underground
Intelligence Profile
Underground ransomware is deployed by the Russia-based RomCom group (also tracked as Storm-0978). Since July 2023 it has victimized companies across multiple industries in intrusions that exploited CVE-2023-36884. The ransomware encrypts files without changing their extensions, so an encrypted share does not announce itself by a renamed-file pattern, and it deletes Volume Shadow Copies and Windows event logs before or during encryption to hinder recovery and forensics. The operators run double-extortion campaigns, pairing encryption with the threat of publishing stolen data.
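The two host-level behaviours the profile names, shadow-copy deletion and event-log clearing, are visible in process-creation telemetry even though the encryption itself leaves file extensions untouched. The following is an added detection example written for this profile; it is not code from the original page, from RomCom tooling, or from any vendor report. It assumes a flattened Sysmon-style event format and a set of typical command lines (vssadmin, wmic shadowcopy, wevtutil cl and their PowerShell equivalents) that the page does not itself name, and it correlates the two behaviours per host on constructed sample events:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events in a flattened key=value form, loosely modelled on
# Sysmon Event ID 1 fields. They are illustrative only, not telemetry from a real incident.
SAMPLE_EVENTS = [
    'ts=2023-08-01T10:02:11Z host=WS01 user=CORP\\alice image=C:\\Windows\\System32\\notepad.exe cmd="notepad.exe C:\\Users\\alice\\todo.txt"',
    'ts=2023-08-01T10:05:40Z host=WS01 user=CORP\\alice image=C:\\Windows\\System32\\vssadmin.exe cmd="vssadmin.exe delete shadows /all /quiet"',
    'ts=2023-08-01T10:05:41Z host=WS01 user=CORP\\alice image=C:\\Windows\\System32\\wevtutil.exe cmd="wevtutil.exe cl Security"',
    'ts=2023-08-01T10:05:42Z host=WS01 user=CORP\\alice image=C:\\Windows\\System32\\wevtutil.exe cmd="wevtutil.exe cl System"',
    'ts=2023-08-01T11:15:03Z host=WS02 user=CORP\\backupsvc image=C:\\Windows\\System32\\wbem\\WMIC.exe cmd="wmic shadowcopy delete"',
    'ts=2023-08-01T11:20:19Z host=WS03 user=CORP\\bob image=C:\\Windows\\System32\\wevtutil.exe cmd="wevtutil.exe qe System /c:5 /f:text"',
]

# Assumed-typical command patterns for the two behaviours named in the profile. The page does
# not state which exact commands Underground uses, so these are generic, not indicators from it.
RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow_copy_deletion", re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("shadow_copy_deletion", re.compile(r"win32_shadowcopy.*\bdelete\b", re.I)),
    ("event_log_clearing", re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b", re.I)),
    ("event_log_clearing", re.compile(r"\bclear-eventlog\b", re.I)),
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Split one flattened event line into a dict; quoted values may contain spaces."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2023-08-01T10:05:40Z; None if absent."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def detect(lines):
    """Return one hit per event whose command line matches a rule (first rule wins)."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        cmd = ev.get("cmd", "")
        for rule, pattern in RULES:
            if pattern.search(cmd):
                hits.append({"host": ev.get("host"), "time": parse_ts(ev.get("ts")),
                             "rule": rule, "cmd": cmd})
                break
    return hits


def correlate(hits, window=timedelta(minutes=15)):
    """Hosts where shadow-copy deletion and log clearing occur within `window` of each other.

    Either behaviour alone has benign explanations (backup maintenance, an admin rotating
    logs); both on one host in quick succession is the pre-encryption pattern worth paging on.
    """
    by_host = defaultdict(list)
    for hit in hits:
        if hit["time"] is not None:
            by_host[hit["host"]].append(hit)
    flagged = []
    for host, host_hits in by_host.items():
        shadows = [h["time"] for h in host_hits if h["rule"] == "shadow_copy_deletion"]
        logs = [h["time"] for h in host_hits if h["rule"] == "event_log_clearing"]
        if any(abs(a - b) <= window for a in shadows for b in logs):
            flagged.append(host)
    return sorted(flagged)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for hit in found:
        print(f'{hit["time"]:%H:%M:%S} {hit["host"]} {hit["rule"]}: {hit["cmd"]}')
    print("hosts showing both behaviours:", correlate(found))
```

On the sample data only WS01 shows both behaviours within the window; WS02's lone `wmic shadowcopy delete` under a backup service account and WS03's read-only `wevtutil qe` are left as single or zero hits. In production the same logic belongs in the SIEM as a per-host sequence rule, with the benign-query exclusion kept so that log queries do not page anyone.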
Threat Analysis
underground is a ransomware operation that deploys encryption-based extortion against organizations globally. The group maintains a data leak site (DLS) where data stolen before encryption is posted, or threatened with publication, to pressure victims into paying.
Like other financially motivated threat actors, underground prioritizes monetary gain. Groups in this category pursue it through methods such as ransomware deployment, banking trojans, cryptocurrency theft, business email compromise (BEC) scams, and credential harvesting for resale on underground markets; for underground specifically, the page documents the ransomware and data-leak model.