IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Cuba ransomware group claims attack on Montenegro government

The double extortion specialists claim to have stolen the data days before Montenegro announced a sustained and co-ordinated series of cyber attacks targeting it from Russia

The Cuba ransomware group has claimed an attack on Montenegro’s government which reported last week that it was facing Russia-linked cyber attacks.

It claimed to have received the files belonging to the Montenegrin government’s Department for Public Relations on 19 August 2022.

The files allegedly contained information such as financial documents, correspondence with bank employees, balance sheets, tax documents, compensation, and source code.

IT Pro has not been able to verify the legitimacy of the files since Cuba’s download link appears to be broken at the time of writing.

Montenegro’s Agency for National Security (ANB) said on Saturday that it was “under a hybrid war at the moment” days after its public administration minister tweeted that “certain services” had been taken offline amid ‘multiple’ cyber attacks.

The minister, Maras Dukaj, on Thursday also likened the “series of cyber attacks” to those sustained in 2015 and 2016 in the country.

Dukaj did not explicitly define which attacks he was referring to, but he may have been referring to the Russia-linked cyber attacks targeting the nation before it joined NATO in 2017.

The Montenegrin ANB website is also currently unreachable at the time of writing, as is the website for the Department for Public Relations which Cuba has claimed to have successfully breached.

Montenegro was once considered a pro-Russia ally but since it joined NATO in 2017, it has been considered an enemy of the country that’s now invading Ukraine.

Russia also added Montenegro to its list of ‘enemy states’ alongside other Western allies such as the UK and other nations that publicly oppose the Kremlin’s goals.

Coordinated Russian services are behind the cyber attack,” the ANB said in a statement to Associated Press. “This kind of attack was carried out for the first time in Montenegro and it has been prepared for a long period of time.”

Government official Dusan Polovic said, “I can say with certainty that this attack that Montenegro is experiencing these days comes directly from Russia.”

The cyber attacks appear to be targeting a broad selection of public entities in the country, including government services, and transportation and telecommunications sectors, its government said.

A number of the government’s servers have been targeted but the attacks so far have not resulted in any damage or data loss.

Who is behind the Cuba ransomware gang?

Very few cyber security companies have been confident enough to attribute the ransomware organisation to a specific country, however, Profero is one to have linked it to Russia.

The company said it has observed the Russian language on its website and during its negotiations with victims. 

Cuba’s current ransomware leak site is written entirely in English, although some minor spelling and grammar issues can be observed.

Related Resource

Escape the ransomware maze

Conventional endpoint protection tools just aren’t the best defence anymore

Whitepaper cover with overhead image of a man sat at a deska with a computer in the centre of a maze in the shadowsFree Download

The US Federal Bureau of Investigation (FBI) said in a 2021 report that the group had compromised at least 49 organisations, including target operating critical infrastructure, netting nearly $50 million (£43 million) in revenue.

The double extortion ransomware group is thought to have targeted organisations in Europe, North and South America, and Asia in the past and experienced a resurgence between March and April 2022, according to Trend Micro.

Cuba ransomware is often delivered as a final-stage payload in cyber attacks involving the Hancitor malware downloader in email-based attack campaigns.

Additional tools often associated with these attacks are the use of the Mimikatz credential-stealing malware and the oft-abused Cobalt Strike penetration testing toolkit.

Featured Resources

2022 State of the multi-cloud report

What are the biggest multi-cloud motivations for decision-makers, and what are the leading challenges

Free Download

The Total Economic Impact™ of IBM robotic process automation

Cost savings and business benefits enabled by robotic process automation

Free Download

Multi-cloud data integration for data leaders

A holistic data-fabric approach to multi-cloud integration

Free Download

MLOps and trustworthy AI for data leaders

A data fabric approach to MLOps and trustworthy AI

Free Download


Ransomware now strikes one in 40 organisations per week, Check Point finds

Ransomware now strikes one in 40 organisations per week, Check Point finds

27 Jul 2022
What is cyber warfare?

What is cyber warfare?

20 May 2022
Darktrace AI’s Antigena helps stop ransomware attack at Dordogne GHT

Darktrace AI’s Antigena helps stop ransomware attack at Dordogne GHT

13 Apr 2022

Most Popular

Empowering employees to truly work anywhere

Empowering employees to truly work anywhere

22 Nov 2022
Salesforce co-CEO Bret Taylor resigns with cryptic parting message
Business operations

Salesforce co-CEO Bret Taylor resigns with cryptic parting message

1 Dec 2022
The top 12 password-cracking techniques used by hackers

The top 12 password-cracking techniques used by hackers

14 Nov 2022