{
  "name": "Underground Ransomware Being Distributed Worldwide",
  "slug": "underground-ransomware-being-distributed-worldwide",
  "description": "The Underground ransomware gang is conducting global attacks against companies across various countries and industries. First identified in July 2023, the group resurfaced in May 2024 with a new Dedicated Leak Site. Their targets include multinational corporations from diverse sectors, with annual revenues ranging from $20 million to $650 million. The ransomware uses a combination of RNG, AES, and RSA encryption techniques, with each file encrypted using a different AES key. The malware is designed to leave insufficient traces for decryption in the local environment. It categorizes files based on size and employs a striping method for larger files. The ransomware also deletes shadow copies, restricts remote desktop connections, and stops interfering services before encryption.",
  "published": "2025-08-27T14:22:15+00:00",
  "created_at": "2025-08-27T14:22:15+00:00",
  "modified_at": "2025-08-27T17:43:53+00:00",
  "created_at_opencti": "2025-08-27T14:22:15+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-08-27",
    "data theft",
    "encryption",
    "global attacks",
    "ransomware",
    "striping method",
    "underground ransomware"
  ],
  "related_entities": {
    "malware": [
      {
        "id": "legacy:malware:8c7832c1dd8052f2",
        "name": "Underground ransomware",
        "slug": "underground-ransomware"
      }
    ],
    "intrusion_sets": [
      {
        "id": "d1cc2847-90cf-4691-a70e-d2cd7f2fc0be",
        "name": "Underground",
        "slug": "underground"
      }
    ],
    "attack_patterns": [
      {
        "id": "195d9773-4de3-4f61-b94d-a2b53cb65608",
        "name": "T1021.001"
      },
      {
        "id": "da44e22e-1925-42e4-b30d-ac38860d39bb",
        "name": "T1070.001"
      },
      {
        "id": "ecaaa4cc-d487-4002-bcb2-f769acfcc38f",
        "name": "T1490"
      },
      {
        "id": "e7d42089-23ed-495f-a2bc-c942c4e56fb7",
        "name": "T1573.002"
      },
      {
        "id": "93b2c4dd-5523-4464-8976-78754ee372fd",
        "name": "T1012"
      },
      {
        "id": "7364ca96-72bf-4b7f-afef-ce2583b1ed58",
        "name": "T1562.001"
      },
      {
        "id": "f1bb7823-4f4b-4565-b472-bf0cfca467b1",
        "name": "T1486"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "09124a92-c11f-4571-b35b-ab0bce6dd081",
        "name": "T1112"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Slovakia"
      },
      {
        "id": "",
        "name": "Singapore"
      },
      {
        "id": "",
        "name": "Australia"
      },
      {
        "id": "",
        "name": "Taiwan"
      },
      {
        "id": "",
        "name": "United Arab Emirates"
      },
      {
        "id": "",
        "name": "Spain"
      },
      {
        "id": "",
        "name": "Canada"
      },
      {
        "id": "",
        "name": "France"
      },
      {
        "id": "",
        "name": "Germany"
      },
      {
        "id": "",
        "name": "United States of America"
      },
      {
        "id": "",
        "name": "Construction"
      },
      {
        "id": "",
        "name": "Technology"
      },
      {
        "id": "",
        "name": "Manufacturing"
      }
    ]
  },
  "external_refs": [
    "https://asec.ahnlab.com/en/89835",
    "https://otx.alienvault.com/pulse/68af30b7cd42cadb1e4cffbd"
  ]
}