The Underground ransomware gang is intensifying its operations, launching continuous ransomware attacks against companies worldwide, including high-profile victims in South Korea. A new analysis by AhnLab sheds light on the group’s tactics, malware design, and global impact, revealing that this is far from a spray-and-pray campaign—it is a customized and targeted operation.
AhnLab’s research highlights the gang’s diverse victim pool. “The list of companies affected by the Underground ransomware gang includes multinational corporations in the United Arab Emirates, the United States, France, Spain, Australia, Germany, Slovakia, Taiwan, Singapore, Canada, and Korea.” The industries affected range from construction and manufacturing to IT and interior design, with company revenues spanning $20 million to $650 million.
This demonstrates that the gang does not discriminate by sector or geography, instead targeting a wide range of organizations globally.
The Underground ransomware uses a sophisticated multi-layered encryption process that combines RNG algorithms, AES symmetric encryption, and RSA asymmetric encryption. Notably, “no network communication occurs after the file encryption process,” meaning that local traces alone are insufficient for decryption. Each encrypted file receives a unique AES key, and the corresponding RSA-encrypted information is appended to the file.

Files are classified by size—small, regular, or large—with small files fully encrypted and larger files encrypted using a striping method, leaving gaps to maximize efficiency while crippling usability.
Unlike mass-distributed ransomware strains, Underground’s operators conduct deep reconnaissance before striking. AhnLab observed that “threat actors conduct thorough reconnaissance to select a specific PC as the attack target and distribute modified ransomware tailored to the target.” This proves that the malware is deployed in surgical, customized attacks, rather than via large-scale spam or exploit kits.
The ransom note further confirms pre-breach activity: “The ransom note contained a message about the attack target’s IP and the stolen information, suggesting that the threat actor had inserted this message into the malware before encrypting the data.”
To maximize damage, the ransomware deletes shadow copies with vssadmin, restricts remote desktop connections via registry edits, and stops database-related services such as MSSQLSERVER. This prevents file recovery and ensures that running database services cannot interfere with the encryption.
Furthermore, it avoids encrypting critical system files and folders by excluding extensions like .sys, .exe, and .dll, and directories such as %SystemRoot% and %ProgramFiles%. This selective approach reduces the risk of system crashes that might prevent ransom payment.
The ransomware generates a 0x30-byte random number via RNG to derive the AES key and IV, then encrypts files in memory using BCryptEncrypt(). The pbSecret and IV values are themselves encrypted with RSA and appended to the file. Finally, metadata including the original file size and encryption flags is added. For large files, only the head, tail, and select middle sections are encrypted in a patterned stripe, striking a balance between speed and impact.
After completing encryption, the malware executes _eraser.bat, which leverages Windows’ built-in wevtutil.exe to delete all system event logs. This ensures investigators and incident responders have little forensic evidence to trace the attack.
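The shadow-copy deletion, database-service stop and wevtutil log clearing described above are observable in process-creation telemetry before or shortly after encryption. The following detection logic is an added example, not AhnLab's analysis code or any sample from the gang; the log lines are constructed in a simple "timestamp|host|image|cmdline" form, and the 30-minute correlation window, rule names and hostnames are assumptions.

```python
"""Correlate ransomware-preparation behaviours per host from process-creation logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Behaviours named in the analysis: shadow-copy deletion via vssadmin, stopping
# SQL services, and event-log clearing via wevtutil launched from _eraser.bat.
RULES = {
    "shadow_copy_deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "db_service_stop": re.compile(r"\b(net|sc)(\.exe)?\s+stop\s+\S*sql\S*", re.I),
    "event_log_clear": re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
    "eraser_batch": re.compile(r"_eraser\.bat", re.I),
}
WINDOW = timedelta(minutes=30)  # assumed correlation window

def parse_line(line):
    ts, host, image, cmdline = line.split("|", 3)
    return datetime.fromisoformat(ts), host, image, cmdline

def match_rules(cmdline):
    """Return the set of rule names whose pattern appears in one command line."""
    return {name for name, rx in RULES.items() if rx.search(cmdline)}

def correlate(lines):
    """Return {host: sorted rule names} for hosts showing 2+ distinct behaviours within WINDOW."""
    events = defaultdict(list)
    for line in lines:
        ts, host, _, cmdline = parse_line(line)
        for name in match_rules(cmdline):
            events[host].append((ts, name))
    alerts = {}
    for host, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):  # slide a window from each event
            names = {n for t, n in evs[i:] if t - t0 <= WINDOW}
            if len(names) >= 2:
                alerts[host] = sorted(names)
                break
    return alerts

# Constructed telemetry: one host shows the malicious sequence, the other only
# benign administrative use of the same tools (query, list) and must not alert.
SAMPLE_LOGS = [
    "2024-03-01T02:10:05|SRV-DB01|C:\\Windows\\System32\\cmd.exe|cmd.exe /c net stop MSSQLSERVER /y",
    "2024-03-01T02:11:40|SRV-DB01|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet",
    "2024-03-01T02:58:12|SRV-DB01|C:\\Windows\\System32\\cmd.exe|cmd.exe /c C:\\Users\\Public\\_eraser.bat",
    "2024-03-01T02:58:13|SRV-DB01|C:\\Windows\\System32\\wevtutil.exe|wevtutil.exe cl Security",
    "2024-03-01T09:00:00|WS-FINANCE-07|C:\\Windows\\System32\\wevtutil.exe|wevtutil.exe qe Application /c:5",
    "2024-03-01T09:05:00|WS-FINANCE-07|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe list shadows",
]

if __name__ == "__main__":
    print(correlate(SAMPLE_LOGS))
```

Because the malware clears the event logs last, the telemetry must be forwarded off-host as it is produced; logic like this only works on a collector, not on the victim's local log store.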