Underground Ransomware Gang With New Tactics Against Organizations Worldwide

Over the past year, the Underground ransomware gang has emerged as a formidable threat to organizations across diverse industries and geographies.

First identified in July 2023, the group resurfaced in May 2024 with a Dedicated Leak Site (DLS), signaling a renewed and more sophisticated operational phase.

Their campaigns now span from the United Arab Emirates to South Korea, targeting companies in construction, manufacturing, IT, and beyond.

Victims report encrypted critical assets and threatened data leaks, with ransom demands that exploit both technical and psychological pressure.

In their latest modus operandi, Underground operators meticulously tailor each attack to the victim’s environment.

Initial infiltration often leverages stolen credentials or unpatched vulnerabilities in remote desktop services.

Once inside, they disable shadow copies using the vssadmin delete shadows /all /quiet command, stripping victims of quick rollback options.

Figure: Process of checking the number of initial argument values (Source – ASEC)

ASEC analysts noted that this hands-on approach transforms routine environments into fully compromised landscapes, leaving forensic traces that complicate incident response.

Following reconnaissance, the ransomware proceeds with encryption routines that combine AES symmetric encryption and RSA asymmetric wrapping.

Each file is encrypted with a unique AES key, while the key material and initialization vector (IV) are sealed with a hardcoded RSA public key before being appended to the file.

No external C2 communication occurs during encryption, ensuring that local evidence alone cannot facilitate decryption.

Figure: Final metadata format (Source – ASEC)

The encryption metadata, covering the file's original size, flag sets, version, and magic values, is structured as a 0x18-byte block appended to the end of each file.

Infection Mechanism Deep Dive

The core of Underground’s infection mechanism lies in its multi-stage payload execution. Upon launch, the binary checks its command-line parameters and exits immediately if more than two arguments are detected, a rudimentary anti-analysis safeguard.

The malware then declares a mutex string, “8DC1F7B9D2F4EA58,” to prevent multiple instances.

Without employing advanced sandbox evasion techniques, it swiftly executes pre-encryption routines: deleting shadow copies, modifying a registry value to extend the time limit for disconnected remote desktop sessions, and halting SQL services with commands such as:

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v MaxDisconnectionTime /t REG_DWORD /d 1209600000 /f
net stop MSSQLSERVER /f /m
net stop SQLSERVERAGENT /f /m
net stop MSSQLFDLauncher /f /m

Figure: SystemTime 6 months ago being passed to the encryption-related function (Source – ASEC)

By excluding system directories and executable extensions (such as .exe, .dll, and .sys), the malware avoids crippling the operating system and focuses its destructive power on user-generated content.

Figure: Structural change between the original file and the encrypted file (Source – ASEC)

Once the environment is primed, a 0x30-byte random number is generated via the BCrypt API, partitioned into a 0x20-byte AES key and a 0x10-byte IV.

Files are read into memory, encrypted in place, and then appended with the RSA-encrypted key material (0x200 bytes).

For large files, a striping method encrypts head, tail, and periodic segments using flag values that dictate encryption unit size and gap intervals, balancing performance and file impact.

Finally, the ransomware deploys an _eraser.bat script to purge Windows event logs via wevtutil.exe, erasing traces of its activity and hindering root cause analysis.
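The pre-encryption commands listed above and the event-log purge via wevtutil.exe are loud enough to detect from process-creation telemetry. The following added example (not code from the article or from ASEC) correlates those indicators per host: it classifies constructed log lines in an assumed `timestamp|host|command_line` format and raises an alert when several distinct pre-encryption categories occur on one host within a short window, so a lone routine `net stop` does not fire.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line patterns for the pre-encryption steps described in the article.
INDICATORS = {
    "shadow_copy_deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\s+/all", re.I),
    "rdp_disconnect_tuning": re.compile(r"reg(\.exe)?\s+add\s+.*terminal services.*maxdisconnectiontime", re.I),
    "sql_service_stop": re.compile(r"net(\.exe)?\s+stop\s+(MSSQLSERVER|SQLSERVERAGENT|MSSQLFDLauncher)\b", re.I),
    "event_log_wipe": re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
}

WINDOW = timedelta(minutes=10)   # assumed correlation window
ALERT_THRESHOLD = 2              # distinct categories needed on one host

# Constructed sample telemetry (format assumed: ISO timestamp|host|command line).
SAMPLE_LOG = [
    "2024-05-02T09:14:03|WS-FIN-07|cmd.exe /c vssadmin delete shadows /all /quiet",
    r'2024-05-02T09:14:05|WS-FIN-07|reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v MaxDisconnectionTime /t REG_DWORD /d 1209600000 /f',
    "2024-05-02T09:14:09|WS-FIN-07|net stop MSSQLSERVER /f /m",
    "2024-05-02T09:20:11|SRV-DB-01|net stop MSSQLSERVER",   # lone stop: routine maintenance
    "2024-05-02T11:02:40|WS-FIN-07|wevtutil.exe cl Security",
]

def classify(command_line):
    """Return the indicator category matching a process command line, or None."""
    for name, pattern in INDICATORS.items():
        if pattern.search(command_line):
            return name
    return None

def parse_line(line):
    ts, host, cmd = line.split("|", 2)
    return datetime.fromisoformat(ts), host, cmd

def correlate(lines):
    """Map host -> sorted indicator categories seen within WINDOW of each other,
    only for hosts that reach ALERT_THRESHOLD distinct categories."""
    hits = defaultdict(list)
    for line in lines:
        ts, host, cmd = parse_line(line)
        category = classify(cmd)
        if category:
            hits[host].append((ts, category))
    alerts = {}
    for host, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = {c for t, c in events[i:] if t - start <= WINDOW}
            if len(seen) >= ALERT_THRESHOLD:
                alerts[host] = sorted(seen)
                break
    return alerts
```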

Through these refined tactics, Underground leverages a blend of classic and advanced methods, underscoring the importance of proactive patching, segmented backups, and robust endpoint monitoring to defend against its evolving threat.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.