REF9019

ref9019 refers to an organized, financially motivated ransomware and extortion group associated with Cuba Ransomware. Reported targeting includes small and medium-sized retailers as well as North American and European retailers and manufacturers. The group steals sensitive information and uses a "name and shame" extortion model in addition to ransomware encryption. Observed activity was traced to Windows servers running Microsoft Exchange Server, with reporting noting behavior consistent with exploitation of Exchange vulnerabilities including ProxyLogon and prior reporting citing ProxyLogon and ProxyShell for initial access, although the initial access vector was not definitively confirmed. Post-compromise activity included creation of a hidden local user named Mysql, addition of that account to Administrators and Remote Desktop Users, and enabling RDP for persistence and access. Tooling and tradecraft directly mentioned include Metasploit Meterpreter, SystemBC, GoToAssist, NetSupport Manager, Cobalt Strike, BUGHATCH, Mimikatz, PsExec, and DefenderControl. Elastic reported SystemBC was used as a SOCKS5 backdoor capable of communicating over Tor; NetSupport Manager and GoToAssist were used as remote access tooling; Cobalt Strike beacon infrastructure used image-like URLs for C2; and BUGHATCH was launched via PowerShell stagers that downloaded Agent32.bin. Credential theft included SAM hash dumping via Meterpreter and use of Mimikatz SEKURLSA::LogonPasswords. Privilege escalation attempts included use of zero.exe to exploit Zerologon against a domain controller. Lateral movement and remote execution included PsExec. Defense evasion included disabling Microsoft Defender with DefenderControl and maintaining it via a scheduled task. The campaign also involved data exfiltration to support extortion before deployment of Cuba ransomware. The content also states BUGHATCH is associated with Cuba ransomware and referenced by Mandiant as part of UNC2596 reporting.