The Underground ransomware group conducts targeted, customized encryption and data theft operations against organizations worldwide, using a combination of AES and RSA encryption with per-file keys and stripe-based encryption for large files. Their operations include system reconnaissance, deletion of shadow copies and logs, and publication of stolen data via a Tor-based leak site; detection examples include MD5 hashes 76a3ee4f0447ad47767d2b6f808b7fc6 and bbbf99de707dd28c938668d34c2e1b26. #Underground #_eraser.bat
Keypoints
- Underground was first identified July 2023 and resumed visible activity with a Dedicated Leak Site in May 2024, targeting companies across many countries and industries.
- The ransomware uses per-file AES keys (derived from RNG) and encrypts those keys with a hardcoded RSA public key; RSA-encrypted key material is appended to each encrypted file.
- Files are classified as small, regular, or large; small files are fully encrypted while larger files are encrypted using a stripe (head/tail/gap) method to reduce load.
- Before encryption the malware removes Volume Shadow Copies, restricts Remote Desktop settings, and stops database services to prevent interference and recovery.
- Ransom notes advertise additional services (vulnerability diagnosis, security advice, data recovery) and contain Tor site credentials for negotiation, indicating tailored attacks after prior intrusion and reconnaissance.
- The malware creates and executes _eraser.bat to delete event logs via wevtutil.exe, removing execution traces after completion.
- Affected organizations span multiple countries (including South Korea, UAE, US, France, etc.) and industries with revenues from ~$20M to $650M, showing no clear targeting restriction by size or sector.
MITRE Techniques
- [T1490] Inhibit System Recovery – Deletes volume shadow copies to prevent recovery of encrypted files; quoted: ‘vssadmin delete shadows /all /quiet’.
- [T1489] Impact: Service Stop – Stops database services so they cannot hold files open and interfere with encryption; quoted: ‘net stop MSSQLSERVER /f /m’.
- [T1112] Modify Registry – Adds a registry value that restricts Remote Desktop disconnection behaviour; quoted: ‘reg add HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services /v MaxDisconnectionTime /t REG_DWORD /d 1209600000 /f’.
- [T1486] Data Encrypted for Impact – Encrypts files with AES and appends RSA-encrypted AES keys and metadata to each file; quoted: ‘The AES symmetric key is encrypted with the RSA public key and inserted into the encrypted file.’
- [T1078] Valid Accounts (post-compromise use) – Ransom note includes Tor site URL and login credentials for negotiation, indicating use of valid credentials for leak-site access; quoted: ‘The note provided the Tor site URL and login credentials, allowing for negotiation on the site.’
- [T1078.002] Multi-factor/Platform Accounts (customized distribution) – Threat actor performs reconnaissance and distributes customized ransomware tailored to selected PCs after breaching the system; quoted: ‘Threat actors conduct thorough reconnaissance to select a specific PC as the attack target and distribute modified ransomware tailored to the target.’
- [T1070.001] Clear Windows Event Logs – Creates and runs _eraser.bat, which deletes event logs using wevtutil.exe to remove traces; quoted: ‘creating eraser.bat’ and ‘deleting all event logs by utilizing wevtutil.exe’.
Indicators of Compromise
- [File Hash] Ransomware samples (MD5) – 76a3ee4f0447ad47767d2b6f808b7fc6, bbbf99de707dd28c938668d34c2e1b26
- [File Name] Cleanup artifact – _eraser.bat, used to delete event logs via wevtutil.exe
- [Command/Tool] System manipulation commands observed – ‘vssadmin delete shadows /all /quiet’, ‘reg add HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services /v MaxDisconnectionTime …’, and ‘net stop MSSQLSERVER /f /m’ (used to delete shadow copies, restrict RDP, and stop DB services)
- [Metadata/Encryption Artifact] Per-file appended RSA-encrypted AES key and 0x18-byte metadata block containing the original file size and flag set (Stripe/Head/Tail/Gap)
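The pre-encryption and cleanup commands listed under the MITRE techniques and the IoCs above are the most practical detection hook, since they run before or after encryption on the victim host. The following is an added example (not code from the report or from AhnLab) that matches process command lines against those commands and flags hosts where several of the techniques fire together; the log line layout and the sample lines are constructed for the example.

```python
import re

# Rules for the host-manipulation commands the report attributes to Underground,
# keyed by the MITRE technique the report maps each one to (case-insensitive).
RULES = {
    "T1490": re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows\b.*\s/all\b", re.I),
    "T1112": re.compile(r"reg(?:\.exe)?\s+add\b.*Terminal Services.*\bMaxDisconnectionTime\b", re.I),
    "T1489": re.compile(r"net1?(?:\.exe)?\s+stop\s+MSSQLSERVER\b", re.I),
    "T1070.001": re.compile(r"(?:wevtutil(?:\.exe)?\s+(?:cl|clear-log)\b|_eraser\.bat\b)", re.I),
}

# Assumed log layout (constructed for this example): "<timestamp> <host> <image path> <command line>"
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<image>\S+)\s+(?P<cmd>.*)$")

def classify(cmdline):
    """Technique IDs whose rule matches this command line (usually zero or one)."""
    return [tid for tid, rx in RULES.items() if rx.search(cmdline)]

def scan(lines):
    """Parse log lines and return (host, technique, command) hits; unparsable lines are skipped."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        hits.extend((m["host"], tid, m["cmd"]) for tid in classify(m["cmd"]))
    return hits

def hosts_with_chain(hits, min_techniques=2):
    """Hosts where at least `min_techniques` distinct techniques fired. Several of these
    commands on one host is a much stronger pre-encryption signal than any single one,
    since vssadmin and net stop also have legitimate administrative uses."""
    per_host = {}
    for host, tid, _ in hits:
        per_host.setdefault(host, set()).add(tid)
    return sorted(h for h, t in per_host.items() if len(t) >= min_techniques)

# Constructed sample lines (not taken from the report); the commands are the ones it quotes.
SAMPLE_LOG = [
    r"2024-05-01T10:00:01Z WS01 C:\Windows\System32\cmd.exe cmd.exe /c vssadmin delete shadows /all /quiet",
    r'2024-05-01T10:00:02Z WS01 C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v MaxDisconnectionTime /t REG_DWORD /d 1209600000 /f',
    r"2024-05-01T10:00:03Z WS01 C:\Windows\System32\net.exe net stop MSSQLSERVER /f /m",
    r"2024-05-01T11:15:00Z WS02 C:\Windows\System32\net.exe net stop Spooler",
    r"2024-05-01T11:16:00Z WS02 C:\Windows\System32\cmd.exe cmd.exe /c _eraser.bat",
    r"2024-05-01T11:16:01Z WS02 C:\Windows\System32\wevtutil.exe wevtutil cl Security",
    "corrupt entry",
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for host, tid, cmd in found:
        print(f"{host} {tid}: {cmd}")
    print("hosts with multi-technique chain:", hosts_with_chain(found))
```

On the sample input only WS01 shows the full shadow-copy, RDP and database-service chain; WS02 fires a single technique twice and stays below the threshold.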
Read more: https://asec.ahnlab.com/en/89835/