Underground is a ransomware family closely associated with the RomCom threat actor, also tracked as Storm-0978/DEV-0978. Microsoft and other reporting in the provided content describe Storm-0978 as deploying Underground in opportunistic ransomware, extortion-only, and double-extortion operations, with significant code overlap to Industrial Spy suggesting possible rebranding. Activity using Underground is noted from at least July 2023, and victims referenced in the content span telecommunications, finance, construction, pharmaceuticals, manufacturing, and other industrial sectors across North America, Europe, and Ukraine-related targeting contexts.
Reported initial access and delivery methods include exploitation of CVE-2023-36884 (Microsoft Office/Windows HTML RCE), phishing emails, trojanized legitimate software installers, and access obtained via Initial Access Brokers. The malware is described as deleting shadow copies via "vssadmin.exe delete shadows /all /quiet," stopping Microsoft SQL Server with "net.exe stop MSSQLSERVER /f /m," modifying Remote Desktop session settings under "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" by setting "MaxDisconnectionTime" to "1209600000," dropping ransom notes named "!!readme!!!.txt," encrypting files without changing extensions, and avoiding encryption of critical system files such as .sys, .exe, and .dll. It also creates a temporary script named "temp.cmd" to delete the original ransomware binary and clears Windows Event Logs to hinder forensic investigation.
The operators are reported to maintain a data leak site and a Telegram channel used to publish stolen data, including links to files hosted on Mega. As of July 2024, the leak site reportedly listed 16 victims. Sample hashes associated with Underground in the provided content include 9d41b2f7c07110fb855c62b5e7e330a597860916599e73dd3505694fd1bbe163, 9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f, cc80c74a3592374341324d607d877dcf564d326a1354f3f2a4af58030e716813, d4a847fa9c4c7130a852a2e197b205493170a8b44426d9ec481fc4b285a92666, and eb8ed3b94fa978b27a02754d4f41ffc95ed95b9e62afb492015d0eb25f89956f.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
The Underground ransomware is likely spread by the RomCom group (also known as Storm-0978). | The Underground ransomware is likely spread by the RomCom group (also known as Storm-0978). The group exploits the Microsoft Office and Windows HTML RCE vulnerability (CVE-2023-36884).
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
The Underground ransomware is likely spread by the RomCom group (also known as Storm-0978).
1 distinct technique documented for this family, organized by ATT&CK tactic.
8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Standalone credential extraction tool that injects a reflective DLL into suspended browser processes, uses named pipes and COM-based ABE bypass to decrypt browser keys, and writes passwords, cookies, payment cards, and tokens to C:\ProgramData\Underground. Torg Grabber scavenges its output in early builds.
Minimal-activity ransomware brand referenced as part of the long-tail of operators.
A ransomware family used in RomCom-linked monetization campaigns featuring double extortion.
A ransomware operation mentioned as conducting attacks across multiple countries/industries (including South Korea).
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.