GOLD FLAMINGO
SUMMARY
GOLD FLAMINGO is a financially motivated cybercriminal threat group responsible for operating Cuba ransomware. Cuba ransomware was first reported in late 2019 and has featured a name-and-shame leak site since at least 2020. In December 2021, the U.S. Federal Bureau of Investigation reported that GOLD FLAMINGO had compromised at least 49 organizations, accumulating around $44 million in ransom payments. The group continued to be busy through 2022 but the rate of victim naming steadily dropped throughout 2023, with apparent gaps in activity lasting as long as three months. The last victim was posted to the Cuba ransomware leak site in early February 2024.
GOLD FLAMINGO initially delivered Cuba ransomware via Chanitor (aka Hancitor) spam campaigns but as of early 2022 was using exploitation of Microsoft Exchange servers as the initial access vector. Other tools used by GOLD FLAMINGO include Cobalt Strike Beacon and ROMCOM RAT for command and control, Mimikatz and Meterpreter for credential harvesting, and RDP for lateral movement and remote access.
Once deployed, Cuba uses a combination of ChaCha20 and RSA algorithms to encrypt files, appending a ".cuba" extension to the files and adding a file header "FIDEL.CA". The ransom note is titled "!!FAQ for Decryption!!.txt". Files excluded from the encryption process include .exe, .dll, .sys, .ini, and .cuba. Cuba terminates processes and services associated with Microsoft Exchange, SQL Server, and virtual machines to increase.
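As an added illustration (not code from the Secureworks profile), the following Python triage helper walks a file tree for the three on-disk artefacts described above: the ".cuba" extension, the "FIDEL.CA" marker, and the ransom note name. It assumes the marker sits at the very start of an encrypted file, and the sample tree it builds is constructed for a dry run, not real artefacts.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the profile text above. Assumption: the "FIDEL.CA"
# marker is written at the start of each encrypted file.
CUBA_EXTENSION = ".cuba"
CUBA_HEADER = b"FIDEL.CA"
RANSOM_NOTE = "!!FAQ for Decryption!!.txt"


def has_cuba_header(path) -> bool:
    """Return True if the file begins with the FIDEL.CA marker."""
    try:
        with Path(path).open("rb") as fh:
            return fh.read(len(CUBA_HEADER)) == CUBA_HEADER
    except OSError:
        return False


def triage_tree(root: str) -> dict:
    """Walk `root` and bucket Cuba artefacts to scope an incident quickly.
    Directories holding a ransom note usually map to the shares that were hit."""
    result = {"encrypted": [], "header_only": [], "notes": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if name == RANSOM_NOTE:
                result["notes"].append(str(p))
            elif name.lower().endswith(CUBA_EXTENSION):
                result["encrypted"].append(str(p))
            elif has_cuba_header(p):
                # Marker present but extension missing: renamed or partial file.
                result["header_only"].append(str(p))
    return result


def build_sample_tree() -> str:
    """Create a constructed sample tree (placeholder bytes, not real artefacts)."""
    root = tempfile.mkdtemp(prefix="cuba_triage_")
    share = Path(root) / "finance"
    share.mkdir()
    (share / "q1.xlsx.cuba").write_bytes(CUBA_HEADER + b"\x00" * 64)
    (share / "renamed.bin").write_bytes(CUBA_HEADER + b"\x01" * 16)
    (share / "report.docx").write_bytes(b"PK\x03\x04 untouched")
    (share / RANSOM_NOTE).write_text("constructed note placeholder\n")
    return root
```

Run `triage_tree(build_sample_tree())` to see the three buckets; point `triage_tree` at a mounted share or forensic image to use it for real.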
In October 2022, the Ukrainian CERT (CERT-UA) reported targeting of state organizations through spam email campaigns that delivered ROMCOM RAT in likely Russian state-sponsored offensive cyber espionage operations. Other vendors also reported on similar activity. In May 2023, researchers from Blackberry asserted Cuba is "a group working for the Russian government targeting Ukrainian military units and local governments." However, there is no evidence suggesting Cuba ransomware had been deployed in these reported attacks and CTU researchers are unable to corroborate any findings of government direction of GOLD FLAMINGO or its affiliates.
Despite targeting some European government entities with Cuba ransomware, including the national parliament of Montenegro in August 2022, the comparatively small number of publicly known Cuba ransomware incidents have generally impacted victims in geographies and industries similar to those hit by other ransomware families that are operated purely for financial gain. It is possible that GOLD FLAMINGO has engaged in both state-sponsored cyber espionage activity and cybercriminal ransomware deployments, but it is also plausible that the ROMCOM RAT tool is used by more than one group with different motivations.