Cuba ransomware group claims attack on Montenegro government
The double extortion specialists claim to have stolen the data days before Montenegro announced a sustained and co-ordinated series of cyber attacks targeting it from Russia


The Cuba ransomware group has claimed an attack on Montenegro’s government which reported last week that it was facing Russia-linked cyber attacks.
It claimed to have received the files belonging to the Montenegrin government’s Department for Public Relations on 19 August 2022.
The files allegedly contained information such as financial documents, correspondence with bank employees, balance sheets, tax documents, compensation, and source code.
IT Pro has not been able to verify the legitimacy of the files since Cuba’s download link appears to be broken at the time of writing.
Montenegro’s Agency for National Security (ANB) said on Saturday that it was “under a hybrid war at the moment” days after its public administration minister tweeted that “certain services” had been taken offline amid ‘multiple’ cyber attacks.
The minister, Maras Dukaj, on Thursday also likened the “series of cyber attacks” to those sustained in 2015 and 2016 in the country.
Dukaj did not explicitly define which attacks he was referring to, but he may have been referring to the Russia-linked cyber attacks targeting the nation before it joined NATO in 2017.
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
The Montenegrin ANB website is also currently unreachable at the time of writing, as is the website for the Department for Public Relations which Cuba has claimed to have successfully breached.
Montenegro was once considered a pro-Russia ally but since it joined NATO in 2017, it has been considered an enemy of the country that’s now invading Ukraine.
Russia also added Montenegro to its list of ‘enemy states’ alongside other Western allies such as the UK and other nations that publicly oppose the Kremlin’s goals.
Coordinated Russian services are behind the cyber attack,” the ANB said in a statement to Associated Press. “This kind of attack was carried out for the first time in Montenegro and it has been prepared for a long period of time.”
Government official Dusan Polovic said, “I can say with certainty that this attack that Montenegro is experiencing these days comes directly from Russia.”
The cyber attacks appear to be targeting a broad selection of public entities in the country, including government services, and transportation and telecommunications sectors, its government said.
A number of the government’s servers have been targeted but the attacks so far have not resulted in any damage or data loss.
Who is behind the Cuba ransomware gang?
Very few cyber security companies have been confident enough to attribute the ransomware organisation to a specific country, however, Profero is one to have linked it to Russia.
The company said it has observed the Russian language on its website and during its negotiations with victims.
Cuba’s current ransomware leak site is written entirely in English, although some minor spelling and grammar issues can be observed.
RELATED RESOURCE
Escape the ransomware maze
Conventional endpoint protection tools just aren’t the best defence anymore
The US Federal Bureau of Investigation (FBI) said in a 2021 report that the group had compromised at least 49 organisations, including target operating critical infrastructure, netting nearly $50 million (£43 million) in revenue.
The double extortion ransomware group is thought to have targeted organisations in Europe, North and South America, and Asia in the past and experienced a resurgence between March and April 2022, according to Trend Micro.
Cuba ransomware is often delivered as a final-stage payload in cyber attacks involving the Hancitor malware downloader in email-based attack campaigns.
Additional tools often associated with these attacks are the use of the Mimikatz credential-stealing malware and the oft-abused Cobalt Strike penetration testing toolkit.

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.
-
Can the UK ban ransomware payments?
ITPro Podcast Attempts to cut off ransomware group profits could instead harm businesses
-
Intel to axe 24,000 roles, cancels factory plans in sweeping cost-cutting move
News Despite better than expected revenue in its Q2 results, the chip giant is targeting a leaner operation
-
The ransomware boom shows no signs of letting up – and these groups are causing the most chaos
News Thousands of ransomware cases have already been posted on the dark web this year
-
Everything we know about the Ingram Micro cyber attack so far
News A cyber attack on Ingram Micro severely disrupted operations and has been claimed by the SafePay ransomware group.
-
A prolific ransomware group says it’s shutting down and giving out free decryption keys to victims – but cyber experts warn it's not exactly a 'gesture of goodwill'
News The Hunters International ransomware group is rebranding and switching tactics
-
Swiss government data published following supply chain attack – here’s what we know about the culprits
News Radix, a non-profit organization in the health promotion sector, supplies a number of federal offices, whose data has apparently been accessed.
-
Ransomware victims are getting better at haggling with hackers
News While nearly half of companies paid a ransom to get their data back last year, victims are taking an increasingly hard line with hackers to strike fair deals.
-
LockBit data dump reveals a treasure trove of intel on the notorious hacker group
News An analysis of May's SQL database dump shows how much LockBit was really making
-
‘I take pleasure in thinking I can rid society of at least some of them’: A cyber vigilante is dumping information on notorious ransomware criminals – and security experts say police will be keeping close tabs
News An anonymous whistleblower has released large amounts of data allegedly linked to the ransomware gangs
-
It's been a bad week for ransomware operators
News A host of ransomware strains have been neutralized, servers seized, and key players indicted