The S2W Threat Intelligence Center has released its first threat group profiling report in some time.
Last October, the Underground group claimed responsibility for the data breach of Company C, a major Japanese manufacturer of renowned watches and electronic devices. In December of the same year, they also claimed responsibility for a ransomware infection targeting Company S, a Korean semiconductor manufacturer.
This report provides an in-depth threat intelligence analysis, offering a detailed profile of the actor, the Underground ransomware group.
✅ Report Title:
Threat Group Profile: Underground
✅ Executive Summary:
1️⃣ Overview
The Underground ransomware group was first discovered by the overseas security firm Cyble on July 3, 2023, and is believed to have been active since at least July 2023.
They are known to upload lists of victimized companies and leaked data using platforms such as the dark web and Telegram channels.
2️⃣ Damage Status
Between January and November 2024, 19 companies were confirmed to have been victimized by the Underground ransomware group.
The most affected country was the United States (7 cases), with one case reported involving a South Korean company.
By industry, manufacturing (5 cases) suffered the most significant damage, followed by business services (4 cases) and retail (3 cases).
3️⃣ Intrusion Process
The Underground ransomware group and its affiliates are known to perform phishing campaigns or exploit vulnerabilities in unpatched software for initial access.
Subsequently, they use malware like RomCom to collect credential information and employ known tools like Impacket for lateral movement before deploying the ransomware.
4️⃣ Attack Tools
The Underground ransomware group uses RomCom malware to steal credentials, capture screen images, and enable remote control. They also use Impacket tools for lateral movement.
The Storm-0978 group, known for distributing Underground ransomware, has a history of using ransomware such as Industrial Spy and Trigona.
5️⃣ Key Characteristics
The Underground ransomware encrypts files by receiving the target directory name as an argument during execution. If no argument is provided, it encrypts all directories.
File encryption employs the 3DES + RSA algorithm, and the final 140 bytes of the encrypted file contain specific information:
- RSA-encrypted Key & IV (128 bytes)
- Original file size (8 bytes)
- File Marker: 0x31415926 (4 bytes)
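An added example (not S2W's code, and not taken from the report) showing how a responder could use the trailer layout above to triage files for this encryption pattern. It assumes the two integers are stored little-endian, which the report does not state, and uses a constructed sample file rather than a real one.

```python
import struct

TRAILER_LEN = 140      # 128 + 8 + 4 bytes, per the report
KEY_IV_LEN = 128       # RSA-encrypted 3DES key and IV
MARKER = 0x31415926    # file marker reported by S2W


def parse_trailer(data: bytes):
    """Return the trailer fields if `data` ends with an Underground-style
    trailer, otherwise None. Assumption: little-endian integers (the report
    gives only field sizes and the marker value, not byte order)."""
    if len(data) < TRAILER_LEN:
        return None
    trailer = data[-TRAILER_LEN:]
    key_iv_blob = trailer[:KEY_IV_LEN]
    original_size, marker = struct.unpack("<QI", trailer[KEY_IV_LEN:])
    if marker != MARKER:
        return None
    # Sanity check: 3DES block padding can make the ciphertext slightly
    # longer than the original file, but never shorter, so a recorded
    # original size larger than the body means this is not a valid trailer.
    if original_size > len(data) - TRAILER_LEN:
        return None
    return {"key_iv_blob": key_iv_blob,
            "original_size": original_size,
            "marker": marker}


def find_encrypted(files):
    """Given {name: bytes}, return the names whose content carries a valid trailer."""
    return sorted(name for name, data in files.items() if parse_trailer(data))


def build_sample(original_size: int) -> bytes:
    """Constructed test file (NOT a real sample): pseudo-ciphertext padded to
    the 8-byte 3DES block size, followed by the 140-byte trailer."""
    padded = (original_size + 8) // 8 * 8
    body = bytes((i * 7) % 256 for i in range(padded))
    blob = bytes([0xAA] * KEY_IV_LEN)       # stands in for the RSA blob
    return body + blob + struct.pack("<QI", original_size, MARKER)


if __name__ == "__main__":
    samples = {"report.docx": build_sample(1000), "notes.txt": b"plain text file"}
    print(find_encrypted(samples))          # ['report.docx']
```

In a real triage pass, the 128-byte blob would be retained as evidence rather than interpreted, since it can only be decrypted with the operator's RSA private key.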
6️⃣ Recent Developments
In October 2024, the Underground group claimed responsibility for attacking a major Japanese company, "C," and exfiltrating data. As a result, "C" hired external IT experts to investigate whether personal or confidential information had been stolen.
Additionally, on December 17, the Underground group claimed to have stolen critical data from South Korean semiconductor manufacturer "S."
Ransomware of this kind threatens to destroy or leak confidential data unless a ransom is paid, using the stolen data itself to substantiate its claims.
The stolen data disclosed by the hackers reportedly includes key documents such as the CEO's report, board materials, budget and financial data, and Apple partnership documents.
📌 Trends of Ransomware Groups Identified in Dark Web Big Data Over the Past Two Months
[October 2024]
In October, 510 companies were affected by ransomware attacks, with infection incidents disclosed on the leak sites operated by ransomware groups.
Key issues related to ransomware in October can be categorized into the following four areas:
(1) Threat Actor & Malware:
- A ransomware written in Go targeting both Windows and macOS operating systems emerged, imitating LockBit.
- Rhysida group's multi-layer infrastructure was discovered and tracked, leading to the identification of a backdoor named CleanUpLoader.
(2) Vulnerability:
- Akira and Fog exploited the Veeam RCE vulnerability (CVE-2024-40711).
(3) Major Victims:
- A major Japanese company, C, experienced a system outage affecting some services due to an attack by the Underground group.
- Boston Children's Health Physicians fell victim to BianLian.
(4) Deep & Dark Web:
- The BlackBasta group expressed interest in purchasing a Windows RCE zero-day vulnerability on their leak site.
- Posts were uploaded to the XSS forum offering to sell source code and affiliate information stolen from DragonForce servers.
[November 2024]
In November, 584 companies were affected by ransomware attacks, with infection incidents disclosed on the leak sites operated by ransomware groups.
Key issues related to ransomware in November can be categorized into the following four areas:
(1) Threat Actor & Malware:
- The TTPs of the newly identified Helldown ransomware were disclosed.
- The advisory on BianLian issued by CISA was updated.
(2) Vulnerability:
- RomCom exploited zero-day vulnerabilities (CVE-2024-49039, CVE-2024-9680).
(3) Major Victims:
- The Cactus group claimed responsibility for attacking the Los Angeles Housing Authority (HACLA), one of the largest public housing agencies in the United States.
(4) Deep & Dark Web:
- A user named @NMZ provided details about SRans, an Android ransomware utilizing AES-256 encryption.
✅ Recommended Threat Detection and Mitigation Actions:
The S2W Threat Intelligence Center categorizes major issues related to ransomware groups occurring monthly into four categories:
1️⃣ Threat Actor & Malware
2️⃣ Vulnerability
3️⃣ Major Victims
4️⃣ Deep & Dark Web
Information about the Underground group was included in the October Major Victims category. You can stay updated on this group through continuous ransomware report monitoring.
*S2W Threat Intelligence provides its clients with a monthly report, “Story of the Month: Ransomware on the Darkweb,” via its platform, QUAXAR.
For detailed analysis and actionable recommendations for each category, please inquire about the full report through the link below.
🧑💻 Report Author: S2W TALON (Updated 2024-11-20)
👉 Contact us: https://s2w.inc/en/contact