Underground Ransomware - RomCom

The first sample of RomCom ransomware was observed in early July 2023 on a publicly available file scanning site, about the same time as the first victim was posted on its data leak site on 13 July 2023. Like most ransomware, this ransomware encrypts files on victims' Windows machines and demands a ransom to decrypt them via dropped ransom notes.

Infection Vector - Online reports indicate that the Russia-based RomCom group, also tracked as Storm-0978, is deploying the Underground ransomware. The group is known to exploit CVE-2023-36884 (Microsoft Office and Windows HTML RCE Vulnerability), which could be the infection vector for the ransomware.[1]

FortiGuard Labs published an Outbreak Alert on CVE-2023-36884 on 13 July 2024: "Outbreak Alert: Microsoft Office and Windows HTML RCE Vulnerability".

The group may also use other common infection vectors, such as email and purchasing access from an Initial Access Broker (IAB).

Attack Method - Once executed, the Underground ransomware deletes shadow copies with the following command:

  • exe delete shadows /all /quiet

The ransomware sets the maximum time that a Remote Desktop/Terminal Server session can remain active on the server after the user disconnects to 14 days (the value 1209600000 is in milliseconds) using the following command:

  • reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v MaxDisconnectionTime /t REG_DWORD /d 1209600000 /f

It then stops the MS SQL Server service with the following command:

  • net.exe stop MSSQLSERVER /f /m

The ransomware then creates and drops a ransom note named “!!readme!!!.txt”:

Figure 1: The Underground ransomware ransom note

While the ransomware encrypts files, it does not change or append file extensions.

Figure 2: A text file before file encryption

Figure 3: A text file after file encryption

It also avoids encrypting files with the following extensions:

.sys, .exe, .dll, .bat, .bin, .cmd, .com, .cpl, .gadget, .inf1, .ins, .inx, .isu, .job, .jse, .lnk, .msc, .msi, .mst, .paf, .pif, .ps1, .reg, .rgs, .scr, .sct, .shb, .shs, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsh, .wsf

The ransomware creates and executes temp.cmd, which performs the following actions:

  • Deletes the original ransomware file
  • Obtains a list of Windows Event logs and deletes them
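As an added illustration (not part of the Fortinet or Red Sky Alliance report), the following Python turns the behaviours described above into simple detection rules and runs them over constructed sample process and file events. It assumes the truncated shadow-copy command is vssadmin.exe and that the log fields are named CommandLine and TargetFilename.

```python
import re
from typing import Dict, List

# One rule per behaviour the report attributes to Underground. Patterns are run
# over the text of a process-creation or file-creation event.
RULES: Dict[str, re.Pattern] = {
    # Shadow-copy deletion; the report shows the command truncated, so the
    # binary name (vssadmin.exe) is assumed and deliberately not matched on.
    "shadow_copy_deletion": re.compile(r"delete\s+shadows\s+/all\s+/quiet", re.I),
    # RDP MaxDisconnectionTime raised through reg.exe (1209600000 ms = 14 days).
    "rdp_maxdisconnectiontime": re.compile(
        r"reg(\.exe)?\s+add\s+.*Terminal Services.*?/v\s+MaxDisconnectionTime", re.I),
    # MS SQL Server stopped so database files can be encrypted.
    "mssql_service_stop": re.compile(r"net(\.exe)?\s+stop\s+MSSQLSERVER", re.I),
    # temp.cmd helper that removes the dropper and clears event logs.
    "temp_cmd_execution": re.compile(r"(?<![\w.])temp\.cmd\b", re.I),
    # Ransom note dropped under the documented file name.
    "ransom_note_dropped": re.compile(r"!!readme!!!\.txt", re.I),
}

# Constructed sample events (not taken from the report); field names are assumed.
SAMPLE_EVENTS: List[str] = [
    'CommandLine="vssadmin.exe delete shadows /all /quiet"',
    'CommandLine="reg.exe add HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services'
    ' /v MaxDisconnectionTime /t REG_DWORD /d 1209600000 /f"',
    'CommandLine="net.exe stop MSSQLSERVER /f /m"',
    'TargetFilename="C:\\Users\\Public\\Documents\\!!readme!!!.txt"',
    'CommandLine="cmd.exe /c C:\\Users\\Public\\temp.cmd"',
    'CommandLine="notepad.exe C:\\Users\\alice\\notes.txt"',  # benign control
]


def match_rules(event: str) -> List[str]:
    """Return the names of every rule whose pattern occurs in the event text."""
    return [name for name, pat in RULES.items() if pat.search(event)]


def scan_events(events: List[str]) -> Dict[str, List[int]]:
    """Map each triggered rule name to the indices of the events that fired it."""
    hits: Dict[str, List[int]] = {}
    for idx, event in enumerate(events):
        for name in match_rules(event):
            hits.setdefault(name, []).append(idx)
    return hits


def looks_like_underground(hits: Dict[str, List[int]], min_rules: int = 3) -> bool:
    """Alert only when several of the chained behaviours co-occur on one host;
    shadow-copy deletion alone is noisy because backup tooling does it too."""
    return len(hits) >= min_rules
```

Tune min_rules to the telemetry available: on hosts where only process-creation events are collected, the ransom-note rule will never fire.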

Victimology and Data Leak Site - The Underground ransomware has a data leak site that posts victim information, including data stolen from victims. Currently, the data leak site lists 16 victims, with the most recent victim posted on 3 July 2024. Below is a breakdown of the victims and their verticals:

Post Date     Location of Victim   Vertical
2024/07/03    USA                  Construction
2024/07/01    France               Pharmaceuticals
2024/06/17    USA                  Professional Services
2024/05/27    USA                  Banking
2024/05/15    USA                  Medicine
2024/05/01    USA                  Industry
2024/04/09    USA                  Business Services
2024/04/09    USA                  Construction
2024/03/25    USA                  Manufacturing
2024/03/06    Korea                Manufacturing
2024/02/12    Spain                Manufacturing
2024/02/02    Germany              Industry
2023/07/31    Slovakia             Business Services
2024/07/18    Taiwan               Industry
2024/07/18    Singapore            Manufacturing
2024/07/14    Canada               Manufacturing

Figure 4: The data leak site for Underground ransomware

The data leak site also includes a drop-down box with a list of industries the ransomware group is targeting or is allowed to target.

Figure 5: One of the victims on the data leak site

The Underground ransomware group also created a Telegram channel on 21 March 2024.

Figure 6: The Underground ransomware Telegram channel

According to the Telegram channel, the ransomware group has made victims' stolen information available on Mega, a cloud storage service that is being abused for this purpose.

Figure 7: Telegram channel containing links to the stolen information on Mega

IOCs

Underground Ransomware File IOCs



This article is shared at no charge and is for educational and informational purposes only.

We want to thank Fortinet Labs for this report. They have been providing excellent collection and analysis for many years, and this is yet another example. Red Sky Alliance provides Cyber Threat Analysis and Intelligence Services for our clients. We provide valuable indicators of compromised information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com

Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefing
https://register.gotowebinar.com/register/5378972949933166424

[1] https://www.fortinet.com/blog/threat-research/ransomware-roundup-underground?lctg=141970831
