransomware includes updates aimed at optimizing execution [4], minimizing unintended system behavior [4], and providing technical support to victims who choose to negotiate [4]. Cuba targets companies in various industries and employs a combination of public and proprietary tools, regularly updating their toolkit to exploit security vulnerabilities.

In addition to encrypting victims’ files and demanding ransom [6], Cuba adapts its attacks to extract sensitive information [2], such as financial documents [2], bank records [2], company accounts [2], and source code [2]. Software development companies are particularly at risk [2]. Despite being under scrutiny [2], the group remains dynamic and constantly refines its techniques [2].


The activities of the Cuba ransomware group have had significant impacts on organizations worldwide, with millions of dollars in ransom payments and compromised data. It is crucial for organizations to follow best practices in protecting against ransomware and to stay informed and proactive against evolving cyber-threats. Mitigations should include regular software updates, vulnerability assessments, and employee training on social engineering tactics. The Cuba ransomware group’s ability to adapt and refine its techniques highlights the need for continuous vigilance and proactive cybersecurity measures.


[1] https://usa.kaspersky.com/about/press-releases/2023cuba-ransomware-gang-deploys-new-malware
[2] https://t21.pe/ransomware-cuba-organizaciones-todo-mundo
[3] https://www.infosecurity-magazine.com/news/cuba-ransomware-undetectable/
[4] https://www.trendmicro.com/enus/research/22/f/cuba-ransomware-group-s-new-variant-found-using-optimized-infect.html
[5] https://www.kaspersky.com/about/press-releases/2023_dont-scratch-a-mosquito-bite-cuba-ransomware-deploys-new-malware
[6] https://www.cybersecurity-review.com/news-september-2023/analyzing-cuba-ransomware/