Underground Ransomware Continues to Attack Industries Of Various Sizes

Over the past year, the ransomware actor known as “Underground” has been less active than other groups, yet they remain a threat in the cybersecurity landscape.

Despite their reduced activity, Underground continues to target industries of various sizes, causing substantial disruptions and financial losses.

Lengthy Ransom Notes and Exfiltrated Data

According to Broadway reports, Underground is notorious for generating a lengthy ransom note, typically named! Unable to render embedded object: File (READ_ME) not found.!.txt. This note contains detailed information about the data that has been infiltrated.

Looking for Full Data Breach Protection? Try Cynet's All-in-One Cybersecurity Platform for MSPs:Try Free Demo 

Victims are provided with an ID and a password, which they must use to connect with the ransomware group through a website on the TOR network.

Associated malicious indicators are blocked and detected by existing policies within VMware Carbon Black products.

The recommended policy is to block all types of malware (Known, Suspect, and PUP) from executing and delay execution for cloud scans to maximize the benefits of VMware Carbon Black Cloud reputation service.

While Underground may not be as active as other ransomware groups, their continued presence and ability to target various industries make them a persistent threat.

Organizations must remain vigilant and employ comprehensive cybersecurity measures to protect against sophisticated attacks.

Are you from SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Sign up for free