The Underground ransomware is likely spread by the RomCom group (also known as Storm-0978). The group exploits the Microsoft Office and Windows HTML RCE vulnerability (CVE-2023-36884). Other methods, such as phishing emails and access via Initial Access Brokers (IABs), may also be used.
- Shadow Copy Deletion: It removes all shadow copies to prevent file recovery: `vssadmin.exe delete shadows /all /quiet`
- RDP Session Limits: Sets a 14-day limit (1209600000 ms) on disconnected Remote Desktop sessions to maintain persistence: `reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v MaxDisconnectionTime /t REG_DWORD /d 1209600000 /f`
- SQL Server Service Stop: Halts the MS SQL Server service to disrupt operations: `net.exe stop MSSQLSERVER /f /m`
- Ransom Note Deployment: Drops a ransom note named “!!readme!!!.txt” in directories containing encrypted files.
- File Encryption: The ransomware encrypts files without altering their extensions, making it harder to visually identify encrypted files. It avoids encrypting critical system files (e.g., .sys, .exe, .dll) to maintain system functionality.
- Log and File Deletion: It creates and runs a script (temp.cmd) to delete the original ransomware file and clear Windows Event logs, complicating forensic analysis.
- Data Leak Site: The ransomware group maintains a site where they post stolen data from their victims, spanning industries such as construction, pharmaceuticals, and manufacturing. As of July 2024, they have listed 16 victims.
- Telegram Channel: The group also uses a Telegram channel to distribute stolen data, with links to files hosted on Mega, a cloud storage service.
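The pre-encryption behaviours listed above (shadow copy deletion, the MaxDisconnectionTime change, the MSSQL service stop, event log clearing) are all visible in process-creation telemetry. The following added example, which is not part of the original write-up, scores a batch of constructed command lines against those behaviours; `wevtutil cl` is an assumption for the log-clearing step, since the post does not name the tool.

```python
import re

# Constructed sample process-creation command lines (e.g. Sysmon Event ID 1 or
# Security 4688 fields); illustrative only, not taken from any real incident.
SAMPLE_CMDLINES = [
    "vssadmin.exe delete shadows /all /quiet",
    'reg.exe add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services" '
    "/v MaxDisconnectionTime /t REG_DWORD /d 1209600000 /f",
    "net.exe stop MSSQLSERVER /f /m",
    "wevtutil.exe cl Security",   # assumed tool; the write-up only says logs are cleared
    "vssadmin.exe list shadows",  # benign admin activity, must not match
    "net.exe stop Spooler",       # benign, must not match
]

# One pattern per behaviour described in the write-up.
RULES = {
    "shadow_copy_deletion": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "rdp_timeout_tamper": re.compile(r"\breg(?:\.exe)?\s+add\b.*\bMaxDisconnectionTime\b", re.I),
    "mssql_service_stop": re.compile(r"\bnet(?:\.exe)?\s+stop\s+MSSQLSERVER\b", re.I),
    "event_log_clear": re.compile(r"\bwevtutil(?:\.exe)?\s+cl\b", re.I),
}

REG_DWORD_VALUE = re.compile(r"/d\s+(0x[0-9a-f]+|\d+)", re.I)


def classify(cmdline):
    """Return the names of every rule that matches one command line."""
    return [name for name, pat in RULES.items() if pat.search(cmdline)]


def rdp_timeout_days(cmdline):
    """For a MaxDisconnectionTime change, return the new limit in days (the DWORD is milliseconds)."""
    if not RULES["rdp_timeout_tamper"].search(cmdline):
        return None
    m = REG_DWORD_VALUE.search(cmdline)
    return int(m.group(1), 0) / 86_400_000 if m else None


def triage(cmdlines):
    """Group hits per behaviour and flag a host where two or more of them co-occur."""
    hits = {name: [] for name in RULES}
    for line in cmdlines:
        for name in classify(line):
            hits[name].append(line)
    seen = [name for name, lines in hits.items() if lines]
    return {"hits": hits, "behaviours": seen, "suspected_ransomware": len(seen) >= 2}


if __name__ == "__main__":
    result = triage(SAMPLE_CMDLINES)
    for name in result["behaviours"]:
        print(f"{name}: {result['hits'][name]}")
    print("suspected ransomware activity:", result["suspected_ransomware"])
```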
File Information