UNC2596 / Cuba Ransomware (also known as Tropical Scorpius) is a state-sponsored advanced persistent threat group attributed to likely Russian-speaking operators and active since 2019. The group primarily targets the critical infrastructure, financial and government sectors.
Overview & Attribution
Threat cluster operating Cuba ransomware with custom loaders and kernel driver exploits, targeting critical infrastructure and government organizations for double extortion.
UNC2596 has been active since 2019 and is attributed to likely Russian-speaking operators. The group is known for targeting critical infrastructure, financial and government organizations using a combination of custom malware, living-off-the-land techniques, and sophisticated social engineering.
- Attribution: Likely Russian-speaking
- Active since: 2019
- Primary targets: critical infrastructure, financial, government
- Also known as: Tropical Scorpius
Arsenal & Tools
UNC2596 employs a diverse arsenal of custom and shared tooling:
- Cuba ransomware: Encryption payload used for the double-extortion phase of operations (see T1486 below)
- BUGHATCH: Custom loader used to stage follow-on tooling
- Veeamp: Tool used to harvest credentials from Veeam backup software
- BURNTCIGAR: Driver-abusing utility used to terminate security tools (see T1562.001 below)
Targeting & Operations
The group focuses on the critical infrastructure, financial and government sectors, with operations spanning multiple geographic regions. Their campaigns typically involve carefully crafted spearphishing, strategic watering holes, and exploitation of public-facing applications.
UNC2596 is characterized by persistent, long-term access operations. Once inside a target network, the group establishes multiple redundant persistence mechanisms and moves laterally to high-value systems before beginning data exfiltration.
MITRE ATT&CK Mapping
| Tactic | Technique | Usage |
|---|---|---|
| Initial Access | T1190 Exploit Public-Facing App | ProxyShell/ProxyLogon exploitation |
| Execution | T1059.001 PowerShell | PowerShell post-exploitation |
| Privilege Escalation | T1068 Exploitation for Privilege Escalation | BYOVD kernel exploits |
| Defense Evasion | T1562.001 Disable Security Tools | BURNTCIGAR driver killer |
| Impact | T1486 Data Encrypted for Impact | Cuba ransomware encryption |
| Command and Control | T1071.001 Web Protocols | Cobalt Strike Beacon C2 |
Notable Campaigns
UNC2596 has been linked to multiple significant campaigns targeting critical infrastructure, financial and government organizations. The group continuously evolves its tooling and infrastructure to evade detection while maintaining persistent access to compromised networks.
- Long-term espionage: Multi-year intrusions into government and defense networks
- Supply chain targeting: Compromise of technology providers and managed service providers
- Zero-day exploitation: Use of previously unknown vulnerabilities for initial access
Detection & Defense
- Threat intelligence integration: Monitor for known UNC2596 IOCs and TTPs in SIEM/EDR platforms
- Network monitoring: Detect C2 patterns associated with Cuba ransomware and related tooling
- Email security: Implement advanced phishing detection for spearphishing campaigns
- Endpoint detection: Deploy behavioral detection rules for known UNC2596 TTPs
- Patch management: Prioritize patching of vulnerabilities known to be exploited by this group
- Lateral movement detection: Monitor for suspicious authentication patterns and admin tool usage
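As an added example (not part of the original profile), a behavioral rule a defender could run over endpoint telemetry for the BYOVD / T1562.001 driver-killer pattern in the table above: a driver loaded from an unusual path followed, on the same host and within a short window, by termination of security-product processes. Event fields, hostnames, process names and timestamps are constructed assumptions, not indicators from this page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:  # minimal Sysmon-style record; field names are assumptions
    ts: datetime
    event_id: int      # Sysmon: 6 = DriverLoad, 5 = ProcessTerminate
    host: str
    image: str         # driver path (ID 6) or terminated process path (ID 5)
    signature_status: str = ""  # "Valid" when the driver signature verified

# Legitimate drivers are rarely loaded from user-writable locations.
USER_WRITABLE_DIRS = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")
# Example security-product process names; extend for the EDR/AV in your estate.
SECURITY_PROCESSES = {"msmpeng.exe", "mssense.exe"}

def suspicious_driver_load(ev: Event) -> bool:
    """A BYOVD driver is usually validly signed, so path matters as much as signature."""
    if ev.event_id != 6:
        return False
    path = ev.image.lower()
    return ev.signature_status.lower() != "valid" or any(d in path for d in USER_WRITABLE_DIRS)

def detect_driver_killer(events, window=timedelta(minutes=5), min_kills=2):
    """Alert when a suspicious driver load on a host is followed within `window`
    by at least `min_kills` terminations of security-product processes."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(ev.host, []).append(ev)
    alerts = []
    for host, evs in by_host.items():
        for i, ev in enumerate(evs):
            if not suspicious_driver_load(ev):
                continue
            kills = [e.image for e in evs[i + 1:]
                     if e.event_id == 5 and e.ts - ev.ts <= window
                     and e.image.rsplit("\\", 1)[-1].lower() in SECURITY_PROCESSES]
            if len(kills) >= min_kills:
                alerts.append((host, ev.image, kills))
    return alerts

# Constructed sample telemetry: WS01 shows the driver-killer pattern, WS02 does not.
T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_EVENTS = [
    Event(T0, 6, "WS01", r"C:\Windows\System32\drivers\tcpip.sys", "Valid"),
    Event(T0 + timedelta(seconds=30), 6, "WS01", r"C:\Users\Public\vulnerable_driver.sys", "Valid"),
    Event(T0 + timedelta(seconds=60), 5, "WS01", r"C:\Program Files\Windows Defender\MsMpEng.exe"),
    Event(T0 + timedelta(seconds=65), 5, "WS01", r"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"),
    Event(T0 + timedelta(hours=2), 5, "WS01", r"C:\Program Files\Windows Defender\MsMpEng.exe"),
    Event(T0, 5, "WS02", r"C:\Program Files\Windows Defender\MsMpEng.exe"),
]
```

Because a vulnerable driver abused in a BYOVD chain typically carries a valid signature, pair this rule with a hash blocklist of known-vulnerable drivers rather than relying on signature checks alone.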
Defend Against UNC2596
Mjolnir Security provides specialized capabilities to detect and respond to UNC2596 operations.
- APT Threat Hunting Proactive hunting for UNC2596 TTPs, tooling artifacts, and infrastructure indicators within your environment.
- Threat Intelligence Continuous monitoring of UNC2596 campaigns and infrastructure changes with actionable intelligence for your defense team.
- 24/7 Incident Response Rapid containment and forensic investigation. Call +1 833 403 5875.