S0625: Cuba
Analyst context for executives and security teams
Cuba is a Windows-based ransomware family in ATT&CK, described by MITRE as used against financial institutions, technology, and logistics organizations in North and South America and Europe since at least December 2019. Its mapped behaviors matter because they span pre-impact discovery, execution through PowerShell and Windows command shell, stealth through obfuscation and hidden execution, credential-related collection via keylogging, service manipulation, and data encryption for impact. For leaders, this is less about one malware name and more about validating whether Windows ransomware tradecraft would be visible before encryption disrupts operations.
Executive priority
Prioritize Cuba as a ransomware resilience validation case for Windows environments. The decision questions are: can the organization detect discovery and service manipulation before encryption, can IR teams reconstruct activity if files are deleted or payloads are packed/obfuscated, and are backup, service recovery, and evidence-retention processes ready for a disruptive ransomware event? The ATT&CK record supports heightened attention for sectors named in the source description—financial institutions, technology, and logistics—but local exposure should be determined from asset criticality, Windows dependency, telemetry coverage, and recovery readiness.
Technical view
The malware object has no ATT&CK-provided detection text, so SOC and detection engineering work should be driven by the mapped techniques and the Windows platform. Validate visibility for PowerShell and cmd execution, Windows service creation or modification, access token manipulation, process/service/network/share/file discovery, local storage enumeration, ingress tool transfer, hidden windows, reflective code loading, file deletion, keylogging indicators, service stops, and data encryption activity. Because several mapped behaviors are also used by administrators and legitimate software, detection should correlate sequences: discovery across services/processes/network/shares/storage followed by tool transfer or suspicious execution, service changes or stops, stealth behaviors, and encryption-like file activity.
Likely telemetry
- Windows endpoint detection and response events for process creation, command line, parent/child process relationships, and module or memory-loading behavior
- PowerShell logging where enabled, including script block, module, and command invocation evidence
- Windows service control and service configuration change events
- Windows Security events relevant to logon context, privilege use, and token-related anomalies
- File system telemetry for high-volume file modification, encryption-like writes, suspicious renames, and file deletion
Detection direction
- Build detections around behavior chains rather than the Cuba name alone, because ATT&CK provides no official detection guidance and the malware uses common administrative interfaces.
- Tune discovery detections for bursts or unusual combinations of service, process, network configuration, network connection, file, directory, share, language, and storage enumeration on Windows systems.
- Correlate PowerShell or cmd execution with subsequent tool transfer, service creation or modification, service stopping, file deletion, and encryption-like file operations.
- Treat Windows service changes and service stop activity on critical servers as high-value ransomware precursors, while suppressing known maintenance windows and approved administrative tooling.
- Account for stealth blind spots: packed binaries, legitimate-looking names or locations, hidden windows, native API usage, and reflective code loading can reduce reliance on simple file names, hashes, or command-line-only rules.
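The behavior-chain correlation described in this list, as an added example that is not code from the ATT&CK object, Glexia, or the McAfee report: it scores constructed EDR-style events per host for a discovery burst followed, inside a time window, by a precursor (service change or stop, tool transfer, hidden PowerShell) and by bulk renames to the ".cuba" extension noted in the technique table. The log format, event kinds, hostnames and thresholds are assumptions; the technique IDs are those listed on this page.

```python
# Added example, not code from the ATT&CK object, Glexia or the McAfee report.
# Correlates constructed EDR-style events into the chain this page describes:
# discovery burst -> precursor -> encryption-like renames to ".cuba".
from collections import defaultdict
from datetime import datetime, timedelta

# Event kinds (assumed field values) mapped to the technique IDs listed on this page.
DISCOVERY = {"service_enum": "T1007", "process_enum": "T1057", "share_enum": "T1135",
             "arp_read": "T1016", "drive_enum": "T1680"}
PRECURSOR = {"service_modify": "T1543.003", "service_stop": "T1489",
             "tool_download": "T1105", "hidden_powershell": "T1564.003"}

def parse(line):
    """Constructed log format: '<ISO timestamp>|<host>|<event kind>|<detail>'."""
    ts, host, kind, detail = line.split("|", 3)
    return datetime.fromisoformat(ts), host, kind, detail

def chain_alerts(lines, window=timedelta(minutes=30), min_discovery=3, min_renames=20):
    """Return {host: sorted technique IDs} for hosts where at least min_discovery
    distinct discovery kinds are followed, inside `window`, by a precursor event
    and by >= min_renames renames to the '.cuba' extension. A host with a lone
    service lookup or a single service restart stays below the threshold."""
    by_host = defaultdict(list)
    for ev in map(parse, lines):
        by_host[ev[1]].append(ev)
    alerts = {}
    for host, events in by_host.items():
        events.sort()  # tuples sort by timestamp first
        disc = [e for e in events if e[2] in DISCOVERY]
        if len({e[2] for e in disc}) < min_discovery:
            continue  # routine admin enumeration does not form a burst
        start, end = disc[0][0], disc[0][0] + window
        later = [e for e in events if start <= e[0] <= end]
        pre = [e for e in later if e[2] in PRECURSOR]
        renames = [e for e in later if e[2] == "file_rename" and e[3].lower().endswith(".cuba")]
        if pre and len(renames) >= min_renames:
            ids = {DISCOVERY[e[2]] for e in disc} | {PRECURSOR[e[2]] for e in pre} | {"T1486"}
            alerts[host] = sorted(ids)
    return alerts

# Constructed sample: ws01 shows the full chain, fs02 only routine admin activity.
SAMPLE_EVENTS = [
    "2021-04-01T02:00:00|ws01|service_enum|QueryServiceStatus sweep",
    "2021-04-01T02:00:05|ws01|process_enum|process snapshot",
    "2021-04-01T02:00:09|ws01|share_enum|NetShareEnum",
    "2021-04-01T02:01:00|ws01|hidden_powershell|powershell.exe -WindowStyle Hidden",
    "2021-04-01T02:05:00|ws01|service_stop|MSSQLSERVER",
    "2021-04-01T03:00:00|fs02|service_enum|QueryServiceStatus",
    "2021-04-01T03:00:30|fs02|service_stop|Spooler",
] + [f"2021-04-01T02:06:{i:02d}|ws01|file_rename|D:\\data\\report{i}.xlsx.cuba" for i in range(25)]
```

Running `chain_alerts(SAMPLE_EVENTS)` flags only ws01 with the six technique IDs that make up its chain; fs02 never reaches the discovery threshold and produces no alert.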
Mitigation priorities
- Start with recovery resilience: tested offline or protected backups, restoration runbooks, and prioritization of critical Windows services and business systems.
- Reduce execution and scripting risk by constraining unnecessary PowerShell and command shell use, applying least privilege, and monitoring administrative tooling rather than blocking blindly.
- Harden Windows service control by limiting who can create, modify, or stop services and by reviewing service configurations on critical hosts.
- Improve identity and privilege controls around administrative accounts because access token manipulation and keylogging-related behaviors increase the value of strong credential hygiene and rapid credential reset procedures.
- Limit ransomware spread opportunities by reviewing network share exposure, SMB access, and segmentation for systems that hold critical operational data.
Analyst notes and limits
This take is based on the ATT&CK S0625 Cuba malware object, its Windows platform designation, the official description, the McAfee April 2021 reference listed by MITRE, and the supplied 'uses' relationships. The mapped relationships provide useful defensive planning context even though the malware object itself does not specify tactics and does not include ATT&CK detection text.
The supplied ATT&CK fields do not provide indicators, hashes, command examples for Cuba specifically, active campaign status, victim counts, attribution, or guaranteed detection logic. Several related technique descriptions list broad platform applicability, but the malware object itself is Windows-based, so environment-specific validation should focus on Windows unless local intelligence supports more. Local telemetry, asset criticality, and incident history are required to turn this into a precise coverage assessment.
Cuba
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1680 | Local Storage Discovery | Cuba can enumerate local drives, disk type, and disk free space. (Citation: McAfee Cuba April 2021) |
| Enterprise | T1543.003 | Windows Service Sub-technique | Cuba can modify services by using the |
| Enterprise | T1027.002 | Software Packing Sub-technique | Cuba has a packed payload when delivered. (Citation: McAfee Cuba April 2021) |
| Enterprise | T1106 | Native API | Cuba has used several built-in API functions for discovery like GetIpNetTable and NetShareEnum. (Citation: McAfee Cuba April 2021) |
| Enterprise | T1614.001 | System Language Discovery Sub-technique | Cuba can check if Russian language is installed on the infected machine by using the function |
| Enterprise | T1486 | Data Encrypted for Impact | Cuba has the ability to encrypt system data and add the ".cuba" extension to encrypted files. (Citation: McAfee Cuba April 2021) |
| Enterprise | T1135 | Network Share Discovery | Cuba can discover shared resources using the |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | Cuba has used |
| Enterprise | T1070.004 | File Deletion Sub-technique | Cuba can use the command |
| Enterprise | T1620 | Reflective Code Loading | Cuba loaded the payload into memory using PowerShell. (Citation: McAfee Cuba April 2021) |
| Enterprise | T1059.001 | PowerShell Sub-technique | Cuba has been dropped onto systems and used for lateral movement via obfuscated PowerShell scripts. (Citation: McAfee Cuba April 2021) |
| Enterprise | T1083 | File and Directory Discovery | Cuba can enumerate files by using a variety of functions. (Citation: McAfee Cuba April 2021) |
| Enterprise | T1105 | Ingress Tool Transfer | Cuba can download files from its C2 server. (Citation: McAfee Cuba April 2021) |
| Enterprise | T1056.001 | Keylogging Sub-technique | Cuba logs keystrokes via polling by using |
| Enterprise | T1027 | Obfuscated Files or Information | Cuba has used multiple layers of obfuscation to avoid analysis, including its Base64 encoded payload. (Citation: McAfee Cuba April 2021) |
| Enterprise | T1489 | Service Stop | Cuba has a hardcoded list of services and processes to terminate. (Citation: McAfee Cuba April 2021) |
| Enterprise | T1016 | System Network Configuration Discovery | Cuba can retrieve the ARP cache from the local system by using |
| Enterprise | T1049 | System Network Connections Discovery | Cuba can use the function |
| Enterprise | T1007 | System Service Discovery | Cuba can query service status using |
| Enterprise | T1057 | Process Discovery | Cuba can enumerate processes running on a victim's machine. (Citation: McAfee Cuba April 2021) |
| Enterprise | T1134 | Access Token Manipulation | Cuba has used |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | Cuba has been disguised as legitimate 360 Total Security Antivirus and OpenVPN programs. (Citation: McAfee Cuba April 2021) |
| Enterprise | T1564.003 | Hidden Window Sub-technique | Cuba has executed hidden PowerShell windows. (Citation: McAfee Cuba April 2021) |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 0fb4b28cc17d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] McAfee Cuba April 2021: Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021.
- [2] Cuba: (Citation: McAfee Cuba April 2021)
- [3] mitre-attack: S0625
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.