Ransomware Roundup - Underground

Sept. 2, 2024, 4:40 p.m.

Description

Underground is a ransomware family first observed in July 2023 that targets Windows machines, encrypting files and demanding payment for their recovery. It is attributed to the Russia-based RomCom group and has been delivered through CVE-2023-36884 as well as other common infection vectors. Before encrypting, it deletes volume shadow copies to hinder recovery, modifies Remote Desktop settings, and stops the MS SQL Server service (releasing the locks SQL Server holds on its database files). It then drops a ransom note and encrypts files in place without changing their extensions, so affected files cannot be identified by name alone. The group's data leak site lists 16 victims across various industries and locations. FortiGuard Labs provides protection against this threat through antivirus detection and other security solutions.
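The pre-encryption behaviour described above (shadow-copy deletion, Remote Desktop changes, stopping MS SQL Server, plus the event-log clearing implied by T1070.001 below) is what endpoint telemetry can catch before files are lost. The following is an added example, not code from FortiGuard or from this page: it runs ATT&CK-level command-line heuristics over constructed Sysmon-style process-creation events and correlates several techniques on one host into a single alert. The sample events, the specific command lines and the ten-minute window are assumptions for illustration; the page does not publish the sample's actual command lines.

```python
"""Behavioural detection for the pre-encryption steps described above, run over
process-creation events (Sysmon Event ID 1 style) exported as tab-separated text.
Added example: the sample events and the command-line patterns are constructed
for illustration; the page does not publish the binary's actual command lines,
so these are ATT&CK-level heuristics rather than signatures for this sample."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Rule:
    technique: str       # ATT&CK technique the behaviour maps to
    name: str
    pattern: re.Pattern


RULES = (
    Rule("T1490", "shadow copies deleted via vssadmin",
         re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    Rule("T1490", "shadow copies deleted via wmic",
         re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b", re.I)),
    Rule("T1489", "MS SQL Server service stopped",
         re.compile(r"\b(?:net|sc)(?:\.exe)?\s+stop\s+\"?MSSQL", re.I)),
    Rule("T1112", "Remote Desktop settings changed via reg.exe",
         re.compile(r"\breg(?:\.exe)?\s+add\b.*Terminal\s*Serv(?:er|ices)", re.I)),
    Rule("T1070.001", "Windows event log cleared",
         re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b", re.I)),
)

# Constructed sample export: timestamp, host, image, command line (tab-separated).
SAMPLE_EVENTS = """\
2024-08-30T10:01:02Z\tFS01\tC:\\Windows\\System32\\cmd.exe\tcmd.exe /c vssadmin delete shadows /all /quiet
2024-08-30T10:01:03Z\tFS01\tC:\\Windows\\System32\\net.exe\tnet stop MSSQLSERVER /y
2024-08-30T10:01:05Z\tFS01\tC:\\Windows\\System32\\reg.exe\treg add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services" /v MaxDisconnectionTime /t REG_DWORD /d 1209600000 /f
2024-08-30T10:01:09Z\tFS01\tC:\\Windows\\System32\\wevtutil.exe\twevtutil cl System
2024-08-30T10:15:44Z\tWS17\tC:\\Windows\\System32\\cmd.exe\tcmd.exe /c dir C:\\Users
2024-08-30T11:40:00Z\tWS22\tC:\\Windows\\System32\\net.exe\tnet stop Spooler
"""


def parse_events(text):
    """Parse the tab-separated export into dicts with an aware UTC timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, image, cmdline = line.split("\t", 3)
        events.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       "host": host, "image": image, "cmdline": cmdline})
    return events


def match_rules(events, rules=RULES):
    """One hit per (event, rule) whose pattern matches the command line."""
    return [{**ev, "technique": r.technique, "name": r.name}
            for ev in events for r in rules if r.pattern.search(ev["cmdline"])]


def correlate(hits, window=timedelta(minutes=10), min_techniques=2):
    """Host-level alert when distinct techniques fire together inside `window`.
    A lone vssadmin call may be an administrator; shadow-copy deletion plus a
    service stop, an RDP change and log clearing within minutes is staging."""
    by_host = defaultdict(list)
    for h in hits:
        by_host[h["host"]].append(h)
    alerts = []
    for host, host_hits in by_host.items():
        host_hits.sort(key=lambda h: h["ts"])
        for i, first in enumerate(host_hits):
            in_window = [h for h in host_hits[i:] if h["ts"] - first["ts"] <= window]
            techniques = sorted({h["technique"] for h in in_window})
            if len(techniques) >= min_techniques:
                alerts.append({"host": host, "start": first["ts"], "techniques": techniques})
                break  # one alert per host is enough for triage
    return alerts


if __name__ == "__main__":
    found = match_rules(parse_events(SAMPLE_EVENTS))
    for h in found:
        print(f"{h['ts']:%H:%M:%S} {h['host']} {h['technique']:<9} {h['name']}: {h['cmdline']}")
    for a in correlate(found):
        print(f"ALERT {a['host']}: {len(a['techniques'])} techniques from "
              f"{a['start']:%H:%M:%S}: {', '.join(a['techniques'])}")
```

Because the page does not state how the sample performs these actions (a registry write through the Windows API rather than reg.exe would never appear as a command line), treat the patterns as a starting point and pair them with registry and service-control telemetry. The correlation step is what keeps a single administrative vssadmin call from paging anyone while still firing on the chain within seconds of it starting.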

Date

Published: Sept. 2, 2024, 4:21 p.m.

Created: Sept. 2, 2024, 4:21 p.m.

Modified: Sept. 2, 2024, 4:40 p.m.

Indicators

9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f

9d41b2f7c07110fb855c62b5e7e330a597860916599e73dd3505694fd1bbe163

9543f71d7c4e394223c9d41ccef71541e1f1eb0cc76e8fa0f632b8365069af64

d4a847fa9c4c7130a852a2e197b205493170a8b44426d9ec481fc4b285a92666
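The hashes above identify the binary, not the damage: because Underground encrypts files in place without changing their extensions, a name-based search will not find affected documents. The following is an added example, not code from FortiGuard or from this page, that sweeps a directory tree for the four SHA-256 indicators and, alongside, flags documents whose leading bytes no longer match their extension. The signature table is the standard one for those formats; which extensions to check and the output format are this example's choices.

```python
"""Triage sweep for the indicators above. Added example (not FortiGuard's code):
two checks over a directory tree.
1. SHA-256 of every file against the hashes listed on this page, to find the
   dropped binary.
2. Magic-byte mismatch for common document types: because Underground keeps the
   original extension, a .docx that no longer begins with the ZIP header or a
   .pdf without '%PDF' is a likely encrypted file that a name search would miss.
   The signature table is the standard one; the extension list is this
   example's choice."""
import hashlib
import os
from pathlib import Path

UNDERGROUND_SHA256 = frozenset({
    "9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f",
    "9d41b2f7c07110fb855c62b5e7e330a597860916599e73dd3505694fd1bbe163",
    "9543f71d7c4e394223c9d41ccef71541e1f1eb0cc76e8fa0f632b8365069af64",
    "d4a847fa9c4c7130a852a2e197b205493170a8b44426d9ec481fc4b285a92666",
})

# Well-known leading bytes per extension; several extensions share a container.
_ZIP, _OLE, _PE = b"PK\x03\x04", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", b"MZ"
MAGIC = {
    ".docx": _ZIP, ".xlsx": _ZIP, ".pptx": _ZIP, ".zip": _ZIP,
    ".doc": _OLE, ".xls": _OLE, ".ppt": _OLE,
    ".pdf": b"%PDF",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
    ".exe": _PE, ".dll": _PE,
}


def sha256_of(path, chunk=1 << 20):
    """Stream the file so large shares can be swept without loading them."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def magic_mismatch(path):
    """True when the extension promises a signature the content lacks.
    Unknown extensions and empty files are not flagged."""
    sig = MAGIC.get(Path(path).suffix.lower())
    if sig is None:
        return False
    with open(path, "rb") as f:
        head = f.read(len(sig))
    return bool(head) and not head.startswith(sig)


def sweep(root, iocs=UNDERGROUND_SHA256):
    """Walk `root`; return IOC hash hits and files whose magic bytes no longer
    match their extension, both as sorted path lists."""
    ioc_hits, suspect = [], []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            if os.path.islink(p) or not os.path.isfile(p):
                continue
            try:
                if sha256_of(p) in iocs:
                    ioc_hits.append(p)
                if magic_mismatch(p):
                    suspect.append(p)
            except OSError:
                continue  # locked or unreadable, as happens during active encryption
    return {"ioc_hits": sorted(ioc_hits), "suspect_encrypted": sorted(suspect)}


if __name__ == "__main__":
    import sys
    result = sweep(sys.argv[1] if len(sys.argv) > 1 else ".")
    for p in result["ioc_hits"]:
        print("IOC MATCH", p)
    for p in result["suspect_encrypted"]:
        print("SUSPECT  ", p)
```

Run it against a mounted image or a quiet share rather than a host that is still encrypting; files it cannot open are silently skipped, so a sweep that errors on many paths is itself worth noting. A magic mismatch is a strong hint, not proof: truncated or otherwise unusual files fail the check too, so confirm a handful by hand before scoping the incident on the count.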

Attack Patterns

Underground

RomCom

T1543.003 - Create or Modify System Process: Windows Service

T1070.001 - Indicator Removal: Clear Windows Event Logs

T1132.001 - Data Encoding: Standard Encoding

T1490 - Inhibit System Recovery

T1074 - Data Staged

T1059.003 - Command and Scripting Interpreter: Windows Command Shell

T1071.001 - Application Layer Protocol: Web Protocols

T1562.001 - Impair Defenses: Disable or Modify Tools

T1204.002 - User Execution: Malicious File

T1486 - Data Encrypted for Impact

T1083 - File and Directory Discovery

T1055 - Process Injection

T1027 - Obfuscated Files or Information

T1112 - Modify Registry

T1566 - Phishing

CVE-2023-36884 - Microsoft Office and Windows HTML remote code execution, exploited in the wild in July 2023

Additional Information

Professional Services

Construction

Healthcare

Finance

Manufacturing

Slovakia

Singapore

Korea, Democratic People's Republic of

Taiwan

Korea, Republic of

Spain

Canada

France

Germany