BW Security World

New Underground Ransomware Linked To RomCom Targets Global Industries

FortiGuard Labs warns of the Russia-based RomCom group’s global attacks using the Underground ransomware, exploiting CVE-2023-36884

FortiGuard Labs has uncovered a new ransomware variant, named Underground, linked to the Russia-based RomCom group, also known as Storm-0978. Active since July 2023, this dangerous malware has been targeting various sectors, including construction, pharmaceuticals, banking, and manufacturing. Underground encrypts files on Windows machines, demanding a ransom for decryption.

RomCom is notorious for exploiting vulnerabilities like the Microsoft Office and Windows HTML flaw, tracked as CVE-2023-36884. In addition, the group likely uses phishing emails and purchases system access from Initial Access Brokers (IABs).

Once Underground infiltrates a system, it disables security protections, deletes shadow copies and event logs, and encrypts files. Victims are left with a ransom note titled “!!readme!!!.txt” demanding payment. RomCom also operates a data leak site where it publishes information stolen from those who refuse to comply.

What makes Underground particularly insidious is its ability to encrypt files without changing file extensions, making it harder for victims to determine which files have been affected.
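Because the extension survives encryption, a responder cannot find affected files by name. The added example below (not from the FortiGuard report or the article) shows a triage check that instead compares a file's leading bytes with what its extension promises and measures their entropy, and also looks for the “!!readme!!!.txt” note. The magic-byte table, the entropy threshold and the sample files are constructed assumptions for the demo.

```python
import math
import os
from collections import Counter

# Expected leading bytes for a few document types (assumption: a short
# illustrative table, not a full signature database).
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".png": b"\x89PNG",
}
RANSOM_NOTE = "!!readme!!!.txt"   # note file name reported by FortiGuard Labs
ENTROPY_THRESHOLD = 7.0           # bits per byte; demo value, tune per estate


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text sits around 4-5, ciphertext approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(name: str, head: bytes):
    """Return a reason string if the content no longer matches what the
    extension promises, else None. The extension alone proves nothing,
    because Underground leaves it unchanged."""
    base = os.path.basename(name.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    magic = MAGIC.get(ext)
    if magic is not None and head.startswith(magic):
        return None                           # header intact
    ent = shannon_entropy(head)
    if ent < ENTROPY_THRESHOLD:
        return None                           # low entropy: just an unknown type
    if magic is not None:
        return f"{ext} header missing, entropy {ent:.2f}"
    return f"high entropy {ent:.2f}"


def is_ransom_note(name: str) -> bool:
    return os.path.basename(name.replace("\\", "/")).lower() == RANSOM_NOTE


def scan(files: dict) -> dict:
    """Map each suspicious path to the reason it was flagged."""
    findings = {}
    for path, head in files.items():
        if is_ransom_note(path):
            findings[path] = "ransom note present"
        elif (reason := looks_encrypted(path, head)):
            findings[path] = reason
    return findings


# Constructed sample files (only the first bytes matter). The xlsx stands in
# for an encrypted file: every byte value equally often, entropy exactly 8.0.
SAMPLE = {
    r"C:\Users\alice\Documents\report.pdf": b"%PDF-1.4\n" + b"Hello " * 200,
    r"C:\Users\alice\Documents\budget.xlsx": bytes(range(256)) * 16,
    r"C:\Users\alice\Documents\!!readme!!!.txt": b"Your files are encrypted.",
}

if __name__ == "__main__":
    for path, why in scan(SAMPLE).items():
        print(f"{path}: {why}")
```

On a real host, read only the first few kilobytes of each file into `head`; compressed formats such as .docx or .zip legitimately have high entropy, which is why the intact-header check runs first.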

Underground’s impact is global, with 16 victims listed across countries such as the USA, France, Germany, Spain, Korea, Taiwan, Singapore, and Canada. The group uses a Telegram channel and the cloud storage service Mega to distribute stolen data.

FortiGuard Labs urges organisations to update their systems with patches for known vulnerabilities like CVE-2023-36884 and to train employees to recognise phishing and other attack methods.
