Skip to main content
Microsoft Security Intelligence
Published May 27, 2022 | Updated Jun 03, 2022


Detected by Microsoft Defender Antivirus

Aliases: No associated aliases


Microsoft Defender Antivirus detects and protects this threat.

This ransomware encrypts the data on your disk and can stop you from using your device or accessing your data. It encrypts files, renders them inaccessible, and demands payment for the decryption key.

Cuba is a family of ransomware tracked as DEV-0671, which uses a combination of Exchange vulnerabilities, PowerShell scripts, and legitimate remote management software to deploy the ransomware payload onto compromised device. Cuba ransomware, like many other Ransomware-as-a-Service (RaaS) groups, encrypts files, exfiltrates data, and threatens to release them if the ransom demand is not met.

For more information about ransomware, read this article:

There is no one-size-fits-all response if you have been targeted by ransomware. To recover files, you can restore backups. There is no guarantee that paying the ransom will give you access to your files.

Microsoft Defender Antivirus automatically removes threats as they are detected. If you have cloud-delivered protection, your device gets the latest defenses against new and unknown threats. If you don't have this feature enabled, update your antimalware definitions and run a full scan to remove this threat.

  • Immediately isolate the affected device, and any additional device with Cuba ransomware-related alerts. If Cuba ransomware has been launched, it is likely that the device is under complete attacker control
  • Identify the accounts that have been used on the affected device and consider these accounts compromised. Reset passwords or decommission the accounts
  • Investigate how the affected endpoint might have been compromised. Check for the presence of other malware
  • Investigate the device timeline for indications of lateral movement activities using one of the compromised accounts
  • Initiate an incident response process, focusing on responding to possible data exfiltration and ransomware deployment, both of which attackers might have already performed. Contact your incident response team. If you don't have one, contact Microsoft support for investigation and remediation services

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.