CRIL (Cyble Research and Intelligence Labs) reports the emergence of Underground Team Ransomware, a new strain that tailors ransom notes to victims and offers additional services such as vulnerability insights and data recovery guidance. The article details its technical behavior, encryption process, and a chat-based Onion URL workflow for negotiating with threat actors. Hashtags: #UndergroundTeamRansomware #CRIL
Keypoints
- CRIL identifies a new ransomware strain named Underground Team Ransomware.
- The ransom note is tailored to victims, with victim-specific hostnames suggesting targeted attacks.
- Attackers promise network vulnerability insights and qualified data recovery assistance alongside a decryptor.
- The malware uses ShellExecuteW() to run commands that delete shadow copies, modify registry, and stop a database service.
- It identifies system volumes, enumerates drives, and encrypts files while excluding certain folders/files.
- A ransom note file is dropped and a separate CMD script is used to erase traces after encryption.
- Victims access an Onion-based chat platform for negotiations with threat actors; data-leak claims are not yet confirmed.
MITRE Techniques
- [T1059] Windows Command Shell – The ransomware “uses the ShellExecuteW() API function to execute the following commands and perform actions such as deleting Volume Shadow Copies, modifying registry settings, and stopping the MSSQLSERVER service.”
- [T1082] System Information Discovery – The ransomware identifies system volumes using “FindFirstVolumeW(), GetVolumePathNamesForVolumeNameW(), GetVolumeInformationW(), and FindNextVolumeW().”
- [T1083] File and Directory Discovery – It “drops a ransom note” and later “searches for files and directories to encrypt” using “FindFirstFileW() and FindNextFileW()”.
- [T1112] Modify Registry – The malware runs “reg.exe add HKLM… /v MaxDisconnectionTime” to modify registry settings for remote sessions.
- [T1569.002] Service Stop – The malware stops “MSSQLSERVER” using “net.exe stop MSSQLSERVER /f /m”.
- [T1070] Delete Shadow Drive Data – The command “vssadmin.exe delete shadows /all /quiet” is used to remove shadow copies.
- [T1486] Data Encrypted for Impact – The ransomware proceeds to encrypt files, impacting availability/ownership of data.
- [T1490] Inhibit System Recovery – Deleting shadow copies and related steps hinder recovery/restoration efforts.
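As an added defender's example, not code from the Cyble report, the following Python rule set flags the three ShellExecuteW()-launched commands listed above in Sysmon-style process-creation events and groups hits by parent process, so that one parent triggering several rules stands out as a likely ransomware precursor. The rule labels, the sample events and the `HKLM\PLACEHOLDER_KEY` path are assumptions, not values from the page.

```python
import re
from collections import defaultdict

# Rules for the three commands the report says the ransomware runs via ShellExecuteW().
# Labels are names chosen here; the technique IDs follow the page's MITRE mapping.
RULES = {
    "shadow_copy_deletion (T1490/T1070)": re.compile(
        r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b.*\s/all\b", re.I),
    "mssql_service_stop (T1569.002)": re.compile(
        r"\bnet(?:\.exe)?\s+stop\s+MSSQLSERVER\b", re.I),
    "max_disconnection_time_registry (T1112)": re.compile(
        r"\breg(?:\.exe)?\s+add\s+HKLM\\.*\bMaxDisconnectionTime\b", re.I),
}

# Constructed Sysmon-style process-creation events (Event ID 1), not real telemetry.
# The registry subkey is a placeholder; the report only shows "HKLM...".
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Users\Public\locker.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"ParentImage": r"C:\Users\Public\locker.exe",
     "CommandLine": "net.exe stop MSSQLSERVER /f /m"},
    {"ParentImage": r"C:\Users\Public\locker.exe",
     "CommandLine": r"reg.exe add HKLM\PLACEHOLDER_KEY /v MaxDisconnectionTime /t REG_DWORD /d 0 /f"},
    # Benign admin activity that must not fire: listing, not deleting, shadow copies.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "vssadmin.exe list shadows"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "net.exe stop Spooler"},
]


def match_rules(command_line):
    """Return the labels of every rule whose pattern matches one command line."""
    return [label for label, pat in RULES.items() if pat.search(command_line)]


def detect(events, min_distinct=2):
    """Group rule hits by parent process. A parent that triggers at least
    min_distinct different rules is marked as a cluster (high confidence);
    a single hit is still returned so an analyst can triage it."""
    hits = defaultdict(set)
    for ev in events:
        for label in match_rules(ev["CommandLine"]):
            hits[ev["ParentImage"]].add(label)
    return {parent: {"rules": sorted(labels), "cluster": len(labels) >= min_distinct}
            for parent, labels in hits.items()}


if __name__ == "__main__":
    for parent, result in detect(SAMPLE_EVENTS).items():
        print(parent, "CLUSTER" if result["cluster"] else "single hit", result["rules"])
```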
Indicators of Compromise
- [File Name] context – !!readme!!!.txt, temp.cmd, and other dropped artifacts (Ransom note file and trace-cleaning script)
- [SHA256] Underground Team Ransomware – d4a847fa9c4c7130a852a2e197b205493170a8b44426d9ec481fc4b285a92666, fb4ad5d21f0d8c6755eb4addba0ac288bd2574b6, and 1 more hash
- [Folder Name] context – googlechrome, mozillafirefox (excluded from encryption)
Read more: https://blog.cyble.com/2023/07/05/underground-team-ransomware-demands-nearly-3-million/