Home Microsoft RomCom Hackers Exploit Microsoft Office Zero-Day to Spread Ransomware

RomCom Hackers Exploit Microsoft Office Zero-Day to Spread Ransomware

0
RomCom Hackers Exploit Microsoft Office Zero-Day to Spread Ransomware

Underground ransomware, a threat primarily targeting Microsoft Windows systems, has been gaining momentum, which encrypts victims’ files, rendering them inaccessible, and demands a ransom payment for decryption. 

An impact of this attack is severe, as it can disrupt operations and lead to significant data loss. Organizations using Microsoft Windows should be vigilant and implement robust security measures to mitigate the risks associated with underground ransomware.

The first instance of ransomware, which targets Windows systems and encrypts files and leaves ransom notes demanding payment for decryption, was discovered in the early part of July 2023. 

One of the victims on the data leak site

The ransomware’s initial detection coincided with the posting of its first victim on its data leak site, which aligns with the typical behavior of ransomware, which often involves file encryption and ransom demands.

The Russia-based RomCom group, also known as Storm-0978, is deploying the Underground ransomware, likely exploiting the CVE-2023-36884 vulnerability in Microsoft Office and Windows HTML RCE, which could be the primary infection vector for the ransomware. 

However, the group may also utilize other common tactics, such as phishing emails or purchasing access from an Initial Access Broker, to gain entry into target systems.

The Underground ransomware ransom note

The Underground ransomware first deletes shadow copies to prevent data recovery. Then, it limits the maximum duration of Remote Desktop sessions to 14 days after user disconnection, potentially hindering data recovery efforts. 

Next, it stops the MS SQL Server service, likely to disrupt database operations and data access. Finally, it creates a ransom note, informing victims of the attack and demanding a ransom payment.

A text file before file encryption

Upon execution, it refrains from modifying file extensions but proceeds to encrypt files by strategically avoiding encrypting essential system files with specific extensions to maintain system functionality. 

After encrypting files, the ransomware generates and executes a temporary command script, temp.cmd, which performs crucial tasks, including the removal of the original ransomware file to prevent its detection and eradication. 

According to Fortinet, the script also targets Windows Event logs, systematically deleting them to hinder any forensic investigation into the ransomware attack.

A text file after file encryption

The Underground ransomware group, active since at least March 2024, has a data leak site where they publish stolen information from their victims, spanning across various industries including construction, pharmaceuticals, banking, and manufacturing, and are primarily located in the United States and Europe. 

The group targets specific industries, as indicated by a dropdown list on their data leak site, and they also utilize Telegram and Mega to distribute stolen data, showcasing their digital footprint and tactics for disseminating compromised information.

Also Read:

NO COMMENTS

LEAVE A REPLY

Please enter your comment!
Please enter your name here