GOLD FLAMINGO
SUMMARY
GOLD FLAMINGO is a financially motivated cybercriminal threat group responsible for the creation and ongoing operation of Cuba ransomware. Cuba ransomware was first reported in late 2019 and has operated a name-and-shame leak site since at least 2020. In December 2021, the U.S. Federal Bureau of Investigation reported that GOLD FLAMINGO had compromised at least 49 organizations, accumulating around $44 million in ransom payments. From August 2022 to May 2023, the data of 26 organizations was published on Cuba's leak site.
GOLD FLAMINGO initially delivered Cuba ransomware via Chanitor (aka Hancitor) spam campaigns but as of early 2022 was using exploitation of Microsoft Exchange servers as the initial access vector. Other tools used by GOLD FLAMINGO include Cobalt Strike Beacon and ROMCOM RAT for command and control, Mimikatz and Meterpreter for credential harvesting, and RDP for lateral movement and remote access.
Once deployed, Cuba uses a combination of ChaCha20 and RSA algorithms to encrypt files, appending a ".cuba" extension to the files and adding a file header "FIDEL.CA." The ransom note is titled "!!FAQ for Decryption!!.txt". Files excluded from the encryption process include .exe, .dll, .sys, .ini, and .cuba. Cuba terminates processes and services associated with Microsoft Exchange, SQL Server, and virtual machines to increase.
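As an added defensive example (not code from the original profile), the following Python triage script walks a directory tree and classifies files using the indicators described above: the ".cuba" extension, the "FIDEL.CA" file header (matched as a prefix, so it is found whether or not the trailing period in the quoted header is part of the marker), the ransom note name, and the extensions the ransomware skips. The sample tree it builds is constructed data, not material from a real incident.

```python
import tempfile
from pathlib import Path

# Indicators as described in the profile. The header is matched as a prefix so
# that "FIDEL.CA" with or without a trailing period is caught.
CUBA_EXTENSION = ".cuba"
CUBA_HEADER_PREFIX = b"FIDEL.CA"
RANSOM_NOTE_NAME = "!!FAQ for Decryption!!.txt"
EXCLUDED_EXTENSIONS = {".exe", ".dll", ".sys", ".ini", ".cuba"}


def classify_file(path: Path) -> str:
    """Return one of: ransom_note, encrypted, marked, excluded, clean."""
    if path.name == RANSOM_NOTE_NAME:
        return "ransom_note"
    with path.open("rb") as fh:
        head = fh.read(len(CUBA_HEADER_PREFIX))  # short/empty files are fine
    has_marker = head.startswith(CUBA_HEADER_PREFIX)
    if path.suffix.lower() == CUBA_EXTENSION and has_marker:
        return "encrypted"
    if has_marker:
        return "marked"  # header present but no .cuba extension: review by hand
    if path.suffix.lower() in EXCLUDED_EXTENSIONS:
        return "excluded"  # extension the ransomware leaves alone
    return "clean"


def scan_tree(root: Path) -> dict:
    """Count files in each category across the whole tree under root."""
    counts = {k: 0 for k in ("ransom_note", "encrypted", "marked", "excluded", "clean")}
    for p in root.rglob("*"):
        if p.is_file():
            counts[classify_file(p)] += 1
    return counts


def build_sample_tree() -> Path:
    """Constructed sample data (hypothetical, not from a real incident)."""
    root = Path(tempfile.mkdtemp(prefix="cuba_triage_"))
    (root / "report.docx.cuba").write_bytes(b"FIDEL.CA" + b"\x00" * 16)
    (root / "sub").mkdir()
    (root / "sub" / "budget.xlsx.cuba").write_bytes(b"FIDEL.CA." + b"\x11" * 8)
    (root / "sub" / RANSOM_NOTE_NAME).write_text("constructed note text")
    (root / "app.exe").write_bytes(b"MZ" + b"\x00" * 30)
    (root / "notes.txt").write_text("ordinary file")
    return root


if __name__ == "__main__":
    print(scan_tree(build_sample_tree()))
```

Point `scan_tree` at a mounted forensic image or a suspect share to get a quick count of encrypted files and ransom notes before deeper analysis.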
In August 2022, the government of Montenegro announced that Cuba ransomware had been deployed against its systems, including those of the national parliament. In October 2022, the Ukrainian CERT (CERT-UA) reported targeting of state organizations through spam email campaigns, which it attributed to GOLD FLAMINGO. Despite these high-profile attacks, the comparatively small number of publicly known Cuba ransomware incidents has impacted victims in geographies and industries similar to those hit by other ransomware families. In May 2023, researchers from BlackBerry asserted that Cuba is "a group working for the Russian government targeting Ukrainian military units and local governments." CTU researchers are unable to corroborate any findings of government direction of GOLD FLAMINGO or its affiliates.