Underground Ransomware Gang Unleashes Innovative Tactics Targeting Global Organizations

The Underground ransomware gang has been coordinating recurring attacks on enterprises throughout the globe in a worrying increase in cyber risks.

They have demonstrated sophisticated malware engineering that blends cutting-edge encryption techniques with focused penetration measures.

First detected in July 2023, the group resurfaced in May 2024 with a revamped Dedicated Leak Site (DLS), where they expose exfiltrated data from victims refusing to pay ransoms.

Their operations span diverse sectors, including construction, manufacturing, IT, and interior design, affecting companies in countries such as the United States, United Arab Emirates, France, Spain, Australia, Germany, Slovakia, Taiwan, Singapore, Canada, and South Korea.

Victim organizations vary in scale, with annual revenues ranging from $20 million to $650 million, underscoring the gang’s indiscriminate approach to targeting without regard for geography, industry, or enterprise size.

This broad attack surface highlights a rising global trend in ransomware proliferation, where threat actors leverage customized payloads to maximize impact and evasion.

Malware Sophistication

The Underground ransomware employs a hybrid cryptographic scheme integrating random number generation (RNG), AES symmetric encryption, and RSA asymmetric encryption to render files inaccessible without the attackers’ intervention.

Each file is encrypted using a unique AES key, with key-related metadata appended to the file’s end, eliminating the need for post-encryption command-and-control (C2) communications.

This design ensures that local forensic artifacts alone cannot facilitate decryption, as the RSA public key is hardcoded into the malware, while the corresponding private key remains under the attackers’ control.

Files are categorized by size: small files undergo full encryption, whereas regular and large files use a striping method that encrypts selected portions at the head, at the tail, and at intermittent gaps, to optimize performance and minimize system disruption.

According to the ASEC report, this selective encryption targets high-value data segments, reducing computational overhead while inflicting maximum operational damage.

Prior to encryption, the malware executes preparatory routines, including a parameter check that halts execution if more than two arguments are provided, followed by the creation of a mutex (“8DC1F7B9D2F4EA58”) to prevent concurrent instances.

Figure: Process of checking the number of initial argument values

It then eradicates recovery options by deleting Volume Shadow Copies via the vssadmin command and restricts remote desktop connections through registry modifications.

Services potentially interfering with encryption, such as MSSQLSERVER, SQLSERVERAGENT, and MSSQLFDLauncher, are forcibly stopped.

To avoid system instability, encryption excludes critical paths resolved from environment variables like %SystemRoot% (C:\Windows), %ProgramFiles% (C:\Program Files), and %ProgramFiles(x86)% (C:\Program Files (x86)), as well as extensions including sys, exe, dll, bat, and others essential for OS functionality.

File selection prioritizes those accessed, modified, or created within the past six months, calculated via GetSystemTime() minus a half-year offset, focusing encryption on active user data to heighten efficiency.

The encryption process begins with generating a 0x30-byte random value using BCrypt APIs from bcrypt.dll, where the initial 0x20 bytes form the AES key and the remaining 0x10 bytes serve as the initialization vector (IV) in CBC mode.

Files are loaded into memory via ReadFile(), encrypted with BCryptEncrypt(), and the AES key plus IV are then RSA-encrypted and appended.

Metadata, totaling 0x18 bytes, includes the original file size, a flag set dictating stripe, head, tail, and gap parameters, a size-based branching trigger, version indicator, and magic value.

Figure: Final metadata format

These flags, subjected to bitwise shifts and power-of-2 calculations, define encryption units and intervals, adapting dynamically to file categories for optimized ransomware performance.

Post-Encryption Evasion

Upon completion, the malware erases traces by generating and running an _eraser.bat script, which leverages wevtutil.exe to clear all event logs, complicating incident response.

The ransom note, embedded with victim-specific details like IP addresses and stolen data references, offers not only decryption but also ancillary services such as vulnerability assessments and security consultations, accessible via a Tor-based negotiation portal.

This indicates pre-execution reconnaissance, where attackers infiltrate systems, gather intelligence, select targets, and deploy tailored ransomware, eschewing mass distribution for precision strikes.

To counter such threats, organizations must implement robust defenses, including offsite backups isolated from production networks, stringent access controls to repositories, and routine recovery drills.

Beyond basic data protection, integrating endpoint detection and response (EDR) tools and monitoring for indicators like unusual registry changes or service stoppages can preempt escalation.
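The preparatory and post-encryption behaviours described above (shadow copy deletion via vssadmin, the RDP restriction, stopping the MSSQLSERVER/SQLSERVERAGENT/MSSQLFDLauncher services, and the _eraser.bat log wipe with wevtutil) can be turned into the kind of monitoring this paragraph recommends. The following is an added example, not code from the article or from ASEC: it runs simple rules over constructed Sysmon-like sample lines and assumes fDenyTSConnections as the RDP-restricting registry value, which the article does not name.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs), simplified Sysmon-like form:
# "<timestamp> <host> <event_type> <detail>", one record per line.
SAMPLE_EVENTS = r"""
2024-05-02T10:01:05Z WS01 ProcessCreate cmd.exe /c vssadmin delete shadows /all /quiet
2024-05-02T10:01:06Z WS01 RegistryValueSet HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections = 1
2024-05-02T10:01:07Z WS01 ProcessCreate net stop MSSQLSERVER /y
2024-05-02T10:01:08Z WS01 ProcessCreate net stop MSSQLFDLauncher /y
2024-05-02T10:09:40Z WS01 ProcessCreate cmd.exe /c C:\Users\Public\_eraser.bat
2024-05-02T10:09:41Z WS01 ProcessCreate wevtutil.exe cl Security
2024-05-02T10:09:42Z WS01 ProcessCreate wevtutil.exe cl Application
2024-05-02T10:15:00Z WS02 ProcessCreate vssadmin list shadows
"""

# (rule name, event type it applies to, pattern over the detail field).
# Behaviours are those the article describes; fDenyTSConnections is an assumed
# registry value for the RDP restriction, which the article does not name.
RULES = [
    ("shadow_copy_deletion", "ProcessCreate",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("rdp_disabled_via_registry", "RegistryValueSet",
     re.compile(r"fDenyTSConnections\s*=\s*1\b", re.I)),
    ("sql_service_stopped", "ProcessCreate",
     re.compile(r"\b(net|sc)(\.exe)?\s+stop\s+(MSSQLSERVER|SQLSERVERAGENT|MSSQLFDLauncher)\b", re.I)),
    ("eraser_batch_executed", "ProcessCreate", re.compile(r"_eraser\.bat\b", re.I)),
    ("event_log_cleared", "ProcessCreate", re.compile(r"wevtutil(\.exe)?\s+cl\b", re.I)),
]

def detect(events_text):
    """Return (host, rule_name, timestamp) for every event that matches a rule."""
    hits = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ts, host, etype, detail = line.split(" ", 3)
        for name, rule_type, pattern in RULES:
            if etype == rule_type and pattern.search(detail):
                hits.append((host, name, ts))
    return hits

def hosts_with_chain(hits, min_distinct_rules=3):
    """Hosts where several distinct stages fired; one vssadmin call alone is
    noisy, but deletion + RDP lock-out + log wiping together is the pattern."""
    rules_by_host = defaultdict(set)
    for host, name, _ in hits:
        rules_by_host[host].add(name)
    return sorted(h for h, r in rules_by_host.items() if len(r) >= min_distinct_rules)
```

The benign "vssadmin list shadows" on WS02 produces no alert, while WS01 trips five distinct rules and is reported as showing the full chain.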

As Underground’s tactics evolve, proactive threat intelligence and adherence to frameworks like CVSS for vulnerability scoring remain critical in mitigating these innovative ransomware campaigns.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.