Discovery of a new ransomware: Underground

Articles

This week, GLIMPS’ CTI team analyzed a new ransomware : Undergroud, spotted during their daily watch.

Static strain analysis

0a08d9b027457da99725968eb4566eb836a7d503219ad5690f851caecabce93d

This file was analyzed by GLIMPS Malware as malicious. Thanks to this platform, we are able to effectively proceed to the analysis.

This ransomware family is not yet referenced into known data base, this led us to think that it is a new family ; furthermore, antivirus sotwares (signature analysis) are currently unware of it.

A study of the strings shows that a ransom note is indeed present called “%s!!readme!!!.txt”. “%s” being potentially a personalization variable which will be replaced by a victim identifier (victim name, random ID, etc…) when the ransomware is executed.

A TOR link appears enable you to contact the group using a login/password supplied in this same note.

Conclusion

We know thanks to GLIMPS Malware analysis, that we are indeed facing a ransomware. The functions and ransom note leave no doubts as to the categorization of the file. Indicators contained in the ransom note inform us that the group is called Underground.

Appendices

**List of files and artifacts**
Hash	Description
0a08d9b027457da99725968eb4566eb836a7d503219ad5690f851caecabce93d	Ransomware executable file

**List of indicators of compromission**
IOC	Description
%s!!readme!!!.txt	Ransom note
http://undgrddapc4reaunnrdrmnagvdelqfvmgycuvilgwb5uxm25sxawaoqd[.]onion	Ransom payment portal

Sources

A new #Ransomware is out named "Underground"!

Sample-
MD5: f60f0b756bda9b6aaff12c9768f0bc1ahttps://t.co/PiNiaaM8n1 #OSINT #hack #security #infosec #malware #cybersecurity #cybersec #UndergroundRansomware #bitcoin #blockchain #darkweb #deepweb #cyberattack #TOR #CISA #FBI pic.twitter.com/rZlItWHeMX

— RAKESH KRISHNAN (@RakeshKrish12) July 10, 2023

Please contact us to find out more: contact@glimps.re