Cuba ransomware (Bonus: Decryption Steps) - Virus Removal Guide

Cuba virus Removal Guide

What is Cuba ransomware?

Cuba ransomware – a ransom-urging malware form that targets English-speaking people

Cuba malwareCuba ransomware is a file-encrypting cyber threat and ransom-demanding virus that targets English-speaking people

Cuba ransomware is a notorious parasite that uses the RSA-2048 encryption[1] cipher to lock up all the files and documents that are found on the infected Windows computer system. Users have been complaining about this malware adding the .cuba appendix to the filenames of the encrypted documents and including FIDEL.CA as the header of the files. Afterward, Cuba ransomware delivers the ransom note named !!FAQ for Decryption!!.txt or !!! ALL YOUR FILES ARE ENCRYPTED !!!.txt that is written in the English language. The criminals encourage the victims to contact them via email address and discuss all the conditions that are related to the ransom price and transfer process. These people also state that the victim's databases, ftp server, and file server were downloaded to their own servers.

Cuba ransomware tries to gather as many ransom payments as possible. The malware developers claim that the users should not rename their encrypted files or try to recover them with the help of other programs as this can result in permanent information loss. However, note that this type of information is false and using other software might help you to save your files. Nevertheless, you should think if it is worth paying the criminals as they can easily scam you.

Name Cuba ransomware
Type Ransomware/malware
Danger level High. The ransomware virus targets personal files and locks them by using a unique key. Also, it can include other malicious pieces of software such as trojans into the computer system
Encryption This piece of malware locks up valuable files and documents by employing the RSA-2048 encryption cipher. It might execute specific commands that search for encryptable components once in a while
Ransom note The infection provides the !!FAQ for Decryption!!.txt or !!! ALL YOUR FILES ARE ENCRYPTED !!!.txt ransom note that is written in the English language
Ransom demands Even though the cybercriminals do not provide particular ransom demands as more information should be revealed after contacting the crooks, these people are likely to urge for anything between $50 and $2000 in Bitcoin or another cryptocurrency that ensures the anonymity of the entire process
Contacts email address is provided as a way to contact the cybercriminals
Removal If you have been dealing with this cyber threat lately, you should take action against it as quickly as possible. For the deletion process, use trustworthy antimalware software only
Data recovery Paying the cybercriminals is not the best option as you can get scammed very easily. Rather than taking such a risk, you can travel to the end of this article where you will find some alternative data recovery tips
Fix tool If you have discovered any damaged areas on your Windows computer, you can try repairing them with a tool such as FortectIntego

Cuba virus does not provide any particular information related to the ransom demands. However, hackers can ask for a price anywhere from $50 to $2000 or even more. Besides, these people are likely to urge for a cryptocurrency transfer, mostly, Bitcoin. These types of payment processes do not require any personally-identifiable information and the cybercriminals can stay anonymous all the time. This is how the entire ransom message looks like:

Good day. All your files are encrypted. For decryption contact us.
Write here [ ]
We also inform that your databases, ftp server and file server were downloaded by us to our servers.

* Do not rename encrypted files.
* Do not try to decrypt your data using third party software,
it may cause permanent data loss.

Cuba ransomware developers cannot be trusted as they might seek to scam you. These people do not care about your needs as their main goal is to collect income from you and distribute their malicious creation towards others.

Cuba ransomware can include malicious processes in the Windows Task Manager and camouflage itself as a legitimate task so that it could remain unrecognized for a longer period of time. Furthermore, you might also see other directories filled with suspicious entries (Windows Registry) and malware-laden files (AppData folder, the User's folder, desktop, etc.).

Continuously, Cuba ransomware might run a module that scans the entire system for encryptable files once in a while to be sure that no components are missed and kept unlocked. The ransomware virus uses the RSA 2048-bit encryption system to lock up components with the .cuba appendix. For example, if you recently had a file named work.docx, it will be renamed to word.docx.cuba after the encryption process.

Cuba ransomwareCuba ransomware is a dangerous malware form that uses the RSA-2048 encryption cipher to lock up all the documents and files found on the infected Windows computer system

To harden the recovery of your files, Cuba ransomware might run the vssadmin.exe delete shadows /all /Quiet command via PowerShell service. This task allows permanently removing the Shadow Volume Copies of your locked files and you are disabled to use any type of data recovery software that requires the Shadow Copies to remain available.

Furthermore, Cuba ransomware might try to damage the Windows hosts file[2] to prevent the victim from accessing any security-related websites and forums where he/she might get reliable information on the malware removal process or some data recovery tips. Do not forget to eliminate the hosts file while you are uninstalling the ransomware virus, otherwise, the access will remain blocked.

Cuba ransomware stores both encryption and decryption keys on remote servers that are unreachable for anyone else except the developers themselves. However, this is still not a reason to pay the demanded ransom price. You can check other alternative data recovery techniques that our security experts have added to the end of this page.

Note that Cuba ransomware can be even more dangerous than expected. The malware can be capable of disabling the antivirus protection on the infected Windows computer and turning it vulnerable to other infections. This way you can get your device easily attacked by another ransomware or cyber threats such as trojans.

If you remove Cuba ransomware as soon as you see the first signs of the infection, you will have a bigger chance of avoiding additional malware appearance. The elimination process requires getting rid of all malicious content that has been added by the ransomware virus. For this purpose, employ only reliable security software.

After Cuba ransomware removal, you should try scanning your computer system and looking for possibly-damaged objects. If the malware has included other infections to your computer system, there might be some altered areas or software residing on it. If you are looking for a tool that could help you to fix things, you can try employing FortectIntego.

Cuba ransomware virusCuba ransomware is a malicious piece of software that can get delivered through cracked software, email spam, hacked RDP, malvertising, etc.

The delivery possibilities of malicious payload

Technology specialists from[3] claim that ransomware viruses are sneaky cyber threats that are hidden in software cracks that are loaded to peer-to-peer networks such as The Pirate Bay, eMule, and BitTorrent. You should avoid visiting these types of web sources and get all of your software and services from reliable developers only.

Furthermore, ransomware infections are intensively pushed through email spam messages and their malicious attachments that come in the format of word documents, excel sheets, and others. The criminals target random people by pretending to be from reliable healthcare, banking organizations, shipping companies, and other well-known firms.

You have to take your security seriously when it comes to email spam.[4] Always try to identify the sender (if the email address is not some type of a questionable one), check the message's text for possible grammar and style mistakes. Note that reliable companies would not send letters that are filled with writing mistakes. Also, do not open any unknown attachments. If you have already downloaded one, scan if with a malware detection tool at first.

Continuously, the malicious payload is delivered through hacked RDPs. The malware developers can easily access RDP that contains weak security passwords or none at all. So, it is very important to think of strong and reliable passwords that include different letters, symbols, and numbers. In addition, ransomware infections can also be spread through malvertising advertisements, infectious hyperlinks, exploit kits, fake flash player or JS updates.

Cuba ransomware removal instructions

If Cuba ransomware has shown up on your Windows computer system, you should deal with this cyber threat as soon as possible before it brings other malicious infections to your device. If you are having some trouble to detect this infection, it might be blocking your antivirus software. In order to diminish all malicious tasks that are executing on your computer, you should boot it to Safe Mode with Networking or activate the System Restore feature as shown below.

Afterward, you can continue with the Cuba ransomware removal process. It is best to use a trustworthy product as manual elimination includes the risk of making more damage to your computer system or skipping some crucial components that need to be deleted, otherwise, the ransomware infection will show up soon again.

When you remove Cuba ransomware from your Windows PC, you should check the entire system for possible damage that might have been brought by the malware. Accomplish such a task by scanning the entire machine with [d2[ or Malwarebytes. If these products find any corrupted areas, you can try fixing them with repair software such as FortectIntego.

do it now!
Fortect Happiness
Intego Happiness
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.
Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Getting rid of Cuba virus. Follow these steps

Manual removal using Safe Mode

To deactivate all of the malicious changes on your Windows computer system and disable the ransomware virus, you should boot the System in Safe Mode with Networking. The entire process is explained below:

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list. Windows 7/XP
Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
  2. Scroll down to pick Update & Security.
    Update and security
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
  6. Select Troubleshoot. Choose an option
  7. Go to Advanced options. Advanced options
  8. Select Startup Settings. Startup settings
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking. Enable safe mode

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
    Open task manager
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
    Open file location
  5. Go back to the process, right-click and pick End Task.
    End task
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
    Disk cleanup
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
    Delete temp files
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):


After you are finished, reboot the PC in normal mode.

Remove Cuba using System Restore

To diminish malicious settings on your Windows device and bring it back to its previous position, opt for the System Restore feature. If you do not know how to complete this type of step, look at the following guide:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Cuba. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with FortectIntego and make sure that Cuba removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Cuba from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by Cuba, you can use several methods to restore them:

Employing Data Recovery Pro might help you to restore some of your files.

If you have been looking for something that would help you to restore some of your files back to their previous positions, you can try employing this piece of software.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Cuba ransomware;
  • Restore them.

Use Windows Previous Versions feature to recover data.

If you have enabled the System Restore function in the past, this method might seem very useful to you. However, you have to complete every step exactly as required in order to reach the best results possible.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

The Shadow Explorer tool might help you to recover some components.

Try using this software if the ransomware virus has made an effect on your files and documents. Keep in mind that this method will not work properly if the malware had erased the Shadow Volume Copies of your encrypted files.

  • Download Shadow Explorer (;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Cybersecurity experts are currently working on the decryption key.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Cuba and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting ransomware

Stream videos without limitations, no matter where you are

There are multiple parties that could find out almost anything about you by checking your online activity. While this is highly unlikely, advertisers and tech companies are constantly tracking you online. The first step to privacy should be a secure browser that focuses on tracker reduction to a minimum.

Even if you employ a secure browser, you will not be able to access websites that are restricted due to local government laws or other reasons. In other words, you may not be able to stream Disney+ or US-based Netflix in some countries. To bypass these restrictions, you can employ a powerful Private Internet Access VPN, which provides dedicated servers for torrenting and streaming, not slowing you down in the process.

Data backups are important – recover your lost files

Ransomware is one of the biggest threats to personal data. Once it is executed on a machine, it launches a sophisticated encryption algorithm that locks all your files, although it does not destroy them. The most common misconception is that anti-malware software can return files to their previous states. This is not true, however, and data remains locked after the malicious payload is deleted.

While regular data backups are the only secure method to recover your files after a ransomware attack, tools such as Data Recovery Pro can also be effective and restore at least some of your lost data.

About the author
Ugnius Kiguolis
Ugnius Kiguolis - The mastermind

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Ugnius Kiguolis
About the company Esolutions