Emerging Ransomware Group ‘Underground’ Adopts Advanced Tactics to Target Global Organizations

Over the past year, a new ransomware group known as ‘Underground’ has surfaced as a significant threat to organizations across various industries and regions. Initially identified in July 2023, the group re-emerged in May 2024 with a Dedicated Leak Site (DLS), indicating a more sophisticated operational phase. Their attacks have spanned countries from the United Arab Emirates to South Korea, targeting sectors such as construction, manufacturing, and information technology.

Victims have reported that critical assets were encrypted, and they faced threats of data leaks, with ransom demands that applied both technical and psychological pressure.

Sophisticated Attack Methods

The ‘Underground’ operators meticulously tailor each attack to the victim’s specific environment. Initial access is often gained through stolen credentials or by exploiting unpatched vulnerabilities in remote desktop services. Once inside the network, they disable shadow copies using the command `vssadmin delete shadows /all /quiet`, effectively removing the victim’s ability to quickly restore data.

Analysts from ASEC have observed that this hands-on, operator-driven approach leaves the environment fully compromised rather than merely infected, and the traces left behind complicate incident response efforts.

Encryption Techniques

After conducting reconnaissance, the ransomware employs encryption routines that combine AES symmetric encryption with RSA asymmetric wrapping. Each file is encrypted with a unique AES key, while the key material and initialization vector (IV) are sealed with a hardcoded RSA public key before being appended to the file. Notably, no external command-and-control communication occurs during the encryption process, ensuring that local evidence alone cannot facilitate decryption.

The encryption metadata, which includes the file’s original size, flags, version, and magic values, is structured in a 0x18-byte block affixed at the end of each file.

Infection Mechanism Details

The core of the ‘Underground’ infection mechanism lies in its multi-stage payload execution. Upon launch, the binary checks its command-line parameters and exits immediately if more than two arguments are detected, serving as a basic anti-analysis safeguard. The malware then creates a mutex named 8DC1F7B9D2F4EA58 to prevent multiple instances from running simultaneously.

Without employing advanced sandbox evasion techniques, it swiftly executes pre-encryption routines, including:

– Deleting shadow copies

– Modifying registry keys to restrict remote desktop disconnections

– Halting SQL services

The registry modification and the service stops are issued with commands such as:

```
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ /v MaxDisconnectionTime /t REG_DWORD /d 1209600000 /f
net stop MSSQLSERVER /f /m
net stop SQLSERVERAGENT /f /m
net stop MSSQLFDLauncher /f /m
```

By excluding system directories and executable extensions—such as `.exe`, `.dll`, and `.sys`—the malware avoids crippling the operating system, focusing its destructive power on user-generated content.

Once the environment is primed, a 0x30-byte random number is generated via the BCrypt API, partitioned into a 0x20-byte AES key and a 0x10-byte IV. Files are read into memory, encrypted in place, and then appended with the RSA-encrypted key material (0x200 bytes).

For large files, a striping method encrypts the head, tail, and periodic segments using flag values that dictate encryption unit size and gap intervals, balancing performance and file impact.

Finally, the ransomware deploys an `_eraser.bat` script to purge Windows event logs via `wevtutil.exe`, erasing traces of its activity and hindering root cause analysis.
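The pre-encryption commands listed above and the `wevtutil.exe` log clearing are all visible in process-creation telemetry, so they make a practical detection set. The following is an added example, not code from the article or from ASEC: it runs simple rules over constructed sample command lines and flags a host only when several of the behaviours co-occur, since any one of them (an administrator stopping SQL, say) is weak evidence alone. Rule names, the threshold of three, and the sample events are the author's own assumptions.

```python
import re

# Detection rules for the pre-encryption and anti-forensics commands described
# in the article. Rule names and thresholds are assumptions for this example.
RULES = {
    "shadow_copy_deletion": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b.*\s/all\b", re.I),
    "rdp_disconnect_policy": re.compile(r"\breg(\.exe)?\s+add\b.*Terminal Services.*\bMaxDisconnectionTime\b", re.I),
    "sql_service_stop": re.compile(r"\bnet(\.exe)?\s+stop\s+(MSSQLSERVER|SQLSERVERAGENT|MSSQLFDLauncher)\b", re.I),
    "event_log_clearing": re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
}

def classify(command_line: str):
    """Return the names of all rules matched by one process command line."""
    return [name for name, rx in RULES.items() if rx.search(command_line)]

def analyze(events):
    """events: iterable of (host, command_line) pairs.
    Returns {host: (sorted matched rule names, flagged)}; a host is flagged
    when three or more distinct rules fire, which is the assumed threshold."""
    hits = {}
    for host, cmd in events:
        for name in classify(cmd):
            hits.setdefault(host, set()).add(name)
    return {h: (sorted(r), len(r) >= 3) for h, r in hits.items()}

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    ("WS01", "vssadmin delete shadows /all /quiet"),
    ("WS01", r"reg add HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ /v MaxDisconnectionTime /t REG_DWORD /d 1209600000 /f"),
    ("WS01", "net stop MSSQLSERVER /f /m"),
    ("WS01", "net stop SQLSERVERAGENT /f /m"),
    ("WS01", "wevtutil.exe cl Security"),
    ("DB02", "net stop MSSQLSERVER /f /m"),        # routine maintenance: one rule only
    ("DB02", r"notepad.exe C:\Users\a\notes.txt"),  # benign, matches nothing
]

if __name__ == "__main__":
    for host, (rules, flagged) in analyze(SAMPLE_EVENTS).items():
        print(host, rules, "FLAGGED" if flagged else "ok")
```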

Implications and Recommendations

Through these refined tactics, ‘Underground’ leverages a blend of classic and advanced methods, underscoring the importance of proactive patching, segmented backups, and robust endpoint monitoring to defend against its evolving threat.