Underground ransomware gang tactics against global organizations

The Underground ransomware gang has become a significant threat to organizations worldwide, first identified in July 2023 and resurfacing in May 2024 with a Dedicated Leak Site (DLS). Their attacks now target industries from the UAE to South Korea, employing tailored strategies that exploit stolen credentials and unpatched vulnerabilities.

Once inside a system, the gang disables shadow copies, complicating recovery efforts. They use a dual encryption method, combining AES for file encryption with RSA to wrap the AES key, and the process involves no external network communication, which leaves defenders nothing to intercept and makes decryption without the attacker's key impractical.

The malware executes a multi-stage payload: it checks command-line parameters to avoid detection, deletes shadow copies, and concentrates on user-generated content. It generates a random AES key and IV for encryption and, for larger files, uses a striping method that encrypts selected segments rather than the whole file. Finally, it erases Windows event logs to cover its tracks.
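The two precursor behaviours described above (shadow copy deletion and event log clearing) are the most detectable steps of the chain. The following detection check is an added example, not code from the original post or from any vendor product; the event records are constructed, and the rules assume Sysmon-style process-creation telemetry (Event ID 1) alongside the Windows Security log's "audit log was cleared" record (Event ID 1102).

```python
import re

# Constructed sample telemetry (not from the original post): Sysmon-style
# process-creation records plus one Security-log record.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet", "User": "CORP\\svc-backup"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete", "User": "CORP\\svc-backup"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil.exe cl Security", "User": "CORP\\svc-backup"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe report.txt", "User": "CORP\\alice"},
    {"EventID": 1102, "Channel": "Security", "User": "CORP\\svc-backup"},
]

# Each rule: (name, MITRE ATT&CK technique, predicate over one event record).
RULES = [
    ("shadow_copy_deletion", "T1490", lambda e: e.get("EventID") == 1 and re.search(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete",
        e.get("CommandLine", ""), re.I) is not None),
    ("event_log_cleared_cmd", "T1070.001", lambda e: e.get("EventID") == 1 and re.search(
        r"wevtutil(\.exe)?\s+(cl|clear-log)\b", e.get("CommandLine", ""), re.I) is not None),
    ("audit_log_cleared", "T1070.001", lambda e: e.get("EventID") == 1102),
]


def detect(events):
    """Return one finding per (rule, event) match, keeping the acting user."""
    findings = []
    for idx, ev in enumerate(events):
        for name, technique, pred in RULES:
            if pred(ev):
                findings.append({"rule": name, "technique": technique,
                                 "index": idx, "user": ev.get("User")})
    return findings


def escalate(findings):
    """Users who triggered two or more distinct techniques: the recovery-inhibition
    plus anti-forensics pairing is the ransomware precursor chain worth paging on."""
    techniques_by_user = {}
    for f in findings:
        techniques_by_user.setdefault(f["user"], set()).add(f["technique"])
    return {u for u, t in techniques_by_user.items() if len(t) >= 2}


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for h in hits:
        print(h)
    print("escalate:", escalate(hits))
```

A single shadow-copy deletion by a backup account can be legitimate; the escalation step is what separates routine administration from the sequence this gang follows.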

NPAV offers a robust solution to combat cyber fraud. Protect yourself with our top-tier security product, Z Plus Security.