Underground Ransomware Being Distributed Worldwide

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :

The Underground ransomware gang is conducting global attacks against companies across various countries and industries. First identified in July 2023, the group resurfaced in May 2024 with a new Dedicated Leak Site. Their targets include multinational corporations from diverse sectors, with annual revenues ranging from $20 million to $650 million. The ransomware uses a combination of RNG, AES, and RSA encryption techniques, with each file encrypted using a different AES key. The malware is designed so that the local environment retains insufficient material to decrypt the files. It categorizes files based on size and employs a striping method for larger files. Before encryption, the ransomware also deletes shadow copies, restricts remote desktop connections, and stops services that would interfere with encryption.

OPENCTI LABELS :

ransomware,encryption,data theft,striping method,global attacks,underground ransomware


AI COMMENTARY :

1. Introduction to Underground Ransomware Being Distributed Worldwide

The threat intelligence community has sounded the alarm on a sophisticated operation known only as Underground ransomware. First identified in July 2023, this underground ransomware gang reemerged in May 2024 with a Dedicated Leak Site, signaling renewed intent to inflict maximum damage on organizations across the globe. By targeting companies with annual revenues ranging from 20 million to 650 million dollars, the group demonstrates an ability to scale its global attacks against diverse sectors, exploiting weaknesses in both security and operational resilience.

2. Evolution and Resurgence

After a brief period of inactivity, Underground ransomware resurfaced with more advanced capabilities and a dedicated digital platform for data theft. The emergence of its new Leak Site underscores the gang’s commitment to extortion, publishing sensitive files when victims refuse to pay. This evolution reveals a pattern of persistent innovation, as the group continuously refines its tools to evade detection and maximize leverage over exposed companies. The timeline from July 2023 to May 2024 highlights a strategic pause followed by a forceful comeback, underscoring the importance of continuous threat monitoring.

3. Encryption and Technical Sophistication

At the heart of this threat lies a powerful encryption engine combining RNG, AES, and RSA algorithms. Each file is encrypted with a unique AES key, preventing bulk decryption efforts. For larger files, the malware employs a striping method that fragments data into manageable segments, further complicating recovery. By design, Underground ransomware leaves minimal traces within the local environment, frustrating forensic analysis. In addition to strong cryptography, it deletes shadow copies and halts interfering services, ensuring that traditional backup-based recovery options are rendered ineffective without properly secured offsite data repositories.

4. Operational Tactics and Impact

Beyond pure encryption, Underground ransomware takes deliberate steps to incapacitate victim systems. Remote desktop connections are restricted to prevent administrators from intervening, while critical services are stopped to eliminate chances of rollback. The gang’s approach to data theft is equally ruthless, leveraging the Dedicated Leak Site as both a pressure point and a public demonstration of capability. Victims who refuse to comply with ransom demands face the prospect of sensitive information being exposed to competitors or the broader internet, inflicting reputational damage in addition to financial loss.

5. Global Reach and Affected Industries

Underground ransomware’s campaign extends across continents, striking corporations in North America, Europe, and Asia. Industries as varied as manufacturing, healthcare, finance, and technology have reported disruptions, illustrating that no vertical is immune. With annual revenues ranging from 20 million to 650 million dollars, targeted organizations share a common trait: they possess critical data whose compromise would cause significant operational and financial pain. The gang’s ability to infiltrate networks worldwide demonstrates the universal demand for robust security controls and proactive threat intelligence.

6. Strategies for Defense and Mitigation

Organizations can defend against Underground ransomware by implementing a layered security architecture. Regular, immutable backups stored offsite are vital to withstand aggressive encryption tactics. Network segmentation and strict access controls limit lateral movement, while endpoint detection and response platforms can help identify early indicators of compromise. Ongoing vulnerability management and timely patching reduce attack surfaces. Equally important are employee training programs that emphasize phishing awareness, since many ransomware campaigns begin with social engineering. Finally, a well-rehearsed incident response plan ensures that if encryption occurs, affected teams can quickly isolate systems, preserve forensic evidence, and restore operations with minimal data loss.
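As an added defender-side example (not part of the report or of any vendor tooling), the following Python triage function scans process-creation events for the three pre-encryption behaviors the report attributes to Underground ransomware: shadow-copy deletion, remote desktop restriction, and a burst of service stops. The event field names, the constructed sample command lines and the burst threshold are assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample of process-creation events (Sysmon EID 1 / 4688-style fields).
# These are not from the report; they only mirror the behaviors it describes.
SAMPLE_EVENTS = [
    {"host": "FS01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "FS01", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" '
                "/v fDenyTSConnections /t REG_DWORD /d 1 /f"},
    {"host": "FS01", "image": r"C:\Windows\System32\net.exe", "cmdline": "net stop MSSQLSERVER /y"},
    {"host": "FS01", "image": r"C:\Windows\System32\net.exe", "cmdline": "net stop SQLWriter /y"},
    {"host": "FS01", "image": r"C:\Windows\System32\sc.exe", "cmdline": "sc stop vss"},
    {"host": "WS07", "image": r"C:\Windows\System32\net.exe", "cmdline": "net stop Spooler"},
]

# One pattern per pre-encryption behavior named in the report.
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)
RDP_DISABLE = re.compile(r"fDenyTSConnections.*?/d\s+1\b", re.I)
SERVICE_STOP = re.compile(r"\b(net1?(\.exe)?\s+stop|sc(\.exe)?\s+stop)\s+(\S+)", re.I)
SERVICE_STOP_THRESHOLD = 3  # assumed: stops per host before we call it a burst


def triage(events, threshold=SERVICE_STOP_THRESHOLD):
    """Return {host: [finding, ...]} for hosts showing pre-encryption behavior."""
    findings = defaultdict(list)
    stopped = defaultdict(list)  # host -> service names stopped
    for ev in events:
        host, cmd = ev["host"], ev["cmdline"]
        if SHADOW_DELETE.search(cmd):
            findings[host].append("shadow-copy deletion: " + cmd)
        if RDP_DISABLE.search(cmd):
            findings[host].append("remote desktop disabled via registry: " + cmd)
        m = SERVICE_STOP.search(cmd)
        if m:
            stopped[host].append(m.group(4))
    # A single stopped service is routine admin work; a burst is the signal.
    for host, names in stopped.items():
        if len(names) >= threshold:
            findings[host].append("service-stop burst (%d): %s" % (len(names), ", ".join(names)))
    return dict(findings)


if __name__ == "__main__":
    for host, items in triage(SAMPLE_EVENTS).items():
        print(host)
        for item in items:
            print("  -", item)
```

In the sample, FS01 is flagged on all three behaviors while WS07's lone service stop stays below the threshold; lowering the threshold shows how quickly the burst rule turns noisy.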

