Ransomware Roundup - Underground
Sept. 2, 2024, 4:40 p.m.
Description
The Underground ransomware, first observed in July 2023, targets Windows machines, encrypting files and demanding a ransom. It is attributed to the Russia-based RomCom group and has been delivered through CVE-2023-36884 (the Microsoft Office and Windows HTML remote code execution flaw) as well as the usual infection vectors. Before encryption it deletes volume shadow copies, modifies Remote Desktop settings, and stops the MS SQL Server service; it then drops a ransom note and encrypts files without appending an extension, so encrypted files cannot be identified by name alone. The group's data leak site lists 16 victims across the industries and countries below. FortiGuard Labs provides protection against this threat through antivirus detection and other security solutions.
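The behaviours listed above (shadow-copy deletion, Remote Desktop setting changes, stopping MS SQL Server) and the SHA-256 indicators further down are the observables a detection engineer would hunt for. The script below is an added example, not Fortinet's write-up code or anything from an Underground sample: it parses constructed process-creation log lines and flags each behaviour with its ATT&CK id, plus any image whose hash is on the page's indicator list. The log format and the command-line regexes are assumptions that cover the common ways these actions are performed on Windows, not strings recovered from the malware; T1489 (Service Stop) is the standard id for the MS SQL stop and is not in the page's own technique list.

```python
"""Scan constructed Windows process-creation log lines for the behaviours the
roundup attributes to Underground (shadow-copy deletion, Remote Desktop
setting changes, stopping MS SQL Server) and for the page's SHA-256 IOCs.

Added example, not Fortinet's or the malware's own code. The log format and
the command-line regexes are assumptions: they cover the usual ways these
actions are performed on Windows, not strings taken from an Underground sample.
"""
import re
from dataclasses import dataclass

# SHA-256 indicators copied from the page's Indicators section.
UNDERGROUND_SHA256 = {
    "9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f",
    "9d41b2f7c07110fb855c62b5e7e330a597860916599e73dd3505694fd1bbe163",
    "9543f71d7c4e394223c9d41ccef71541e1f1eb0cc76e8fa0f632b8365069af64",
    "d4a847fa9c4c7130a852a2e197b205493170a8b44426d9ec481fc4b285a92666",
}

# (ATT&CK id, label, regex over the command line). T1489 (Service Stop) is the
# standard id for stopping MS SQL Server; it is not in the page's own list.
BEHAVIOUR_RULES = [
    ("T1490", "shadow copy deletion",
     re.compile(r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)),
    ("T1112", "Remote Desktop registry change",
     re.compile(r"\breg(\.exe)?\s+add\b.*Terminal\s+Serv(er|ices)", re.I)),
    ("T1489", "MS SQL Server service stop",
     re.compile(r'\b(net1?|sc)(\.exe)?\s+stop\s+"?MSSQL', re.I)),
]


@dataclass(frozen=True)
class Finding:
    host: str
    pid: str
    technique: str   # ATT&CK id, or "IOC" for a hash match
    detail: str


def parse_line(line):
    """Parse 'key=value ... cmdline=<rest of line>'. In this constructed
    format cmdline is always the last field, so it may contain spaces/quotes."""
    head, _, cmdline = line.strip().partition(" cmdline=")
    fields = dict(tok.split("=", 1) for tok in head.split() if "=" in tok)
    fields["cmdline"] = cmdline
    return fields


def evaluate(fields):
    """Return the findings for one parsed event (empty list if benign)."""
    host, pid = fields.get("host", "?"), fields.get("pid", "?")
    findings = []
    if fields.get("sha256", "").lower() in UNDERGROUND_SHA256:
        findings.append(Finding(host, pid, "IOC",
                                "image hash matches Underground indicator: " + fields.get("image", "?")))
    for technique, label, rx in BEHAVIOUR_RULES:
        if rx.search(fields.get("cmdline", "")):
            findings.append(Finding(host, pid, technique, label))
    return findings


def scan(lines):
    """Run evaluate() over every non-empty log line, preserving order."""
    return [f for line in lines if line.strip() for f in evaluate(parse_line(line))]


# Constructed sample events; every hash except the IOC is a placeholder.
BENIGN_HASH = "0" * 64
SAMPLE_LOG = [
    rf"ts=2024-09-02T16:21:00Z host=WS01 pid=1204 image=C:\Windows\System32\svchost.exe sha256={BENIGN_HASH} cmdline=svchost.exe -k netsvcs",
    r"ts=2024-09-02T16:21:05Z host=WS01 pid=4312 image=C:\Users\Public\update.exe sha256=9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f cmdline=update.exe",
    rf"ts=2024-09-02T16:21:06Z host=WS01 pid=4330 image=C:\Windows\System32\vssadmin.exe sha256={BENIGN_HASH} cmdline=vssadmin.exe delete shadows /all /quiet",
    rf'ts=2024-09-02T16:21:07Z host=WS01 pid=4341 image=C:\Windows\System32\reg.exe sha256={BENIGN_HASH} cmdline=reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f',
    rf"ts=2024-09-02T16:21:08Z host=WS01 pid=4350 image=C:\Windows\System32\net.exe sha256={BENIGN_HASH} cmdline=net.exe stop MSSQLSERVER /y",
    rf"ts=2024-09-02T16:25:00Z host=WS02 pid=2210 image=C:\Windows\System32\reg.exe sha256={BENIGN_HASH} cmdline=reg.exe query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.host} pid={f.pid} {f.technique}: {f.detail}")
```

Run against the constructed sample, the scan yields one IOC hit for the dropped binary and one finding each for T1490, T1112 and T1489 on the same host within seconds; the benign svchost and `reg query` events produce nothing. In a real deployment the interesting signal is that cluster of pre-encryption actions on one host, which is worth alerting on even when the binary's hash is not yet on any indicator list.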
Date
Published: Sept. 2, 2024, 4:21 p.m.
Created: Sept. 2, 2024, 4:21 p.m.
Modified: Sept. 2, 2024, 4:40 p.m.
Indicators (SHA-256 file hashes)
9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f
9d41b2f7c07110fb855c62b5e7e330a597860916599e73dd3505694fd1bbe163
9543f71d7c4e394223c9d41ccef71541e1f1eb0cc76e8fa0f632b8365069af64
d4a847fa9c4c7130a852a2e197b205493170a8b44426d9ec481fc4b285a92666
Attack Patterns
Underground
RomCom
T1543.003 (Create or Modify System Process: Windows Service)
T1070.001 (Indicator Removal: Clear Windows Event Logs)
T1132.001 (Data Encoding: Standard Encoding)
T1490 (Inhibit System Recovery)
T1074 (Data Staged)
T1059.003 (Command and Scripting Interpreter: Windows Command Shell)
T1071.001 (Application Layer Protocol: Web Protocols)
T1562.001 (Impair Defenses: Disable or Modify Tools)
T1204.002 (User Execution: Malicious File)
T1486 (Data Encrypted for Impact)
T1083 (File and Directory Discovery)
T1055 (Process Injection)
T1027 (Obfuscated Files or Information)
T1112 (Modify Registry)
T1566 (Phishing)
CVE-2023-36884 (Microsoft Office and Windows HTML remote code execution)
Additional Information
Industries
Professional Services
Construction
Healthcare
Finance
Manufacturing
Countries
Slovakia
Singapore
Korea, Democratic People's Republic of
Taiwan
Korea, Republic of
Spain
Canada
France
Germany