Skip to main content

Home Cuba


  • Also known as: COLDDRAW, Fidel
  • Category: Malware
  • Type: Ransomware
  • Platform: Windows
  • Variants: -
  • Damage potential: Unauthorized access, data theft, installation of undesirable software, malware infection, file corruption and loss, stolen keystrokes, system performance issues, network connectivity problems, browser interference. 


Cuba ransomware is a cyber threat that first appeared in 2019 and has been actively involved in numerous high-profile attacks globally in the last few years. It primarily targets organizations involved in critical infrastructure, such as manufacturing, healthcare, financial services, and governance. 

Possible symptoms

If your device is ever infected with ransomware, you’ll know about it. Your device will be locked, and you’ll get a ransom message. You can recognize Cuba ransomware from its Cuban theme, even though cybersecurity researchers suspect Cuba was created in Russia.

The message will tell you to contact the attackers via the email address provided and warn you that stopping encryption or trying to decrypt the process will damage your data. 

Other symptoms of Cuba ransomware may include:

  • You’ll find files with the .cuba extension. 
  • You’ll be unable to open files you could previously. 
  • Your security programs will be disabled.
  • You’ll likely find a “!!FAQ for Decryption!!.txt” file on your desktop.

Sources of the infection

Like most ransomware, Cuba is packaged and delivered to a device via dropper malware, specifically Hancitor loader malware. It can infect your device through a phishing campaign, unpatched software vulnerabilities, or use stolen credentials to access the network.


Cuba ransomware is constantly evolving, so protecting against it is not always as straightforward as it is with other types of malware. Keeping your software, including your antivirus, up-to-date is crucial. Other ways to protect against the Cuba ransomware include:

  • Use two-factor or multi-factor authentication. This ransomware often uses stolen credentials to access the victim’s network, so it’s important to use additional measures to protect your accounts.
  • Disabling redundant services, command-line, and scripting on employee devices. Limiting permissions on your devices will limit Cuba’s ability to spread across your network.  
  • Do not open links and attachments before you check with the sender. Attackers use stolen credentials to spread malware to the victim’s contacts on social media and email. 
  • Download software updates only from official sources. All malware can be spread through pirated software and fake updates. 
  • Create backups. If you feel like ransomware in your industry is a significant risk, make sure to keep regular backups, preferably more than one copy, in another device or network.  
  • Use Threat Protection Pro. NordVPN’s Threat Protection Pro could prevent Cuba ransomware by scanning files for malware before they’re downloaded. 


To remove Cuba ransomware, make sure to first disconnect your device from your network. Once it’s isolated, restart the device in Safe mode and run a system scan with your antivirus. If you’ve removed the malware from your device successfully, use backups to restore your system.