The Underground ransomware is likely spread by the RomCom group (also known as Storm-0978). The group exploits the Microsoft Office and Windows HTML RCE vulnerability (CVE-2023-36884). Other methods, such as phishing emails and access via Initial Access Brokers (IABs), may also be used.
Shadow Copy Deletion: It removes all volume shadow copies to prevent file recovery:

```
vssadmin.exe delete shadows /all /quiet
```
RDP Session Limits: Sets the Terminal Services MaxDisconnectionTime policy to 1209600000 ms (14 days) so that disconnected Remote Desktop sessions stay alive, helping the operators maintain persistence (the key path contains spaces and must be quoted for the command to work):

```
reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v MaxDisconnectionTime /t REG_DWORD /d 1209600000 /f
```
SQL Server Service Stop: Halts the MS SQL Server service so that database files are released and can be encrypted, disrupting operations:

```
net.exe stop MSSQLSERVER /f /m
```
Ransom Note Deployment: Drops a ransom note named “!!readme!!!.txt” in directories containing encrypted files.
File Encryption: The ransomware encrypts files without altering their extensions, making it harder to visually identify encrypted files. It avoids encrypting critical system files (e.g., .sys, .exe, .dll) to maintain system functionality.
Log and File Deletion: It creates and runs a script (temp.cmd) to delete the original ransomware file and clear Windows Event logs, complicating forensic analysis.
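The command-line behaviours listed above are well suited to process-creation telemetry (Sysmon Event ID 1, Windows Security 4688 or an EDR feed). The following is an added example, not code from the original write-up or from any vendor report: it runs a small rule set over a constructed batch of process-creation records (the record layout and the PIDs are assumed) and scores how many distinct Underground behaviours appear on one host.

```python
import re
from typing import Dict, List, Optional

# Case-insensitive rules for the behaviours described on this page.
# Benign look-alikes ("vssadmin list shadows", "net start MSSQLSERVER") must not fire.
RULES = {
    "shadow_copy_deletion": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    "rdp_disconnect_timeout": re.compile(
        r"\breg(\.exe)?\s+add\b.*terminal services.*\bMaxDisconnectionTime\b", re.I),
    "mssql_service_stop": re.compile(r"\bnet1?(\.exe)?\s+stop\b.*\bMSSQLSERVER\b", re.I),
    "cleanup_script": re.compile(r"\btemp\.cmd\b", re.I),  # script that deletes the binary and event logs
}

# Constructed process-creation records (not real telemetry); "pid" and "cmd" keys are assumed.
SAMPLE_EVENTS = [
    {"pid": 4120, "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"pid": 4128, "cmd": 'reg.exe add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services" '
                         '/v MaxDisconnectionTime /t REG_DWORD /d 1209600000 /f'},
    {"pid": 4133, "cmd": "net.exe stop MSSQLSERVER /f /m"},
    {"pid": 4140, "cmd": "cmd.exe /c C:\\Users\\Public\\temp.cmd"},
    {"pid": 4150, "cmd": "vssadmin.exe list shadows"},      # routine admin use, must not fire
    {"pid": 4151, "cmd": "net.exe start MSSQLSERVER"},      # routine admin use, must not fire
]

def match_rules(cmdline: str) -> List[str]:
    """Return the names of every rule the command line satisfies."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]

def rdp_timeout_days(cmdline: str) -> Optional[float]:
    """Convert the /d value of a reg.exe add command (decimal or 0x hex) from ms to days."""
    m = re.search(r"/d\s+(0x[0-9a-f]+|\d+)", cmdline, re.I)
    if not m:
        return None
    return int(m.group(1), 0) / 86_400_000  # milliseconds per day

def triage(events: List[Dict]) -> Dict[str, List[int]]:
    """Map each fired rule to the PIDs of the processes that triggered it."""
    hits: Dict[str, List[int]] = {}
    for ev in events:
        for name in match_rules(ev["cmd"]):
            hits.setdefault(name, []).append(ev["pid"])
    return hits

def underground_score(events: List[Dict]) -> int:
    """Number of distinct behaviours seen; several together on one host is a strong chain signal."""
    return len(triage(events))
```

Any single rule can fire on legitimate administration, so alert on the score across a short window rather than on one match alone.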
Data Leak Site: The ransomware group maintains a site where they post stolen data from their victims, spanning industries such as construction, pharmaceuticals, and manufacturing. As of July 2024, they have listed 16 victims.
Telegram Channel: The group also uses a Telegram channel to distribute stolen data, with links to files hosted on Mega, a cloud storage service.