Fiche d’identité Underground

The Underground Team Ransomware emerged in July 2023. It was quickly linked to the Storm-0978 group, known for deploying the Industrial Spy ransomware and using the ROMCOM backdoor (cyber-espionage attacks via phishing).

• Developed in C/C++
• Operates on 64-bit systems
• Deletion of VSS (Volume Shadow Service, Windows utility for computer backup)
• Registry key modifications
• Stops the MSSQLSERVER service
• Modifies RDP session timeout settings
• Enables RDP protocol for remote access
• Executes a “temp.cmd” script after encryption to remove all traces (logs via wevtutil and self-destruction)
• Ransom note with a .onion link (darkweb URL extension) that allows contacting operators via chat
• Uses 3DES algorithm for encryption
• Encryption exception is made for the “VIPinfo.txt” file and directories containing the following strings:
• Windows
• Microsoft
• google\chrome
• mozilla\firefox
• \opera
• Blacklist of certain extensions (to avoid compromising the system and only target important files like doc, pdf)

The string extraction module of GLIMPS Malware Expert allows recovery of the ransom note confirming this is the “Underground Team” group.

We also observe the presence of IP addresses indicating prior network reconnaissance.

As of July 2024, only 18 attacks by this group’s ransomware are recorded. These include companies in the healthcare, construction, and IT sectors. Note that even though the group no longer lists victims, the Storm-0978 actor remains active in phishing campaigns.

URLs:

• undgrddapc4reaunnrdrmnagvdelqfvmgycuvilgwb5uxm25sxawaoqd[.]onion
• http://ehehqyhw3iev2vfso4vqs7kcrzltfebe5vbimq62p2ja7pslczs3q6qd[.]onion/auth/login
• http://47glxkuxyayqrvugfumgsblrdagvrah7gttfscgzn56eyss5wg3uvmqd[.]onion

Ransom note:
!!readme!!!.txt

Feel free to contact us to learn more: contact@glimps.re