URL: https://www.fortinet.com/blog/threat-research/ransomware-roundup-underground

FortiGuard Labs Threat Research


RANSOMWARE ROUNDUP - UNDERGROUND

By Shunichi Imano, James Slaughter and Fred Gutierrez | August 30, 2024
 * Article Contents
   * Underground Ransomware Overview
     * Infection Vector
     * Attack Method
     * Victimology and Data Leak Site
   * Fortinet Protections
   * IOCs
   * FortiGuard Labs Guidance
     * Best Practices Include Not Paying a Ransom
   * How Fortinet Can Help


FortiGuard Labs gathers data on ransomware variants of interest that have been
gaining traction within our datasets and the OSINT community. The Ransomware
Roundup report aims to provide readers with brief insights into the evolving
ransomware landscape and the Fortinet solutions that protect against those
variants.

This edition of the Ransomware Roundup covers the Underground ransomware.

Affected platforms: Microsoft Windows
Impacted parties: Microsoft Windows users
Impact: Encrypts victims' files and demands ransom for file decryption
Severity level: High


UNDERGROUND RANSOMWARE OVERVIEW

The first sample of Underground ransomware was observed in early July 2023 on a
publicly available file-scanning service. This roughly coincides with the first
victim posted on its data leak site on July 13, 2023.

Like most ransomware, Underground encrypts files on victims' Windows machines
and, through dropped ransom notes, demands payment for their decryption.


INFECTION VECTOR

Online reports indicate that the Russia-based RomCom group, also tracked as
Storm-0978, deploys the Underground ransomware. The group is known to exploit
CVE-2023-36884 (Microsoft Office and Windows HTML RCE vulnerability), which may
be the infection vector for the ransomware.

FortiGuard Labs published an Outbreak Alert on CVE-2023-36884 on July 13, 2023.

 * Outbreak Alert: Microsoft Office and Windows HTML RCE Vulnerability

The group may also rely on other common infection vectors, such as phishing
email and access purchased from an Initial Access Broker (IAB).


ATTACK METHOD

Once executed, the Underground ransomware deletes shadow copies with the
following command:

 * vssadmin.exe delete shadows /all /quiet

The ransomware then sets the time limit for disconnected Remote Desktop/Terminal
Server sessions to 14 days (1209600000 milliseconds), so that a session the
operator disconnects from is kept alive on the server instead of being logged
off. It does so with the following command (the key path contains a space and
must be quoted):

 * reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v MaxDisconnectionTime /t REG_DWORD /d 1209600000 /f

It then stops the MS SQL Server service, releasing database files so they can
be encrypted, with the following command:

 * net.exe stop MSSQLSERVER /f /m

The ransomware then drops a ransom note named “!!readme!!!.txt”:


Figure 1: The Underground ransomware ransom note

Although it encrypts file contents, the ransomware does not change or append
file extensions, so encrypted files keep their original names.


Figure 2: A text file before file encryption




Figure 3: A text file after file encryption

It also avoids encrypting files with the following extensions:

.sys, .exe, .dll, .bat, .bin, .cmd, .com, .cpl, .gadget, .inf1, .ins, .inx,
.isu, .job, .jse, .lnk, .msc, .msi, .mst, .paf, .pif, .ps1, .reg, .rgs, .scr,
.sct, .shb, .shs, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsh, .wsf
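Because Underground keeps file names and extensions intact, a responder cannot find encrypted files by listing a renamed extension. The following triage helper is an added example written for this article, not code from the FortiGuard Labs report: it walks a directory, skips the extensions the report says are left untouched, and flags files whose content has near-random byte entropy and no recognizable header. The entropy threshold, the minimum size, the magic-byte table and the sample files are this example's own assumptions.

```python
"""Host triage for ransomware that encrypts content but leaves names unchanged.
Added example, not code from the FortiGuard Labs report. The entropy threshold,
minimum size, magic-byte table and sample tree are assumptions made here."""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extensions the report lists as skipped by the ransomware.
SKIPPED_EXTENSIONS = {
    ".sys", ".exe", ".dll", ".bat", ".bin", ".cmd", ".com", ".cpl", ".gadget",
    ".inf1", ".ins", ".inx", ".isu", ".job", ".jse", ".lnk", ".msc", ".msi",
    ".mst", ".paf", ".pif", ".ps1", ".reg", ".rgs", ".scr", ".sct", ".shb",
    ".shs", ".u3p", ".vb", ".vbe", ".vbs", ".vbscript", ".ws", ".wsh", ".wsf",
}
RANSOM_NOTE = "!!readme!!!.txt"   # ransom note name from the report
ENTROPY_THRESHOLD = 7.5           # assumption: bits per byte; ciphertext approaches 8.0
MIN_SIZE = 256                    # assumption: tiny files give noisy entropy estimates
# Assumption: a file that still begins with a well-known header was not encrypted.
# Compressed formats (zip/OOXML, PDF, PNG, JPEG) are high-entropy but intact.
KNOWN_MAGIC = (b"PK\x03\x04", b"%PDF-", b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"MZ")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: Path) -> str:
    """Return one of 'note', 'skipped', 'suspect' or 'clean' for a single file."""
    if path.name.lower() == RANSOM_NOTE:
        return "note"
    if path.suffix.lower() in SKIPPED_EXTENSIONS:
        return "skipped"
    data = path.read_bytes()
    if len(data) < MIN_SIZE or data.startswith(KNOWN_MAGIC):
        return "clean"
    return "suspect" if shannon_entropy(data) >= ENTROPY_THRESHOLD else "clean"


def triage(root: Path) -> dict[str, list[str]]:
    """Walk root and bucket every regular file by classify_file()."""
    buckets: dict[str, list[str]] = {"note": [], "skipped": [], "suspect": [], "clean": []}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            buckets[classify_file(path)].append(path.relative_to(root).as_posix())
    return buckets


def build_sample_tree(root: Path) -> None:
    """Constructed sample data standing in for a hit share; not real victim files."""
    (root / "notes.txt").write_bytes(b"quarterly figures, plain text\n" * 40)  # readable -> clean
    (root / "ledger.dat").write_bytes(os.urandom(4096))                        # stands in for ciphertext
    (root / "scan.pdf").write_bytes(b"%PDF-1.7\n" + os.urandom(4096))          # intact header -> clean
    (root / "setup.exe").write_bytes(os.urandom(4096))                         # skipped by extension
    (root / RANSOM_NOTE).write_text("Your files are encrypted.")


def demo() -> dict[str, list[str]]:
    """Build the sample tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    for bucket, files in demo().items():
        print(f"{bucket:8s} {files}")
```

Entropy alone over-flags archives, Office OOXML documents, images and other already-compressed formats, which is why the header check is applied first; treat "suspect" hits as candidates to confirm against backups or known-good copies, not as a verdict.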

Finally, the ransomware creates and executes temp.cmd, which performs the
following actions:

 * Deletes the original ransomware executable
 * Enumerates the Windows Event Logs and clears them
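The command sequence above (shadow copy deletion, the MaxDisconnectionTime registry change, the MSSQLSERVER stop and the event log wipe) is visible in process-creation telemetry before encryption finishes. The detection below is an added example, not part of the FortiGuard Labs report: it runs a small rule set over constructed Sysmon-style process-creation events and escalates only when several distinct actions fire on one host inside a short window, since a lone "net stop MSSQLSERVER" is ordinary maintenance. The JSON event shape, the host names and the assumption that temp.cmd clears logs with wevtutil are this example's own.

```python
"""Detection of the Underground command chain over process-creation events.
Added example, not from the FortiGuard Labs report. The JSON event shape, host
names and the use of wevtutil for the event-log wipe are assumptions made here."""
import json
import re
from datetime import datetime

# One rule per reported action; each is a regex over the process command line.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("rdp_disconnect_timeout_extended",
     re.compile(r"\breg(\.exe)?\s+add\b.*Terminal Services.*MaxDisconnectionTime", re.I)),
    ("mssql_service_stop",
     re.compile(r"\bnet(\.exe)?\s+stop\s+MSSQLSERVER\b", re.I)),
    ("event_log_clearing",  # assumption: temp.cmd clears logs via wevtutil
     re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
]

# Constructed Sysmon-style process-creation events (not real telemetry).
SAMPLE_LOG = [json.dumps(e) for e in [
    {"host": "WS01", "time": "2024-07-01T09:00:00", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS01", "time": "2024-07-01T09:00:01", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" '
                r"/v MaxDisconnectionTime /t REG_DWORD /d 1209600000 /f"},
    {"host": "WS01", "time": "2024-07-01T09:00:02", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net.exe stop MSSQLSERVER /f /m"},
    {"host": "WS01", "time": "2024-07-01T09:00:05", "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": "wevtutil.exe cl Security"},
    {"host": "SRV02", "time": "2024-07-01T11:30:00", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"host": "SRV02", "time": "2024-07-01T11:31:00", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},                 # benign: list, not delete
    {"host": "ADMIN01", "time": "2024-07-01T14:00:00", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net stop MSSQLSERVER"},                      # planned maintenance, one hit only
]]


def match_commandline(cmdline: str) -> list[str]:
    """Names of every rule whose pattern matches the command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan(lines: list[str]) -> list[dict]:
    """Parse JSON event lines and return one hit per event that trips a rule."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        names = match_commandline(ev.get("cmdline", ""))
        if names:
            hits.append({"host": ev["host"], "time": datetime.fromisoformat(ev["time"]),
                         "image": ev.get("image", ""), "rules": names})
    return hits


def escalate(hits: list[dict], window_seconds: int = 600, min_distinct: int = 2) -> list[str]:
    """Hosts on which at least min_distinct different rules fired within one window."""
    by_host: dict[str, list[dict]] = {}
    for h in hits:
        by_host.setdefault(h["host"], []).append(h)
    flagged = []
    for host, host_hits in by_host.items():
        host_hits.sort(key=lambda h: h["time"])
        for i, first in enumerate(host_hits):
            seen: set[str] = set()
            for h in host_hits[i:]:
                if (h["time"] - first["time"]).total_seconds() > window_seconds:
                    break
                seen.update(h["rules"])
            if len(seen) >= min_distinct:
                flagged.append(host)
                break
    return sorted(flagged)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(h["time"].isoformat(), h["host"], ", ".join(h["rules"]))
    print("escalate:", escalate(found))
```

Each single rule is a useful alert on its own (shadow copy deletion in particular), but the correlation step is what separates this chain from routine administration; tune the window and the minimum number of distinct actions to the noise level of your own environment.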


VICTIMOLOGY AND DATA LEAK SITE

The Underground ransomware has a data leak site that posts victim information,
including data stolen from victims. Currently, the data leak site lists 16
victims, with the most recent victim posted on July 3, 2024. Below is a
breakdown of the victims and their verticals:

Post Date    Location of Victim   Vertical
2024/07/03   USA                  Construction
2024/07/01   France               Pharmaceuticals
2024/06/17   USA                  Professional Services
2024/05/27   USA                  Banking
2024/05/15   USA                  Medicine
2024/05/01   USA                  Industry
2024/04/09   USA                  Business Services
2024/04/09   USA                  Construction
2024/03/25   USA                  Manufacturing
2024/03/06   Korea                Manufacturing
2024/02/12   Spain                Manufacturing
2024/02/02   Germany              Industry
2023/07/31   Slovakia             Business Services
2024/07/18   Taiwan               Industry
2024/07/18   Singapore            Manufacturing
2024/07/14   Canada               Manufacturing


Figure 4: The data leak site for Underground ransomware

The data leak site also includes a drop-down box listing the industries that
the ransomware group targets (or is permitted to target).






Figure 5: One of the victims on the data leak site

The Underground ransomware group also has a Telegram channel that was created on
March 21, 2024.


Figure 6: The Underground ransomware Telegram channel

According to the Telegram channel, the ransomware group has made victims' stolen
data available on Mega, a legitimate cloud storage service that the group abuses
for hosting.


Figure 7: Telegram channel containing links to the stolen information on Mega


FORTINET PROTECTIONS

The Underground ransomware described in this report is detected and blocked by
FortiGuard Antivirus as:

 * W64/IndustrySpy.C!tr.ransom
 * W64/Filecoder_IndustrialSpy.C!tr.ransom
 * Adware/Filecoder_IndustrialSpy
 * Riskware/Ransom

FortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus
service. The FortiGuard AntiVirus engine is a part of each of those solutions.
As a result, customers who have these products with up-to-date protections are
protected.

Please read the outbreak alert for protection against the potential infection
vector (CVE-2023-36884) abused by the Underground ransomware:

 * Outbreak Alert: Microsoft Office and Windows HTML RCE Vulnerability


IOCS

Underground Ransomware File IOCs

SHA-256                                                            Note
9543f71d7c4e394223c9d41ccef71541e1f1eb0cc76e8fa0f632b8365069af64   Underground ransomware
9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f   Underground ransomware
eb8ed3b94fa978b27a02754d4f41ffc95ed95b9e62afb492015d0eb25f89956f   Underground ransomware
9d41b2f7c07110fb855c62b5e7e330a597860916599e73dd3505694fd1bbe163   Underground ransomware
cc80c74a3592374341324d607d877dcf564d326a1354f3f2a4af58030e716813   Underground ransomware
d4a847fa9c4c7130a852a2e197b205493170a8b44426d9ec481fc4b285a92666   Underground ransomware


FORTIGUARD LABS GUIDANCE

Due to the ease of disruption, damage to daily operations, potential impact on
an organization’s reputation, and the unwanted destruction or release of
personally identifiable information (PII), etc., it is vital to keep all AV and
IPS signatures up to date.

Since the majority of ransomware is delivered via phishing, organizations should
consider leveraging Fortinet solutions designed to train users to understand and
detect phishing threats:

 * The FortiPhish Phishing Simulation Service uses real-world simulations to
   help organizations test user awareness and vigilance to phishing threats and
   to train and reinforce proper practices when users encounter targeted
   phishing attacks.
 * Our free Fortinet Certified Fundamentals (FCF) in Cybersecurity training is
   designed to help end users learn about today's threat landscape and
   introduces basic cybersecurity concepts and technology.

Organizations will need to make foundational changes to the frequency, location,
and security of their data backups to effectively deal with the evolving and
rapidly expanding risk of ransomware. When coupled with digital supply chain
compromise and a workforce telecommuting into the network, there is a real risk
that attacks can come from anywhere. Cloud-based security solutions, such
as SASE, to protect off-network devices; advanced endpoint security, such
as EDR (endpoint detection and response) solutions that can disrupt malware
mid-attack; and Zero Trust Access and network segmentation strategies that
restrict access to applications and resources based on policy and context,
should all be investigated to minimize risk and to reduce the impact of a
successful ransomware attack.

As part of the industry's leading fully integrated Security Fabric, delivering
native synergy and automation across your security ecosystem, Fortinet also
provides an extensive portfolio of technology and human-based as-a-service
offerings. These services are powered by our global FortiGuard team of seasoned
cybersecurity experts.

FortiRecon is a SaaS based Digital Risk Prevention Service backed by
cybersecurity experts to provide unrivaled threat intelligence on the latest
threat actor activity across the dark web, providing a rich understanding of
threat actors’ motivations and TTPs. The service can detect evidence of attacks
in progress allowing customers to rapidly respond to and shut down active
threats.


BEST PRACTICES INCLUDE NOT PAYING A RANSOM

Organizations such as CISA, NCSC, the FBI, and HHS caution ransomware victims
against paying a ransom, partly because payment does not guarantee that files
will be recovered. According to an advisory from the US Department of the
Treasury's Office of Foreign Assets Control (OFAC), ransom payments may also
embolden adversaries to target additional organizations, encourage other
criminal actors to distribute ransomware, and fund illicit activity, and a
payment to a sanctioned party may itself violate sanctions regulations. For
organizations and individuals affected by ransomware, the FBI has a Ransomware
Complaint page where victims can submit samples of ransomware activity via its
Internet Crime Complaint Center (IC3).


HOW FORTINET CAN HELP

FortiGuard Labs’ Emergency Incident Response Service provides rapid and
effective response when an incident is detected. Our Incident Readiness
Subscription Service provides tools and guidance to help you better prepare for
a cyber incident through readiness assessments, IR playbook development, and IR
playbook testing (tabletop exercises).

Additionally, FortiRecon Digital Risk Protection (DRP) is a SaaS-based service
that provides a view of what adversaries are seeing, doing, and planning to help
you counter attacks at the reconnaissance phase and significantly reduce the
risk, time, and cost of later-stage threat mitigation.

Tags:

Ransomware Roundup

