The Russian threat group RomCom, also tracked as Storm-0978, has been distributing the Underground ransomware by exploiting CVE-2023-36884, a remote code execution zero-day in Microsoft Office and Windows HTML.
Like typical ransomware, it encrypts files on victims' Windows machines and then drops ransom notes demanding payment to restore them.
The campaign exploited CVE-2023-36884 through specially crafted Microsoft Office documents delivered by phishing.
The group may also use other infection vectors, such as phishing email campaigns or access bought from an Initial Access Broker (IAB).
How Is The Attack Executed?
According to Fortinet, once executed the Underground ransomware first deletes the volume shadow copies, removing the easiest local recovery path.
It then modifies the registry setting that limits how long a disconnected Remote Desktop/Terminal Server session stays active on the server, raising it to 14 days after the user disconnects, which keeps remote sessions usable long after the operator has logged off.
Next it stops the MS SQL Server service (a common step to release file locks so database files can be encrypted) and drops a ransom note named "!!readme!!!.txt":
"Your files are currently encrypted, they can be restored to their original state with a decryptor key that only we have," the ransom note reads.
“The key is in a single copy on our server. Attempting to recover data by your own efforts may result in data loss”.
The ransomware also creates and runs a batch file, temp.cmd, which deletes the malware's original executable, retrieves the list of Windows Event logs, and then clears each of them to remove forensic evidence of the infection.
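Every step of the execution chain described above leaves a process-creation record, so it lends itself to behavioural detection. The following Python example is added here and is not code from the article or from Fortinet's report: it runs a small rule set over constructed process-creation events (Sysmon Event ID 1 / Security 4688 style) and alerts only when several of the described behaviours appear in the same process tree. The sample events, the exact command-line syntax, and the registry key and value name used for the 14-day session limit (the Terminal Services policy value MaxDisconnectionTime, in milliseconds) are assumptions based on how Windows implements that setting, not indicators quoted from the page.

```python
"""Behavioural detection for the Underground ransomware execution chain (added example)."""
import re
from collections import defaultdict

# Constructed process-creation events in Sysmon Event ID 1 / Security 4688 style.
# They are NOT from the article or Fortinet's report; command-line syntax is an assumption.
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 3988, "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"pid": 4128, "ppid": 3988, "cmdline": (
        r'reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" '
        r"/v MaxDisconnectionTime /t REG_DWORD /d 1209600000 /f")},
    {"pid": 4136, "ppid": 3988, "cmdline": "net.exe stop MSSQLSERVER /y"},
    {"pid": 4150, "ppid": 3988, "cmdline": r"cmd.exe /c C:\Users\Public\temp.cmd"},
    {"pid": 4160, "ppid": 4150, "cmdline": "wevtutil.exe el"},
    {"pid": 4170, "ppid": 4150, "cmdline": "wevtutil.exe cl Security"},
    # Benign noise from an unrelated tree: a backup agent listing shadows, an admin querying a log.
    {"pid": 900, "ppid": 700, "cmdline": "vssadmin.exe list shadows"},
    {"pid": 910, "ppid": 700, "cmdline": "wevtutil.exe qe Application /c:5"},
]

# Technique name -> case-insensitive regex over the process command line.
# Registry path / value name for the RDP session limit is an assumption (see lead-in).
RULES = {
    "shadow_copy_deletion": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "rdp_disconnect_timeout_tamper": re.compile(
        r"\breg(?:\.exe)?\s+add\b.*Terminal Services.*\bMaxDisconnectionTime\b", re.I),
    "mssql_service_stop": re.compile(r"\bnet(?:\.exe)?\s+stop\s+MSSQL", re.I),
    "temp_cmd_execution": re.compile(r"\btemp\.cmd\b", re.I),
    "event_log_enumeration": re.compile(r"\bwevtutil(?:\.exe)?\s+el\b", re.I),
    "event_log_clearing": re.compile(r"\bwevtutil(?:\.exe)?\s+cl\s+\S+", re.I),
}

MS_PER_DAY = 24 * 60 * 60 * 1000  # MaxDisconnectionTime is stored in milliseconds


def match_techniques(cmdline):
    """Return the set of technique names whose regex matches this command line."""
    return {name for name, rx in RULES.items() if rx.search(cmdline)}


def reg_dword(cmdline):
    """Parse 'reg add ... /v NAME /t REG_DWORD /d DATA' into (NAME, int) or None.
    Accepts decimal or 0x-prefixed hex data, as reg.exe does."""
    m = re.search(r"/v\s+(\S+)\s+/t\s+REG_DWORD\s+/d\s+(0x[0-9A-Fa-f]+|\d+)", cmdline, re.I)
    if not m:
        return None
    name, data = m.group(1), m.group(2)
    return name, (int(data, 16) if data.lower().startswith("0x") else int(data))


def rdp_disconnect_timeout_days(cmdline):
    """If the command sets MaxDisconnectionTime, return the new limit converted to days."""
    parsed = reg_dword(cmdline)
    if parsed is None or parsed[0].lower() != "maxdisconnectiontime":
        return None
    return parsed[1] / MS_PER_DAY


def process_root(pid, parent_of):
    """Follow ppid links up to the first ancestor we have no event for; that pid
    identifies the process tree (loop-guarded in case of pid reuse)."""
    seen = set()
    while pid in parent_of and pid not in seen:
        seen.add(pid)
        pid = parent_of[pid]
    return pid


def detect(events, threshold=3):
    """Group matches by process tree and return [(root_pid, sorted techniques)] for every
    tree showing at least `threshold` distinct techniques. Single matches never alert."""
    parent_of = {e["pid"]: e["ppid"] for e in events}
    per_tree = defaultdict(set)
    for e in events:
        techs = match_techniques(e["cmdline"])
        if techs:
            per_tree[process_root(e["pid"], parent_of)] |= techs
    return [(root, sorted(t)) for root, t in sorted(per_tree.items()) if len(t) >= threshold]


if __name__ == "__main__":
    for root, techs in detect(SAMPLE_EVENTS):
        print(f"ALERT process tree under pid {root}: {', '.join(techs)}")
    for e in SAMPLE_EVENTS:
        days = rdp_disconnect_timeout_days(e["cmdline"])
        if days is not None:
            print(f"pid {e['pid']} set the RDP disconnect limit to {days:g} days")
```

Grouping by process tree rather than alerting on single commands keeps a backup agent's `vssadmin list shadows` or an administrator's `wevtutil qe` quiet, while a tree that deletes shadows, retunes the session limit, stops MSSQL and clears logs scores on all of them. On a real host the registry change would additionally surface as a Sysmon Event ID 13 (value set) on that key, and the log clearing as Security Event ID 1102.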
The Underground group also runs a data leak site where it publishes data stolen from victims.
As of the most recent addition on July 3, 2024, 16 victims are listed there.
The listed victims span construction, banking, pharmaceuticals, professional services, medicine, manufacturing, and business services, and are located in the USA, France, Korea, Spain, Slovakia, Taiwan, Singapore, and Canada.
The site also carries a drop-down menu listing the industries the group targets or intends to target.
The group opened a Telegram channel on March 21, 2024, and has used Mega, a cloud storage provider, to host data stolen from victims.
Because such intrusions are easy to trigger, disrupt normal operations, damage an organization's reputation, and can end in the deletion or public release of personally identifiable information (PII), organizations should apply Microsoft's patch for CVE-2023-36884, keep AV and IPS signatures up to date, and treat shadow copy deletion, event log clearing, and changes to Terminal Services session limits as high-priority alerts.