Pages

Monday, September 2, 2024

2024-08-29 UNDERGROUND Ransomware Samples





The Underground ransomware is likely spread by the RomCom group (also known as Storm-0978). The group exploits the Microsoft Office and Windows HTML RCE vulnerability (CVE-2023-36884). Other methods, such as phishing emails and access via Initial Access Brokers (IABs), may also be used.

    • Shadow Copies Deletion: It removes all shadow copies to prevent file recovery:
    • bash
    • Copy code
    • vssadmin.exe delete shadows /all /quiet
    • RDP Session Limits: Sets a 14-day limit on Remote Desktop sessions to maintain persistence:
    • bash
    • Copy code
    • reg.exe add HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services / v MaxDisconnectionTime / t REG_DWORD / d 1209600000 / f
    • SQL Server Service Stop: Halts the MS SQL Server service to disrupt operations:
    • bash
    • Copy code
    • net.exe stop MSSQLSERVER /f /m
    • Ransom Note Deployment: Drops a ransom note named “!!readme!!!.txt” in directories containing encrypted files.
  • File Encryption: The ransomware encrypts files without altering their extensions, making it harder to visually identify encrypted files. It avoids encrypting critical system files (e.g., .sys, .exe, .dll) to maintain system functionality.
  • Log and File Deletion: It creates and runs a script (temp.cmd) to delete the original ransomware file and clear Windows Event logs, complicating forensic analysis.
  • Data Leak Site: The ransomware group maintains a site where they post stolen data from their victims, spanning industries such as construction, pharmaceuticals, and manufacturing. As of July 2024, they have listed 16 victims.
  • Telegram Channel: The group also uses a Telegram channel to distribute stolen data, with links to files hosted on Mega, a cloud storage service.





File Information


├── 9d41b2f7c07110fb855c62b5e7e330a597860916599e73dd3505694fd1bbe163 enc getswin x64 exe 
├── 9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f exe 
├── cc80c74a3592374341324d607d877dcf564d326a1354f3f2a4af58030e716813 exe 
├── d4a847fa9c4c7130a852a2e197b205493170a8b44426d9ec481fc4b285a92666 exe 
└── eb8ed3b94fa978b27a02754d4f41ffc95ed95b9e62afb492015d0eb25f89956f exe 

No comments:

Post a Comment