Welcome to our

Cyber Security News Aggregator

Cyber Tzar

provide a

cyber security risk management

platform; including automated penetration tests and risk assesments culminating in a "cyber risk score" out of 1,000, just like a credit score.

First slide label

Some representative placeholder content for the first slide.

Second slide label

Some representative placeholder content for the second slide.

Third slide label

Some representative placeholder content for the third slide.

2024-08-29 UNDERGROUND Ransomware Samples

published on 2024-09-02 17:05:00 UTC by Mila
Content:

2024-08-29 Fortinet Ransomware Roundup - Underground

The Underground ransomware is likely spread by the RomCom group (also known as Storm-0978). The group exploits the Microsoft Office and Windows HTML RCE vulnerability (CVE-2023-36884). Other methods, such as phishing emails and access via Initial Access Brokers (IABs), may also be used.

- Shadow Copies Deletion: It removes all shadow copies to prevent file recovery:
- bash
- Copy code
- vssadmin.exe delete shadows /all /quiet
- RDP Session Limits: Sets a 14-day limit on Remote Desktop sessions to maintain persistence:
- bash
- Copy code
- reg.exe add HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services / v MaxDisconnectionTime / t REG_DWORD / d 1209600000 / f
- SQL Server Service Stop: Halts the MS SQL Server service to disrupt operations:
- bash
- Copy code
- net.exe stop MSSQLSERVER /f /m
- Ransom Note Deployment: Drops a ransom note named “!!readme!!!.txt” in directories containing encrypted files.
File Encryption: The ransomware encrypts files without altering their extensions, making it harder to visually identify encrypted files. It avoids encrypting critical system files (e.g., .sys, .exe, .dll) to maintain system functionality.
Log and File Deletion: It creates and runs a script (temp.cmd) to delete the original ransomware file and clear Windows Event logs, complicating forensic analysis.
Data Leak Site: The ransomware group maintains a site where they post stolen data from their victims, spanning industries such as construction, pharmaceuticals, and manufacturing. As of July 2024, they have listed 16 victims.
Telegram Channel: The group also uses a Telegram channel to distribute stolen data, with links to files hosted on Mega, a cloud storage service.

Download

Download. Email me if you need the password scheme.

File Information

├── 9d41b2f7c07110fb855c62b5e7e330a597860916599e73dd3505694fd1bbe163 enc getswin x64 exe

├── 9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f exe

├── cc80c74a3592374341324d607d877dcf564d326a1354f3f2a4af58030e716813 exe

├── d4a847fa9c4c7130a852a2e197b205493170a8b44426d9ec481fc4b285a92666 exe

└── eb8ed3b94fa978b27a02754d4f41ffc95ed95b9e62afb492015d0eb25f89956f exe

Article: 2024-08-29 UNDERGROUND Ransomware Samples - published 2 months ago.

https://contagiodump.blogspot.com/2024/09/2024-08-29-underground-ransomware.html
Published: 2024 09 02 17:05:00
Received: 2024 09 03 17:49:40
Feed: contagio
Source: contagio
Category: Cyber Security
Topic: Cyber Security
Views: 1