APPLE-SA-2023-07-10-1 Safari 16.5.2

Posted by Apple Product Security via Fulldisclosure on Jul 11

APPLE-SA-2023-07-10-1 Safari 16.5.2

Safari 16.5.2 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT213826.

Apple maintains a Security Updates page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

WebKit
Available for: macOS Big Sur and macOS Monterey
Impact: Processing web content may lead to arbitrary code execution….

Unquoted Path – XAMPP 8.2.4

Posted by Andrey Stoykov on Jul 11

# Exploit Title: XAMPP 8.2.4 – Unquoted Path
# Date: 07/2023
# Exploit Author: Andrey Stoykov
# Version: 8.2.4
# Software Link:
https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/8.2.4/xampp-windows-x64-8.2.4-0-VS16-installer.exe
# Tested on: Windows Server 2022
# Blog: http://msecureltd.blogspot.com/

Steps to Exploit:

1. Search for unquoted paths
2. Generate meterpreter shell
3. Copy shell to XAMPP directory replacing…

Underground Team Ransomware

What is Underground Team Ransomware?

Underground Team is a new ransomware variant that encrypts files on compromised machines and claims to have stolen sensitive data from victims. Although the ransomware encrypts files, file extensions of the affected files stay unchanged. It also deletes Volume Shadow Copies to prevent victims from being able to recover any files that had been encrypted.
The Underground Team ransomware attacker has its own TOR negotiation site, where victims can discuss ransom details with the attacker. The URL of the TOR site is included in the ransom note “!!readme!!!.txt” along with additional information about where the attacker claims to have exfiltrated the information and the type of information. The ransom note also states that the attacker will release the stolen data unless the ransom is paid within three days. The attacker also claims to be willing to help victims improve their network security.

Why is this Significant?

This is significant because Underground Team is a new ransomware strain that can have a significant impact on businesses by encrypting files on compromised machines and potentially stealing confidential data.

What FortiGuard Coverage is Available?

FortiGuard Labs has the following AV signature in place for the known Underground Team ransomware:

W32/FileCoder.75F6!tr.ransom

Critical Patches Issued for Microsoft Products, July 11, 2023

Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Multiple Vulnerabilities in Adobe Products Could Allow for Arbitrary Code Execution

Multiple vulnerabilities have been discovered in Adobe Products, the most severe of which could allow for arbitrary code execution.

Adobe InDesign is a desktop publishing and page layout designing software.
Adobe ColdFusion is a commercial rapid web-application development computing platform.

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

USN-6217-1: .NET vulnerability

McKee-Harris, Matt Cotterell, and Jack Moran discovered that .NET did
not properly update account lockout maximum failed attempts. An
attacker could possibly use this issue to bypass the security feature
and attempt to guess more passwords for an account.

golang-github-macaron-inject-0-0.19.20210110git138e592.fc39

FEDORA-2023-7398c7b4db

Packages in this update:

golang-github-macaron-inject-0-0.19.20210110git138e592.fc39

Update description:

Automatic update for golang-github-macaron-inject-0-0.19.20210110git138e592.fc39.

Changelog

* Tue Jul 11 2023 Mikel Olasagasti Uranga <mikel@olasagasti.info> - 0-0.19
- Fix FTBFS rhbz#2113331 rhbz#2156669
* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0-0.18
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0-0.17
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild

USN-6216-1: lib3mf vulnerability

It was discovered that lib3mf did not properly manage memory under
certain circumstances. If a user were tricked into opening a specially
crafted 3MF file, a local attacker could possibly use this issue to
cause applications using lib3mf to crash, resulting in a denial of
service, or possibly execute arbitrary code.
