2024-08-29 Fortinet Ransomware Roundup – Underground

The Underground ransomware is likely spread by the RomCom group (also known as Storm-0978). The group exploits the Microsoft Office and Windows HTML RCE vulnerability (CVE-2023-36884). Other methods, such as phishing emails and access via Initial Access Brokers (IABs), may also be used.

Shadow Copies Deletion: It removes all shadow copies to prevent file recovery:

    vssadmin.exe delete shadows /all /quiet

RDP Session Limits: Sets a 14-day limit on disconnected Remote Desktop sessions to maintain persistence (the value is in milliseconds):

    reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v MaxDisconnectionTime /t REG_DWORD /d 1209600000 /f

SQL Server Service Stop: Halts the MS SQL Server service to disrupt operations:

    net.exe stop MSSQLSERVER /f /m

Ransom Note Deployment: Drops a ransom note named "!!readme!!!.txt" in directories containing encrypted files.

File Encryption: The ransomware encrypts files without altering their extensions, making it harder to visually identify encrypted files. It avoids encrypting critical system files (e.g., .sys, .exe, .dll) to maintain system functionality.

Log and File Deletion: It creates and runs a script (temp.cmd) to delete the original ransomware file and clear Windows Event logs, complicating forensic analysis.

Data Leak Site: The ransomware group maintains a site where they post stolen data from their victims, spanning industries such as construction, pharmaceuticals, and manufacturing. As of July 2024, they have listed 16 victims.

Telegram Channel: The group also uses a Telegram channel to distribute stolen data, with links to files hosted on Mega, a cloud storage service.
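The three command lines above are the most useful host-level detection points in this summary. The following is an added example, not code from the contagio post or from Fortinet: a small Python detector that runs over process-creation log lines and flags the shadow-copy deletion, the MaxDisconnectionTime registry change, the MSSQLSERVER service stop and the temp.cmd cleanup script, then reports hosts on which several of these fired together. The log lines, the pipe-separated "timestamp|host|parent|image|commandline" layout, and the host names are constructed for the example; the MITRE ATT&CK technique IDs are standard identifiers, not taken from the page.

```python
"""Added example (not part of the original post): flag Underground ransomware
command lines in process-creation logs. Log format and sample events are
constructed: timestamp|host|parent_image|image|command_line."""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample events; only the four lines matching the page's TTPs should fire.
SAMPLE_LOG = r"""2024-08-29T10:01:02Z|WS-FIN-07|explorer.exe|C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
2024-08-29T10:01:03Z|WS-FIN-07|cmd.exe|C:\Windows\System32\reg.exe|reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v MaxDisconnectionTime /t REG_DWORD /d 1209600000 /f
2024-08-29T10:01:04Z|SQL-01|cmd.exe|C:\Windows\System32\net.exe|net.exe stop MSSQLSERVER /f /m
2024-08-29T10:01:05Z|WS-FIN-07|cmd.exe|C:\Windows\System32\cmd.exe|cmd.exe /c C:\Users\Public\temp.cmd
2024-08-29T10:05:00Z|WS-FIN-07|explorer.exe|C:\Windows\System32\vssadmin.exe|vssadmin.exe list shadows
2024-08-29T10:06:00Z|WS-HR-02|svchost.exe|C:\Windows\System32\net.exe|net.exe use Z: \\fs01\share
"""

# (rule name, regex over the normalised command line, ATT&CK technique ID).
# Technique IDs are standard MITRE identifiers (assumed mapping, not from the page).
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\b.*\s/all\b", re.I), "T1490"),
    ("rdp_maxdisconnectiontime",
     re.compile(r"reg(\.exe)?\s+add\b.*terminal services.*maxdisconnectiontime", re.I), "T1112"),
    ("mssql_service_stop",
     re.compile(r"net1?(\.exe)?\s+stop\s+mssqlserver\b", re.I), "T1489"),
    ("temp_cmd_cleanup",
     re.compile(r"\btemp\.cmd\b", re.I), "T1070"),
]

RDP_VALUE = re.compile(r"/d\s+(\d+)", re.I)


def normalise(cmdline: str) -> str:
    """Collapse whitespace, drop quotes and lowercase so a rule matches both
    quoted and unquoted spellings of the same command (e.g. the reg.exe key path)."""
    return re.sub(r"\s+", " ", cmdline.replace('"', "")).strip().lower()


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one pipe-separated event; return None for malformed lines."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        return None
    ts, host, parent, image, cmdline = parts
    return {"ts": ts, "host": host, "parent": parent, "image": image, "cmdline": cmdline}


def rdp_disconnect_days(cmdline: str) -> Optional[float]:
    """Convert the MaxDisconnectionTime /d value (milliseconds) to days."""
    m = RDP_VALUE.search(cmdline)
    return int(m.group(1)) / 86_400_000 if m else None


def scan(log_text: str) -> List[Dict[str, object]]:
    """Return one hit per (event, rule) match, carrying host, time and technique."""
    hits: List[Dict[str, object]] = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        norm = normalise(ev["cmdline"])
        for name, pattern, technique in RULES:
            if pattern.search(norm):
                hit: Dict[str, object] = {"host": ev["host"], "ts": ev["ts"], "rule": name,
                                          "technique": technique, "cmdline": ev["cmdline"]}
                if name == "rdp_maxdisconnectiontime":
                    hit["limit_days"] = rdp_disconnect_days(norm)
                hits.append(hit)
    return hits


def hosts_with_chain(hits: List[Dict[str, object]], min_rules: int = 2) -> List[str]:
    """Hosts on which at least `min_rules` distinct rules fired. A single command
    (an admin running vssadmin) is weak evidence; the combination is the
    ransomware pattern described in the roundup."""
    per_host: Dict[str, set] = defaultdict(set)
    for h in hits:
        per_host[str(h["host"])].add(str(h["rule"]))
    return sorted(host for host, rules in per_host.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['host']:<10} {h['rule']:<26} {h['technique']}  {h['cmdline']}")
    print("hosts with a multi-step chain:", hosts_with_chain(found))
```

On the constructed log the detector fires four times (one per documented command plus the temp.cmd launch) and the chain check reports only WS-FIN-07, because the lone MSSQLSERVER stop on SQL-01 is not enough on its own; the `vssadmin list shadows` and `net use` events are left alone.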

Download. Email me if you need the password scheme.

File Information
├── 9d41b2f7c07110fb855c62b5e7e330a597860916599e73dd3505694fd1bbe163 enc getswin x64 exe 
├── 9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f exe 
├── cc80c74a3592374341324d607d877dcf564d326a1354f3f2a4af58030e716813 exe 
├── d4a847fa9c4c7130a852a2e197b205493170a8b44426d9ec481fc4b285a92666 exe 
└── eb8ed3b94fa978b27a02754d4f41ffc95ed95b9e62afb492015d0eb25f89956f exe 

Article Link: contagio: 2024-08-29 UNDERGROUND Ransomware Samples

