Ransomware Roundup - Underground

Sept. 2, 2024, 4:40 p.m.

Description

Underground ransomware, first observed in July 2023, targets Windows machines, encrypting files and demanding a ransom for their recovery. It is attributed to the Russia-based RomCom group, which has used CVE-2023-36884 for initial access alongside more common infection vectors such as phishing. Before encrypting, the ransomware deletes volume shadow copies to hinder recovery, modifies Remote Desktop settings, and stops the Microsoft SQL Server service so that database files can be overwritten. It drops a ransom note and encrypts files without changing their extensions, so encrypted files cannot be identified by name alone. The group's data leak site listed 16 victims across a range of industries and countries. FortiGuard Labs protects against this threat through antivirus detection and other security solutions.
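The three pre-encryption actions described above (shadow copy deletion, Remote Desktop changes, stopping SQL Server) are all visible in process-creation telemetry before any file is damaged, which makes them a better hunting signal than the encrypted files themselves, whose names do not change. The script below is an added example written for this page, not FortiGuard code. It runs simple command-line rules over Windows process-creation events exported as JSON lines (the field names host/time/user/cmdline are an assumed export format), checks a SHA-256 against the hashes published in this roundup, and only raises a host to an alert when at least two of the behaviours occur together within a short window, so a lone administrator stopping SQL Server for maintenance does not page anyone. The command-line patterns are assumptions about how these behaviours are usually carried out; the roundup names the behaviours, not the exact commands. The sample events are constructed.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# SHA-256 hashes listed under Indicators in this roundup.
KNOWN_SAMPLES = {
    "9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f",
    "9d41b2f7c07110fb855c62b5e7e330a597860916599e73dd3505694fd1bbe163",
    "9543f71d7c4e394223c9d41ccef71541e1f1eb0cc76e8fa0f632b8365069af64",
    "d4a847fa9c4c7130a852a2e197b205493170a8b44426d9ec481fc4b285a92666",
}

# Assumed command lines for the behaviours described in the roundup.
# The roundup does not quote the exact commands; these are the usual ways
# to obtain each effect on Windows.
RULES = {
    "T1490 shadow copy deletion": re.compile(
        r"\b(vssadmin(\.exe)?\s+delete\s+shadows"
        r"|wmic(\.exe)?\s+shadowcopy\s+delete"
        r"|Win32_ShadowCopy.*\.Delete\(\))", re.I),
    "T1112 Remote Desktop policy change": re.compile(
        r"\breg(\.exe)?\s+add\s+.*\\Terminal Services\b", re.I),
    "MS SQL Server service stop": re.compile(
        r"\b(net1?(\.exe)?|sc(\.exe)?)\s+stop\s+\"?MSSQL", re.I),
}


def is_known_sample(sha256_hex: str) -> bool:
    """True if a file hash matches one of the published indicators."""
    return sha256_hex.strip().lower() in KNOWN_SAMPLES


def scan(lines):
    """Return one hit per (event, rule) match from JSON-lines process events."""
    hits = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        cmd = ev.get("cmdline", "")
        for name, rx in RULES.items():
            if rx.search(cmd):
                hits.append({"host": ev["host"], "time": ev["time"],
                             "user": ev.get("user"), "rule": name, "cmdline": cmd})
    return hits


def triage(hits, window_minutes=30, min_rules=2):
    """Map host -> sorted rule names for hosts where at least `min_rules`
    distinct rules fired within `window_minutes` of each other."""
    by_host = defaultdict(list)
    for h in hits:
        by_host[h["host"]].append(h)
    flagged = {}
    for host, hs in by_host.items():
        hs.sort(key=lambda h: h["time"])
        for i, first in enumerate(hs):
            t0 = datetime.fromisoformat(first["time"])
            window = timedelta(minutes=window_minutes)
            rules = {h["rule"] for h in hs[i:]
                     if datetime.fromisoformat(h["time"]) - t0 <= window}
            if len(rules) >= min_rules:
                flagged[host] = sorted(rules)
                break
    return flagged


# Constructed sample events: WS-07 shows all three behaviours in sequence;
# SRV-02 shows routine DBA/backup activity that must not be escalated.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"host": "WS-07", "time": "2024-08-30T09:14:02", "user": "CORP\\jdoe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS-07", "time": "2024-08-30T09:14:05", "user": "CORP\\jdoe",
     "cmdline": "reg.exe add \"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT"
                "\\Terminal Services\" /v MaxDisconnectionTime /t REG_DWORD /d 0 /f"},
    {"host": "WS-07", "time": "2024-08-30T09:14:09", "user": "CORP\\jdoe",
     "cmdline": "net stop MSSQLSERVER"},
    {"host": "SRV-02", "time": "2024-08-30T02:00:01", "user": "CORP\\dba-svc",
     "cmdline": "net stop MSSQLSERVER"},
    {"host": "SRV-02", "time": "2024-08-30T02:05:00", "user": "CORP\\backup",
     "cmdline": "vssadmin.exe list shadows"},
]]

if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for h in found:
        print(h["host"], h["time"], h["rule"], "<-", h["cmdline"])
    print("alerts:", triage(found))
```

Only the combined WS-07 sequence is escalated; SRV-02's single service stop is recorded as a hit but not alerted. In production the same rules would be fed from Sysmon Event ID 1 or Security Event ID 4688 with command-line auditing enabled, and a hit on any host should trigger an isolation decision quickly, since encryption follows these steps within seconds.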

Date

  • Created: Sept. 2, 2024, 4:21 p.m.
  • Published: Sept. 2, 2024, 4:21 p.m.
  • Modified: Sept. 2, 2024, 4:40 p.m.

Indicators (SHA-256 file hashes)

  • 9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f
  • 9d41b2f7c07110fb855c62b5e7e330a597860916599e73dd3505694fd1bbe163
  • 9543f71d7c4e394223c9d41ccef71541e1f1eb0cc76e8fa0f632b8365069af64
  • d4a847fa9c4c7130a852a2e197b205493170a8b44426d9ec481fc4b285a92666

Attack Patterns

  • Underground (ransomware family)
  • RomCom (threat actor)
  • T1543.003 Create or Modify System Process: Windows Service
  • T1070.001 Indicator Removal: Clear Windows Event Logs
  • T1132.001 Data Encoding: Standard Encoding
  • T1490 Inhibit System Recovery
  • T1074 Data Staged
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell
  • T1071.001 Application Layer Protocol: Web Protocols
  • T1562.001 Impair Defenses: Disable or Modify Tools
  • T1204.002 User Execution: Malicious File
  • T1486 Data Encrypted for Impact
  • T1083 File and Directory Discovery
  • T1055 Process Injection
  • T1027 Obfuscated Files or Information
  • T1112 Modify Registry
  • T1566 Phishing
  • CVE-2023-36884 (Microsoft Office and Windows HTML remote code execution, July 2023)

Additional Information

Affected industries:

  • Professional Services
  • Construction
  • Healthcare
  • Finance
  • Manufacturing

Affected countries:

  • Slovakia
  • Singapore
  • Korea, Democratic People's Republic of
  • Taiwan
  • Korea, Republic of
  • Spain
  • Canada
  • France
  • Germany