Ransomware Insights: Underground Trends from FortiGuard Labs

FortiGuard Labs outlines Underground ransomware, which encrypts files on Windows and demands a ransom for decryption, deployed by the RomCom group (Storm-0978). The report covers its infection methods, victim profiles, and Fortinet protections against it. #UndergroundRansomware #RomCom #Storm-0978 #CVE-2023-36884

Key points

  • Underground ransomware targets Microsoft Windows and encrypts victim files, demanding a decryptor in exchange for payment.
  • The attack group associated with Underground is RomCom (Storm-0978).
  • The first observed activity was in July 2023, with a data leak site posting victims starting mid‑July 2023.
  • Exploited vulnerability: CVE-2023-36884 (Microsoft Office/Windows HTML RCE).
  • Infection vectors include email and Initial Access Brokers (IABs); phishing remains a common delivery path.
  • Victim data leaks span diverse industries (construction, pharmaceuticals, banking, etc.), with 16 victims listed so far.
  • Fortinet protections and best practices emphasize up-to-date antivirus/IPS, phishing awareness, backups, and network security enhancements.

MITRE Techniques

  • [T1059] Command and Scripting Interpreter – Execution of malicious scripts or commands to perform actions on the system. Quote: ‘The ransomware deletes shadow copies with the following command: vssadmin.exe delete shadows /all /quiet’ and ‘reg.exe add HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services /v MaxDisconnectionTime /t REG_DWORD /d 1209600000 /f’ and ‘net.exe stop MSSQLSERVER /f /m’
  • [T1112] Modify Registry – The ransomware modifies registry settings (MaxDisconnectionTime) to affect session behavior. Quote: ‘reg.exe add HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services /v MaxDisconnectionTime /t REG_DWORD /d 1209600000 /f’
  • [T1490] Inhibit System Recovery – Shadow copies are deleted to hinder recovery. Quote: ‘vssadmin.exe delete shadows /all /quiet’
  • [T1489] Service Stop – The ransomware stops a critical service (MSSQLSERVER) to disrupt operations. Quote: ‘net.exe stop MSSQLSERVER /f /m’
  • [T1486] Data Encrypted for Impact – Files are encrypted on Windows machines and ransom notes are dropped. Quote: ‘Like most ransomware, this ransomware encrypts files on victims’ Windows machines and demands a ransom to decrypt them via dropped ransom notes.’
  • [T1070.001] Indicator Removal on Host: Clear Windows Event Logs – Logs are deleted to cover tracks. Quote: ‘Obtains a list of Windows Event logs and deletes them’
  • [T1566] Phishing – Infection vectors include email and initial access brokers. Quote: ‘Infection Vector: Email and Initial Access Brokers (IAB)’
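The three commands quoted above (shadow-copy deletion, the MaxDisconnectionTime registry change, and the MSSQLSERVER service stop) make a compact pre-encryption detection signature. The following is an added example, not code from FortiGuard Labs, that runs those rules over constructed process-creation records; the `timestamp|host|parent image|command line` layout and the host names are assumptions for the demo.

```python
import re

# Constructed process-creation records for the demo (not taken from the report).
# Assumed field layout: timestamp|host|parent image|command line.
SAMPLE_EVENTS = [
    r'2023-07-18T10:01:02Z|WS01|C:\Windows\System32\cmd.exe|vssadmin.exe delete shadows /all /quiet',
    r'2023-07-18T10:01:03Z|WS01|C:\Windows\System32\cmd.exe|reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v MaxDisconnectionTime /t REG_DWORD /d 1209600000 /f',
    r'2023-07-18T10:01:04Z|WS01|C:\Windows\System32\cmd.exe|net.exe stop MSSQLSERVER /f /m',
    r'2023-07-18T10:05:00Z|WS02|C:\Windows\explorer.exe|notepad.exe C:\Users\a\notes.txt',
    r'2023-07-18T10:06:00Z|WS02|C:\Windows\System32\cmd.exe|vssadmin list shadows',
]

# One rule per quoted command, keyed by the MITRE technique it maps to.
# Matching is case-insensitive on a whitespace-normalised command line and
# tolerates the bare image name (vssadmin) as well as vssadmin.exe.
RULES = {
    "T1490": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "T1112": re.compile(r"\breg(?:\.exe)?\s+add\b.*\\terminal services.*\bmaxdisconnectiontime\b", re.I),
    "T1489": re.compile(r"\bnet1?(?:\.exe)?\s+stop\s+mssqlserver\b", re.I),
}


def detect(command_line):
    """Return the technique IDs whose rule matches this command line."""
    normalised = " ".join(command_line.split())
    return [tid for tid, rx in RULES.items() if rx.search(normalised)]


def scan(events):
    """Group hits by host: {host: set(technique IDs)}; hosts with no hits are omitted."""
    hits = {}
    for event in events:
        _ts, host, _parent, cmd = event.split("|", 3)
        for tid in detect(cmd):
            hits.setdefault(host, set()).add(tid)
    return hits


def hosts_with_full_chain(events):
    """Hosts on which all three pre-encryption commands were seen (high-confidence alert)."""
    return sorted(h for h, tids in scan(events).items() if tids >= set(RULES))


if __name__ == "__main__":
    for host, tids in scan(SAMPLE_EVENTS).items():
        print(host, sorted(tids))
    print("full chain on:", hosts_with_full_chain(SAMPLE_EVENTS))
```

A single vssadmin or net stop hit is noisy on its own; alerting on the full chain per host, as `hosts_with_full_chain` does, keeps the signal tied to the behaviour the report describes.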

Indicators of Compromise

  • [SHA2] Underground ransomware file IOCs – 9543f71d7c4e394223c9d41ccef71541e1f1eb0cc76e8fa0f632b8365069af64, 9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f and 4 other hashes

Read more: https://feeds.fortinet.com/~/903758144/0/fortinet/blog/threat-research~Ransomware-Roundup-Underground