New Ransomware Strain Lists Victims’ Host Information in a Ransom Note
The rapid proliferation of new ransomware strains and the establishment of fresh ransomware groups underscore the ease with which cybercriminals can extort money from their victims. While new ransomware variants continue to emerge, the alarming trend of encrypting files and leaking data remains a persistent practice among these cybercriminals. This combination of evolving threats and the consistent exploitation of victims’ data highlights the ongoing challenges and risks organizations face in safeguarding their cybersecurity.
Cyble Research and Intelligence Labs (CRIL) came across a new ransomware strain named “Underground Team ransomware.” The name of this malware is derived from its distinctive ransom note.
The ransom note of the Underground Team ransomware introduces novel elements that distinguish it from typical ransom notes. In addition to guaranteeing a fair and confidential deal within a short timeframe, the group offers more than just a decryptor.
It promises to provide insights into network vulnerabilities and recommendations for information security. Furthermore, qualified data recovery assistance will be extended to the victims if required. While these novel additions showcase a broader approach by the ransomware group, it is imperative to continue exercising caution and skepticism when evaluating such claims.
The presence of victim-specific hostnames in the ransom note indicates that the attack was tailored to specific targets. The figure below shows the login panel of the Underground Team ransomware, which appears upon accessing the Onion URL mentioned in the ransom note.
The Underground Team ransomware executable is a 64-bit GUI-based Microsoft Visual C/C++ application identified by its SHA256 hash value, d4a847fa9c4c7130a852a2e197b205493170a8b44426d9ec481fc4b285a92666 as shown below.
When the ransomware is executed, it utilizes the ShellExecuteW() API function to execute the following commands and perform actions such as deleting Volume Shadow Copies, modifying registry settings, and stopping the MSSQLSERVER service.
| Command | Purpose |
|---|---|
| `vssadmin.exe delete shadows /all /quiet` | Deletes all Volume Shadow Copies on the system. By deleting the shadow copies, the ransomware hinders recovery and restoration processes that rely on them. |
| `reg.exe add HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services /v MaxDisconnectionTime /t REG_DWORD /d 1209600000 /f` | Sets the MaxDisconnectionTime policy value, which controls how long a disconnected remote session is allowed to remain active. This lets the ransomware manipulate Remote Desktop session behaviour. |
| `net.exe stop MSSQLSERVER /f /m` | Forcefully stops the MSSQLSERVER service using the net.exe utility, disrupting database operations so that the files used by MSSQL Server can be encrypted. |
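The three commands above (and the temp.cmd cleanup stage described later) are the most visible pre-encryption behaviours in process-creation telemetry. The following is an added example, not code from the original analysis: a small correlation rule over constructed Sysmon-style command lines that alerts only when a host shows more than one of these behaviours, since a lone `net stop MSSQLSERVER` is routine administration.

```python
"""Detect the Underground Team pre-encryption commands and the temp.cmd
cleanup stage in process-creation telemetry (Sysmon Event ID 1 / Windows 4688).
Added example; the log lines below are constructed, not real telemetry."""
import re
from collections import defaultdict

RULES = [  # (label, regex applied to the normalised CommandLine field)
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\s+/all", re.I)),
    ("rdp_maxdisconnectiontime_tamper",
     re.compile(r"reg(\.exe)?\s+add\s+.*terminal services.*\bmaxdisconnectiontime\b", re.I)),
    ("mssql_service_stop", re.compile(r"net(\.exe)?\s+stop\s+mssqlserver\b", re.I)),
    ("temp_cmd_cleanup", re.compile(r"cmd(\.exe)?\s+/c\s+.*\\temp\.cmd\b", re.I)),
]

def normalise(cmdline):
    # Collapse whitespace and drop quotes so odd spacing or quoted key paths
    # do not slip past the patterns.
    return re.sub(r"\s+", " ", cmdline.replace('"', "")).strip()

def classify(cmdline):
    """Return the rule labels matched by a single command line."""
    norm = normalise(cmdline)
    return [label for label, rx in RULES if rx.search(norm)]

def score_hosts(events):
    """events: iterable of {'host': ..., 'cmdline': ...} -> {host: set(labels)},
    so the individual behaviours can be correlated per host."""
    hits = defaultdict(set)
    for ev in events:
        for label in classify(ev["cmdline"]):
            hits[ev["host"]].add(label)
    return hits

def alerting_hosts(events, threshold=2):
    """Hosts with at least `threshold` distinct labels: a lone
    'net stop MSSQLSERVER' is routine admin work, the combination is not."""
    return sorted(h for h, labels in score_hosts(events).items()
                  if len(labels) >= threshold)

SAMPLE_EVENTS = [  # constructed telemetry
    {"host": "WS01", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS01", "cmdline": 'reg.exe add "HKLM\\SOFTWARE\\Policies\\Microsoft'
     '\\Windows NT\\Terminal Services" /v MaxDisconnectionTime /t REG_DWORD /d 1209600000 /f'},
    {"host": "WS01", "cmdline": "net.exe stop MSSQLSERVER /f /m"},
    {"host": "DB02", "cmdline": "net.exe stop MSSQLSERVER"},  # DBA maintenance: no alert
    {"host": "WS03", "cmdline": "cmd.exe /c C:\\Users\\Public\\temp.cmd"},  # path assumed
]
```

Calling `alerting_hosts(SAMPLE_EVENTS)` on the constructed events returns only `WS01`; the lone service stop on `DB02` and the single temp.cmd hit on `WS03` stay below the threshold.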
After that, the ransomware starts a new thread that identifies system volumes using the API functions FindFirstVolumeW(), GetVolumePathNamesForVolumeNameW(), GetVolumeInformationW(), and FindNextVolumeW(). These functions let the ransomware enumerate the drives and file systems present on the targeted system, which it needs in order to locate and encrypt files.
The figure below displays the code utilized for identifying the system volumes of the victim’s machine.
Once the system drives have been identified, the ransomware drops a ransom note named “!!readme!!!.txt” in multiple folders in the system.
The below figure shows the hardcoded contents of the ransom note.
After dropping the ransom note, the malware creates an additional thread dedicated to searching for files and directories to encrypt. It accomplishes this by iteratively scanning through them using the API functions FindFirstFileW() and FindNextFileW(), as shown below.
The ransomware excludes specific filenames and file extensions from encryption, as shown in Figure 6. It also skips folder names such as \google\chrome and \mozilla\firefox, leaving their contents untouched.
Once the files are identified, the ransomware proceeds to encrypt them. However, it does not alter the encrypted file names or append any extensions after the encryption process is complete.
The figure below demonstrates the ransom note file that has been dropped and the display of an encrypted file by the Underground Team ransomware.
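Because the encrypted files keep their original names and extensions, extension-based indicators are useless here; a responder has to look at file content instead. The following is an added example, not code from the original analysis: it flags files whose header no longer matches what their extension promises and whose leading bytes have ciphertext-like entropy, while skipping the dropped `!!readme!!!.txt` note. The sample tree it scans is constructed in a temporary directory.

```python
"""Triage helper for the 'no extension change' behaviour: encrypted files keep
their names, so they are found by checking the header against the extension's
magic bytes plus Shannon entropy. Added example; the sample tree is constructed."""
import math, os, tempfile
from collections import Counter

MAGIC = {".pdf": b"%PDF-", ".png": b"\x89PNG\r\n\x1a\n",  # extension -> header
         ".docx": b"PK\x03\x04", ".zip": b"PK\x03\x04", ".exe": b"MZ"}

def shannon_entropy(data):
    """Bits per byte: ~8.0 for ciphertext or random data, far lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(path, sample=4096, threshold=7.5):
    """Header mismatches the extension's magic AND leading bytes are near-random."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as f:
        head = f.read(sample)
    magic = MAGIC.get(ext)
    if magic is not None and head.startswith(magic):
        return False          # header intact: not encrypted in place
    return shannon_entropy(head) >= threshold  # unknown extension: entropy only

def scan(root):
    """Sorted paths under root that look encrypted, skipping the ransom note."""
    found = []
    for d, _, files in os.walk(root):
        for name in files:
            if name == "!!readme!!!.txt":
                continue
            p = os.path.join(d, name)
            if looks_encrypted(p):
                found.append(p)
    return sorted(found)

def demo():
    """Constructed tree: intact PDF, 'encrypted' PDF (random bytes under the
    untouched name, standing in for ciphertext) and a dropped ransom note."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "intact.pdf"), "wb") as f:
        f.write(b"%PDF-1.7\n" + b"A" * 2000)
    with open(os.path.join(root, "report.pdf"), "wb") as f:
        f.write(os.urandom(4096))
    with open(os.path.join(root, "!!readme!!!.txt"), "w") as f:
        f.write("ransom note placeholder\n")
    return [os.path.basename(p) for p in scan(root)]  # ['report.pdf']
```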
After completing the encryption process, the ransomware creates a CMD file named “temp.cmd” and executes it. This CMD file is designed to repeatedly delete a specified file, clear event logs, and ultimately remove itself.
The purpose of this script is to destroy any evidence of the ransomware’s activities and obscure the execution of malicious actions on the targeted system.
The below image showcases the ransom note employed by the Underground Team Ransomware. The ransom note includes instructions for victims to contact the TAs for assistance in recovering their encrypted files or to make the ransom payment.
Within the ransom note is an Onion URL provided as a means of communication for victims to engage in chat-based contact. The login credentials are also included for victims to access the chat platform.
Once logged into the provided Onion URL, the victims are directed to a platform resembling a ticketing system, facilitating the negotiation process with the TA regarding the ransomware incident, as shown below.
Although the Underground Team Ransomware has been identified as a new threat, the specific victims targeted by this ransomware are currently unknown. Additionally, there have been no instances of data leaks associated with this ransomware at the time of writing. When encountering ransomware groups making claims of providing assistance, it is crucial to approach their statements with skepticism. TAs are primarily motivated by financial gain, and their true intentions may not align with the interests of the victims.
CRIL maintains vigilant monitoring of emerging ransomware campaigns to ensure our readers are well-informed, providing regular updates on our latest discoveries.
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
Safety Measures Needed to Prevent Ransomware Attacks
- Conduct regular backup practices and keep those backups offline or in a separate network
- Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic
- Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile
- Refrain from opening untrusted links and email attachments without verifying their authenticity
Users Should Take the Following Steps After a Ransomware Attack
- Detach infected devices on the same network
- Disconnect external storage devices if connected
- Inspect system logs for suspicious events
Impact of Ransomware
- Loss of valuable data
- Loss of the organization’s reputation and integrity
- Loss of the organization’s sensitive business information
- Disruption in organization operation
- Financial loss
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
|---|---|---|
| Discovery | T1082 | System Information Discovery |
| Discovery | T1217 | Browser Information Discovery |
| Discovery | T1083 | File and Directory Discovery |
| Defense Evasion | T1070 | Delete shadow drive data |
| Impact | T1486 | Data Encrypted for Impact |
| Impact | T1490 | Inhibit System Recovery |
Indicators of Compromise (IOCs)
| Indicators | Indicator Type | Description |
|---|---|---|
| d4a847fa9c4c7130a852a2e197b205493170a8b44426d9ec481fc4b285a92666 | SHA256 | Underground Team Ransomware |