
Underground Ransomware Being Distributed Worldwide

Medium
Published: Wed Aug 27 2025 (08/27/2025, 16:22:15 UTC)
Source: AlienVault OTX General

Description

The Underground ransomware gang is conducting global attacks against companies across various countries and industries. First identified in July 2023, the group resurfaced in May 2024 with a new Dedicated Leak Site. Their targets include multinational corporations from diverse sectors, with annual revenues ranging from $20 million to $650 million. The ransomware uses a combination of RNG, AES, and RSA encryption techniques, with each file encrypted using a different AES key. The malware is designed to leave insufficient traces for decryption in the local environment. It categorizes files based on size and employs a striping method for larger files. The ransomware also deletes shadow copies, restricts remote desktop connections, and stops interfering services before encryption.

AI-Powered Analysis

AI Last updated: 08/27/2025, 19:48:01 UTC

Technical Analysis

The Underground ransomware gang, first identified in July 2023 and resurfacing in May 2024 with a new Dedicated Leak Site, is conducting widespread global ransomware attacks targeting multinational corporations across diverse industries. These targets typically have annual revenues between $20 million and $650 million, indicating a focus on mid-to-large enterprises. The ransomware employs a sophisticated encryption scheme combining Random Number Generation (RNG), AES (Advanced Encryption Standard), and RSA (Rivest–Shamir–Adleman) cryptographic techniques. Each file is encrypted with a unique AES key, enhancing the complexity of decryption efforts. For larger files, the ransomware uses a striping method, which segments files into parts before encryption, complicating recovery further. The malware categorizes files based on size to optimize encryption efficiency. Operationally, the ransomware is designed to minimize forensic traces by leaving insufficient data locally for decryption. It actively deletes shadow copies on infected systems, preventing restoration from backups stored in these snapshots. Additionally, it restricts Remote Desktop Protocol (RDP) connections and stops services that could interfere with the encryption process, ensuring uninterrupted execution. The tactics and techniques used align with MITRE ATT&CK IDs such as T1082 (System Information Discovery), T1112 (Modify Registry), T1070.001 (Clear Windows Event Logs), T1083 (File and Directory Discovery), T1562.001 (Impair Defenses: Disable or Modify Tools), T1027 (Obfuscated Files or Information), T1486 (Data Encrypted for Impact), T1573.002 (Encrypted Channel: Symmetric Cryptography), T1012 (Query Registry), T1021.001 (Remote Services: Remote Desktop Protocol), and T1490 (Inhibit System Recovery). 
Currently, there are no known exploits in the wild specifically targeting software vulnerabilities; the infection vector is not detailed but likely involves common ransomware delivery methods such as phishing, exploitation of weak credentials, or compromised remote access. The ransomware’s design to evade detection and complicate recovery makes it a formidable threat to targeted organizations.

Potential Impact

For European organizations, the Underground ransomware poses a significant risk to operational continuity, data confidentiality, and integrity. The encryption of files with unique AES keys and the use of RSA for key protection make decryption without the attacker’s private key practically impossible. The deletion of shadow copies and disabling of recovery mechanisms severely limit the ability to restore systems without paying ransom or relying on offline backups. The restriction of RDP connections and stopping of interfering services can disrupt remote management and incident response efforts, prolonging downtime. Given the targeted companies’ revenue range, these organizations likely have complex IT environments with critical business processes dependent on timely data access. Disruption could lead to financial losses, reputational damage, regulatory penalties (especially under GDPR for data breaches or loss), and potential exposure of sensitive data if data theft accompanies encryption. The global and multi-sector nature of the attacks suggests a broad impact, with European companies in France, Germany, Slovakia, and Spain explicitly identified as affected, indicating active targeting in these countries. The sophistication of the ransomware also implies that smaller organizations with less mature cybersecurity defenses could be at risk if targeted in the future.

Mitigation Recommendations

1. Implement robust, segmented, and regularly tested offline backups to ensure data recovery without paying ransom. Backups should be immutable and stored separately from production networks.
2. Harden RDP and other remote access services by enforcing multi-factor authentication (MFA), limiting access via VPNs or zero-trust network access (ZTNA), and monitoring for unusual login attempts.
3. Employ endpoint detection and response (EDR) solutions capable of detecting ransomware behaviors such as mass file encryption, shadow copy deletion, and service stoppage.
4. Monitor and restrict the use of administrative privileges to prevent unauthorized service stoppage and registry modifications.
5. Regularly update and patch all systems to reduce the attack surface for initial access and lateral movement, even though no specific exploits are known.
6. Conduct user awareness training focused on phishing and social engineering, as these remain common ransomware infection vectors.
7. Implement network segmentation to contain infections and limit ransomware propagation.
8. Enable and monitor Windows event logs and other system telemetry to detect early signs of compromise, despite the malware’s attempts to clear logs.
9. Develop and rehearse incident response plans specifically addressing ransomware scenarios, including communication strategies and legal/regulatory compliance.
10. Collaborate with threat intelligence sharing communities to stay updated on emerging tactics and indicators related to the Underground ransomware group.
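The technical analysis above names four host-level behaviours that precede encryption (shadow copy deletion, RDP restriction, service stoppage, event log clearing), and recommendations 3 and 8 call for detecting them. The following is an added example of that detection logic, written for this page and not taken from the OTX pulse or the AhnLab report. It runs over constructed process-creation events; the specific command lines it matches (vssadmin/wmic/wbadmin for shadow copies, the fDenyTSConnections registry value for RDP, net/sc stop, wevtutil cl) are common ransomware tradecraft assumed by this example, since the page names the behaviours but not the commands. The ATT&CK IDs attached to each rule are the ones the analysis lists.

```python
"""Behavioural detection for the recovery-inhibition and defence-impairment
steps described in the analysis, run over constructed process-creation events.
The command lines matched below are an assumption of this example (common
ransomware tradecraft); the page names only the behaviours, not the commands."""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    host: str
    user: str
    parent: str      # parent process image name
    cmdline: str     # full command line of the created process


# Each rule: (name, ATT&CK ID as listed in the analysis, case-insensitive pattern)
RULES = [
    ("shadow_copy_deletion", "T1490",
     r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|"
     r"wbadmin(\.exe)?\s+delete\s+catalog)\b"),
    # Setting fDenyTSConnections to 1 disables inbound Remote Desktop.
    ("rdp_restriction_via_registry", "T1112",
     r"fDenyTSConnections\b.*/d\s+1\b"),
    ("service_stop", "T1562.001",
     r"\b(net1?(\.exe)?\s+stop|sc(\.exe)?\s+stop)\s+\S+"),
    ("event_log_clearing", "T1070.001",
     r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b"),
]
COMPILED = [(name, tid, re.compile(pat, re.IGNORECASE)) for name, tid, pat in RULES]


def scan_events(events):
    """Return one finding dict per (event, rule) match."""
    findings = []
    for ev in events:
        for name, tid, rx in COMPILED:
            if rx.search(ev.cmdline):
                findings.append({"host": ev.host, "user": ev.user, "parent": ev.parent,
                                 "rule": name, "technique": tid, "cmdline": ev.cmdline})
    return findings


def summarise(findings):
    """Distinct techniques seen per host. Several distinct recovery-inhibition
    techniques from one host in a short window is a far stronger ransomware
    signal than any single command, which may be legitimate administration."""
    per_host = {}
    for f in findings:
        per_host.setdefault(f["host"], set()).add(f["technique"])
    return {host: sorted(techs) for host, techs in per_host.items()}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent("ws-042", "CORP\\jdoe", "explorer.exe",
                 r'"C:\Program Files\App\app.exe" --update'),
    ProcessEvent("ws-042", "CORP\\jdoe", "cmd.exe",
                 "vssadmin.exe delete shadows /all /quiet"),
    ProcessEvent("ws-042", "CORP\\jdoe", "cmd.exe",
                 'reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" '
                 '/v fDenyTSConnections /t REG_DWORD /d 1 /f'),
    ProcessEvent("ws-042", "CORP\\jdoe", "cmd.exe", "net stop MSSQLSERVER /y"),
    ProcessEvent("ws-042", "CORP\\jdoe", "cmd.exe", "wevtutil cl Security"),
    # A lone service stop by an admin account: matches one rule, but summarise()
    # shows only a single technique on that host.
    ProcessEvent("srv-07", "CORP\\backupsvc", "services.exe", "sc stop wuauserv"),
    ProcessEvent("srv-07", "CORP\\backupsvc", "cmd.exe",
                 "wbadmin start backup -backupTarget:E:"),
]

if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['host']:7} {f['technique']:9} {f['rule']:28} {f['cmdline']}")
    print(summarise(found))
```

Per-host aggregation is the part worth keeping: a single `sc stop` is routine, whereas shadow copy deletion, an RDP registry change, service stops and a log clear from the same host and user within minutes is the sequence the analysis describes.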

Affected Countries


Technical Details

Author
AlienVault
Tlp
white
References
https://asec.ahnlab.com/en/89835
Adversary
Underground
Pulse Id
68af30b7cd42cadb1e4cffbd
Threat Score
null

Indicators of Compromise

Hash

Value                                                              Description
76a3ee4f0447ad47767d2b6f808b7fc6                                   hash
bbbf99de707dd28c938668d34c2e1b26                                   hash
9ba1eef332939a534fac8d38b39ecd001a8d0fa5                           hash
af40ff8d076fa667d4a2bac519b895d3ca02ac01                           hash
56ccc7562cea5da87146fcc74b158051bf4e52e5e163ad4e810a417726382975   hash
b6cd9094503f184c05afb851644c079dc177001fa2b2286cdb5861338cdb655a   hash
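The pulse lists its hash indicators without saying which algorithm each one is, which a practitioner has to work out before feeding them to a scanner. The following is an added example, not code from the OTX pulse or the AhnLab report, that classifies each listed value by digest length (32 hex characters for MD5, 40 for SHA-1, 64 for SHA-256), builds a per-algorithm lookup, and checks in-memory file contents against it. The sample files are constructed byte strings, and `CONSTRUCTED_IOC` is a digest computed from one of them so that the example can show a hit; it is not a real indicator and stands in only for the page's values, which would match only the actual samples.

```python
"""Classify the hash IoCs listed on this page by algorithm and match file
contents against them. Sample files and CONSTRUCTED_IOC are constructed for
this example and are not real indicators."""
import hashlib

# Indicators as listed on this page (hex digests, algorithm not stated).
IOC_HASHES = [
    "76a3ee4f0447ad47767d2b6f808b7fc6",
    "bbbf99de707dd28c938668d34c2e1b26",
    "9ba1eef332939a534fac8d38b39ecd001a8d0fa5",
    "af40ff8d076fa667d4a2bac519b895d3ca02ac01",
    "56ccc7562cea5da87146fcc74b158051bf4e52e5e163ad4e810a417726382975",
    "b6cd9094503f184c05afb851644c079dc177001fa2b2286cdb5861338cdb655a",
]

ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_DIGITS = set("0123456789abcdef")


def classify(digest: str) -> str:
    """Infer the algorithm from the digest's hex length; reject malformed entries
    so a typo in a feed never silently becomes an indicator that can't match."""
    d = digest.strip().lower()
    if not d or not set(d) <= HEX_DIGITS:
        raise ValueError(f"not a hex digest: {digest!r}")
    algo = ALGO_BY_HEX_LEN.get(len(d))
    if algo is None:
        raise ValueError(f"unsupported digest length {len(d)}: {digest!r}")
    return algo


def build_index(iocs):
    """Group normalised digests by algorithm for O(1) lookup."""
    index = {"md5": set(), "sha1": set(), "sha256": set()}
    for h in iocs:
        index[classify(h)].add(h.strip().lower())
    return index


def digests(data: bytes):
    """All three digests of one blob, computed once."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def scan_files(files, index):
    """files: mapping name -> bytes. Returns name -> list of (algo, digest) hits."""
    results = {}
    for name, data in files.items():
        d = digests(data)
        results[name] = [(algo, d[algo]) for algo in ("md5", "sha1", "sha256")
                         if d[algo] in index[algo]]
    return results


# Constructed sample contents (not real files).
SAMPLE_FILES = {
    "invoice.pdf": b"%PDF-1.4\n% constructed benign sample\n",
    "update.exe": b"MZ constructed sample bytes standing in for a matched file",
}
# Constructed stand-in indicator: the SHA-256 of one sample, so a hit can be shown.
CONSTRUCTED_IOC = hashlib.sha256(SAMPLE_FILES["update.exe"]).hexdigest()

if __name__ == "__main__":
    idx = build_index(IOC_HASHES + [CONSTRUCTED_IOC])
    print({algo: len(vals) for algo, vals in idx.items()})
    for name, hits in scan_files(SAMPLE_FILES, idx).items():
        print(name, "->", hits or "no match")
```

Hash indicators are the weakest signal on this page: a rebuilt or repacked sample changes every digest, so the behavioural monitoring in the mitigation section should be the primary control and hash matching a cheap secondary check on quarantined files and mail attachments.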

Threat ID: 68af5d62ad5a09ad0065aba9

Added to database: 8/27/2025, 7:32:50 PM

Last enriched: 8/27/2025, 7:48:01 PM

Last updated: 8/31/2025, 6:26:59 PM

Views: 16
