The first sample of RomCom ransomware was observed in early July 2023 on a publicly available file scanning site, about the same time as the first victim posted on its data leak site on 13 July 2023. Like most ransomware, this ransomware encrypts files on victims' Windows machines and demands a ransom to decrypt them via dropped ransom notes.
Infection Vector
Online reports indicate that the Russia-based RomCom group, or Storm-0978, is deploying the Underground ransomware. This threat group is known to exploit CVE-2023-36884 (Microsoft Office and Windows HTML RCE Vulnerability), which could be the infection vector for the ransomware.[1]
FortiGuard Labs published an Outbreak Alert on CVE-2023-36884 on 13 July 2024 (Outbreak Alert: Microsoft Office and Windows HTML RCE Vulnerability).
The group may also use other common infection vectors, such as email and purchasing access from an Initial Access Broker (IAB).
Attack Method
Once executed, the Underground ransomware deletes shadow copies with the following command:
vssadmin.exe delete shadows /all /quiet
The ransomware then sets the maximum time a disconnected Remote Desktop/Terminal Server session is retained on the server to 14 days (1209600000 milliseconds after the user disconnects) using the following command:
reg.exe add HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services /v MaxDisconnectionTime /t REG_DWORD /d 1209600000 /f
It then stops the MS SQL Server service with the following command:
net.exe stop MSSQLSERVER /f /m
The ransomware then creates and drops a ransom note named “!!readme!!!.txt”:
Figure 1: The Underground ransomware ransom note
While the ransomware encrypts files, it does not change or append file extensions.
Figure 2: A text file before file encryption
Figure 3: A text file after file encryption
It also avoids encrypting files with the following extensions:
.sys, .exe, .dll, .bat, .bin, .cmd, .com, .cpl, .gadget, .inf1, .ins, .inx, .isu, .job, .jse, .lnk, .msc, .msi, .mst, .paf, .pif, .ps1, .reg, .rgs, .scr, .sct, .shb, .shs, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsh, .wsf
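Because Underground does not rename encrypted files, extension-based triage does not work on an affected host. The following added example (not code from the original report or from FortiGuard Labs) shows one defender-side check that still works: skip the extensions the page says are left alone, then flag a file as likely encrypted either because its header no longer matches what its extension promises or because its contents have near-random byte entropy. The sample text and "ciphertext" are constructed in the script; the entropy threshold, size floor and magic-byte table are assumptions, not values from the page.

```python
import hashlib
import math
from collections import Counter
from pathlib import Path

# Extensions the page says the ransomware leaves untouched (copied from the list above).
SKIPPED_EXTENSIONS = {
    ".sys", ".exe", ".dll", ".bat", ".bin", ".cmd", ".com", ".cpl", ".gadget",
    ".inf1", ".ins", ".inx", ".isu", ".job", ".jse", ".lnk", ".msc", ".msi",
    ".mst", ".paf", ".pif", ".ps1", ".reg", ".rgs", ".scr", ".sct", ".shb",
    ".shs", ".u3p", ".vb", ".vbe", ".vbs", ".vbscript", ".ws", ".wsh", ".wsf",
}

# Assumed header bytes for a few common formats. A file whose extension claims
# one of these but whose header no longer matches is a strong encryption signal.
KNOWN_MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
    ".png": b"\x89PNG",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def would_be_encrypted(name: str) -> bool:
    """True if the extension is not on the ransomware's skip list."""
    return Path(name).suffix.lower() not in SKIPPED_EXTENSIONS


def is_suspiciously_random(data: bytes, threshold: float = 7.5, min_size: int = 256) -> bool:
    """Assumed heuristic: ciphertext of reasonable size has near-maximal entropy."""
    return len(data) >= min_size and shannon_entropy(data) >= threshold


def classify(name: str, data: bytes) -> str:
    """Return 'skipped-by-ransomware', 'likely-encrypted' or 'plaintext'."""
    if not would_be_encrypted(name):
        return "skipped-by-ransomware"
    magic = KNOWN_MAGIC.get(Path(name).suffix.lower())
    if magic is not None and not data.startswith(magic):
        return "likely-encrypted"  # header destroyed although the name is unchanged
    if is_suspiciously_random(data):
        return "likely-encrypted"  # no known header, but the bytes look random
    return "plaintext"


# Constructed samples: low-entropy text and a deterministic pseudo-random blob
# standing in for ciphertext (derived from SHA-256 so the run is reproducible).
SAMPLE_TEXT = b"Quarterly revenue summary: region north 12.4, south 9.8, west 11.1.\n" * 40
SAMPLE_CIPHERTEXT = b"".join(
    hashlib.sha256(b"constructed-keystream-%d" % i).digest() for i in range(64)
)

if __name__ == "__main__":
    for name, blob in [
        ("notes.txt", SAMPLE_TEXT),
        ("notes.txt", SAMPLE_CIPHERTEXT),
        ("scan.pdf", b"%PDF-1.4\n" + SAMPLE_TEXT),
        ("scan.pdf", SAMPLE_CIPHERTEXT),
        ("tool.dll", SAMPLE_CIPHERTEXT),
    ]:
        print(f"{name:10s} entropy={shannon_entropy(blob):.2f} -> {classify(name, blob)}")
```

The header check is the more reliable of the two signals: compressed or already-encrypted user data (archives, media, password-manager vaults) has high entropy when healthy, so an entropy-only sweep will produce false positives on those types, while a .docx that no longer begins with the ZIP header is almost certainly damaged or encrypted.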
The ransomware creates and executes temp.cmd, which performs the following actions:
- Deletes the original ransomware file
- Obtains a list of Windows Event logs and deletes them
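The commands above (shadow-copy deletion, the MaxDisconnectionTime registry change, stopping MSSQLSERVER, and the event-log wiping done by temp.cmd) are each individually noisy but, seen together on one host within minutes, form a high-confidence ransomware pre-encryption pattern. The following added example (not code from the original report or from FortiGuard Labs) runs command-line rules over a few constructed process-creation log lines and raises the severity when two or more stages occur on the same host inside a short window. The log format is invented for the example; the wevtutil rule is an assumption, since the page only says temp.cmd enumerates and deletes event logs without naming the tool.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Stages of the Underground attack chain described on this page, each as a
# pattern over a process command line. The wevtutil rule is an assumption.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("rdp_disconnect_timeout",
     re.compile(r"\breg(\.exe)?\s+add\b.*Terminal Services.*\bMaxDisconnectionTime\b", re.I)),
    ("mssql_service_stop",
     re.compile(r"\bnet(\.exe)?\s+stop\s+MSSQLSERVER\b", re.I)),
    ("event_log_clear",
     re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I)),
]

# Constructed log format (not any product's real format):
#   <ISO timestamp> host=<name> user=<name> cmd=<full command line>
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$")

# Constructed sample: FS01 shows the full chain, WS07 only benign admin activity,
# WS09 a single suspicious command.
SAMPLE_LOG = """\
2024-07-03T10:15:02Z host=FS01 user=CORP\\svc_backup cmd=vssadmin.exe delete shadows /all /quiet
2024-07-03T10:15:05Z host=FS01 user=CORP\\svc_backup cmd=reg.exe add HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services /v MaxDisconnectionTime /t REG_DWORD /d 1209600000 /f
2024-07-03T10:15:09Z host=FS01 user=CORP\\svc_backup cmd=net.exe stop MSSQLSERVER /f /m
2024-07-03T10:17:40Z host=FS01 user=CORP\\svc_backup cmd=wevtutil.exe cl Security
2024-07-03T10:20:11Z host=WS07 user=CORP\\jdoe cmd=net.exe stop Spooler
2024-07-03T10:21:30Z host=WS07 user=CORP\\jdoe cmd=reg.exe add HKCU\\Software\\Contoso /v Theme /t REG_SZ /d dark /f
2024-07-03T11:02:00Z host=WS09 user=CORP\\admin cmd=vssadmin delete shadows /all /quiet
"""


def parse_line(line: str):
    """Parse one log line into a dict with a datetime 'ts', or None if malformed."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def match_rules(cmd: str):
    """Names of all attack-chain stages whose pattern matches the command line."""
    return [name for name, pattern in RULES if pattern.search(cmd)]


def scan(log_text: str, window: timedelta = timedelta(minutes=10)):
    """Group rule hits per host; 'high' if >= 2 distinct stages fall inside one window."""
    events = defaultdict(list)  # host -> [(timestamp, stage)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for stage in match_rules(rec["cmd"]):
            events[rec["host"]].append((rec["ts"], stage))

    findings = {}
    for host, hits in events.items():
        hits.sort()
        best = 0
        for i, (start, _) in enumerate(hits):
            in_window = {stage for ts, stage in hits[i:] if ts - start <= window}
            best = max(best, len(in_window))
        findings[host] = {
            "stages": {stage for _, stage in hits},
            "severity": "high" if best >= 2 else "medium",
        }
    return findings


if __name__ == "__main__":
    for host, finding in scan(SAMPLE_LOG).items():
        print(f"{host}: {finding['severity']} -> {sorted(finding['stages'])}")
```

In a real pipeline the command lines would come from Sysmon event 1 or Windows event 4688 with command-line auditing enabled; the correlation step is what keeps a lone backup-maintenance vssadmin call at medium while the combination the page describes is escalated.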
Victimology and Data Leak Site
The Underground ransomware has a data leak site that posts victim information, including data stolen from victims. Currently, the data leak site lists 16 victims, with the most recent victim posted on 3 July 2024. Below is a breakdown of the victims and their verticals:
Post Date | Location of Victim | Vertical
--- | --- | ---
2024/07/03 | USA | Construction
2024/07/01 | France | Pharmaceuticals
2024/06/17 | USA | Professional Services
2024/05/27 | USA | Banking
2024/05/15 | USA | Medicine
2024/05/01 | USA | Industry
2024/04/09 | USA | Business Services
2024/04/09 | USA | Construction
2024/03/25 | USA | Manufacturing
2024/03/06 | Korea | Manufacturing
2024/02/12 | Spain | Manufacturing
2024/02/02 | Germany | Industry
2023/07/31 | Slovakia | Business Services
2024/07/18 | Taiwan | Industry
2024/07/18 | Singapore | Manufacturing
2024/07/14 | Canada | Manufacturing
Figure 4: The data leak site for Underground ransomware
The data leak site also includes a drop-down box with a list of industries the ransomware group is targeting or is allowed to target.
Figure 5: One of the victims of the data leak site
The Underground ransomware group also created a Telegram channel on 21 March 2024.
Figure 6: The Underground ransomware Telegram channel
According to the Telegram channel, the ransomware group has made victims' stolen information available on Mega, a cloud storage service provider that is being abused for this purpose.
Figure 7: Telegram channel containing links to the stolen information on Mega
IOCs
Underground Ransomware File IOCs
SHA2 | Note
--- | ---
9543f71d7c4e394223c9d41ccef71541e1f1eb0cc76e8fa0f632b8365069af64 | Underground ransomware
9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f |
eb8ed3b94fa978b27a02754d4f41ffc95ed95b9e62afb492015d0eb25f89956f |
9d41b2f7c07110fb855c62b5e7e330a597860916599e73dd3505694fd1bbe163 |
cc80c74a3592374341324d607d877dcf564d326a1354f3f2a4af58030e716813 |
d4a847fa9c4c7130a852a2e197b205493170a8b44426d9ec481fc4b285a92666 |
This article is shared at no charge and is for educational and informational purposes only.
We want to thank Fortinet Labs for this report. They have been providing excellent collection and analysis for many years, and this is yet another example. Red Sky Alliance provides Cyber Threat Analysis and Intelligence Services for our clients. We provide valuable indicators of compromised information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefing
https://register.gotowebinar.com/register/5378972949933166424
[1] https://www.fortinet.com/blog/threat-research/ransomware-roundup-underground?lctg=141970831