The Underground ransomware gang has claimed responsibility for the October 5 cyberattack on Japanese tech giant Casio, which led to system disruptions and affected some of the company’s services. Although Casio initially acknowledged the breach on its website, it withheld specific details, stating that external IT specialists were investigating whether personal or confidential data was compromised.
Today, the Underground ransomware group listed Casio on its dark web extortion site, leaking what they claim to be stolen data from the company. The disclosed information includes:
- Confidential documents (labelled 社外秘, "company confidential")
- Legal documents
- Personal data of employees
- Confidential NDAs
- Employee payroll information
- Patent information
- Company financial documents
- Project information
- Incident reports
If these claims are accurate, the breach has potentially compromised Casio’s workforce data and valuable intellectual property, which could have significant negative implications for the company’s business operations and reputation.
### Underground ransomware overview
According to a Fortinet report from August 2024, *Underground* is a relatively small-scale ransomware operation that has been targeting Windows systems since July 2023. This ransomware strain is linked to the Russian cybercrime group *RomCom* (also known as *Storm-0978*), which previously used *Cuba ransomware* in its attacks.
During the summer of 2024, *Underground* operators were reported to have exploited *CVE-2023-36884*, a remote code execution vulnerability in Microsoft Office, as a likely infection vector. Once they successfully breach a system, the attackers modify the registry to keep Remote Desktop sessions active for up to 14 days after a user disconnects, ensuring they have extended access to the compromised systems.
### Key Characteristics of Underground Ransomware
- File Handling: The ransomware does not append a new extension to encrypted files, and it skips the file types Windows needs in order to boot and run, so the system remains usable rather than collapsing outright.
- Data Handling: The attackers stop the MS SQL Server service on the compromised system so that database files are no longer locked and can be both encrypted and exfiltrated, maximizing the impact of the attack.
- Data Recovery Prevention: Like most ransomware targeting Windows systems, *Underground* deletes Volume Shadow Copies so that files cannot simply be restored from local snapshots.
- Extortion Tactics: An unusual aspect of *Underground's* approach is its use of the cloud storage service *Mega* to leak stolen data, with download links to the archives promoted through its Telegram channel. This gives the leaks broader exposure and makes the stolen data more readily available than a Tor-only leak site would.
- Victim Profile: The group's extortion portal currently lists 17 victims, most of them located in the United States.
The *Underground* ransomware group’s current tactics reflect a deliberate strategy to maintain access to compromised systems and maximize data exposure while avoiding detection and system disruption.
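The three host-level behaviours described above (deleting shadow copies, stopping the MS SQL Server service, and lengthening the Remote Desktop disconnected-session limit) can be turned into triage rules over process-creation logs; the following is an added example written for this article, not code from Fortinet or from any report cited here. The sample events are constructed, the article does not name the registry value, so the standard `MaxDisconnectionTime` policy value under `Terminal Services` is assumed, and the one-day threshold is likewise an assumption.

```python
import re

# Constructed sample process-creation records (hypothetical, not logs from the
# Casio incident): (host, user, command line) as exported from Windows
# Security event 4688 or Sysmon event ID 1 with command-line logging enabled.
SAMPLE_EVENTS = [
    ("WS-12", "jdoe", "vssadmin.exe delete shadows /all /quiet"),
    ("DB-01", "svc_sql", "net stop MSSQLSERVER"),
    ("DB-01", "svc_sql", "sc.exe stop MSSQLSERVER"),
    ("WS-12", "jdoe", 'reg add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT'
                      '\\Terminal Services" /v MaxDisconnectionTime /t REG_DWORD'
                      " /d 1209600000 /f"),
    ("WS-07", "admin", "notepad.exe C:\\Users\\admin\\notes.txt"),
]

ONE_DAY_MS = 24 * 60 * 60 * 1000  # MaxDisconnectionTime is stored in milliseconds

# Each rule maps a tag from the behaviour list above to a command-line pattern.
RULES = {
    "shadow_copy_deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "mssql_service_stop": re.compile(r"\b(net|sc)(\.exe)?\s+stop\s+MSSQL", re.I),
    # Group 1 captures the DWORD written for the disconnected-session limit.
    "rdp_disconnect_timeout": re.compile(r"MaxDisconnectionTime\b.*?/d\s+(\d+)", re.I),
}


def classify(cmdline):
    """Return the behaviour tags that match one command line."""
    tags = []
    for tag, rx in RULES.items():
        m = rx.search(cmdline)
        if not m:
            continue
        # Only an unusually long disconnect limit is a signal (assumed threshold: one day).
        if tag == "rdp_disconnect_timeout" and int(m.group(1)) < ONE_DAY_MS:
            continue
        tags.append(tag)
    return tags


def scan(events):
    """Return (host, user, tags) for every event that matches at least one rule."""
    flagged = []
    for host, user, cmd in events:
        tags = classify(cmd)
        if tags:
            flagged.append((host, user, tags))
    return flagged


if __name__ == "__main__":
    print(*scan(SAMPLE_EVENTS), sep="\n")
```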