The Underground ransomware is likely spread by the RomCom group (also known as Storm-0978).
Underground
Underground is a ransomware family closely associated with the RomCom threat actor, also tracked as Storm-0978/DEV-0978.
Profile source: Mallory opens in a new tabUnderground
Family profile
Underground is a ransomware family closely associated with the RomCom threat actor, also tracked as Storm-0978/DEV-0978. Microsoft and other reporting in the provided content describe Storm-0978 as deploying Underground in opportunistic ransomware, extortion-only, and double-extortion operations, with significant code overlap to Industrial Spy suggesting possible rebranding. Activity using Underground is noted from at least July 2023, and victims referenced in the content span telecommunications, finance, construction, pharmaceuticals, manufacturing, and other industrial sectors across North America, Europe, and Ukraine-related targeting contexts.
Reported initial access and delivery methods include exploitation of CVE-2023-36884 (Microsoft Office/Windows HTML RCE), phishing emails, trojanized legitimate software installers, and access obtained via Initial Access Brokers. The malware is described as deleting shadow copies via "vssadmin.exe delete shadows /all /quiet," stopping Microsoft SQL Server with "net.exe stop MSSQLSERVER /f /m," modifying Remote Desktop session settings under "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" by setting "MaxDisconnectionTime" to "1209600000," dropping ransom notes named "!!readme!!!.txt," encrypting files without changing extensions, and avoiding encryption of critical system files such as .sys, .exe, and .dll. It also creates a temporary script named "temp.cmd" to delete the original ransomware binary and clears Windows Event Logs to hinder forensic investigation.
The operators are reported to maintain a data leak site and a Telegram channel used to publish stolen data, including links to files hosted on Mega. As of July 2024, the leak site reportedly listed 16 victims. Sample hashes associated with Underground in the provided content include 9d41b2f7c07110fb855c62b5e7e330a597860916599e73dd3505694fd1bbe163, 9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f, cc80c74a3592374341324d607d877dcf564d326a1354f3f2a4af58030e716813, d4a847fa9c4c7130a852a2e197b205493170a8b44426d9ec481fc4b285a92666, and eb8ed3b94fa978b27a02754d4f41ffc95ed95b9e62afb492015d0eb25f89956f.
Ransomware.live
Operational record
Reported operators
Threat actors
1 named in public reportingExploited software
Vulnerabilities linked to Underground
1 CVEsMITRE ATT&CK
Underground in ATT&CK
1 distinct techniquesTechniques
1 techniqueReporting
Research mentioning Underground
Gen Blogs | Torg Grabber: Anatomy of a New Credential Stealer
Early Torg Grabber builds contained code to harvest credentials from C:\ProgramData\Underground... “Underground” isn’t a browser at all. It’s a standalone credential extraction tool with a two-stage architecture...
Dragos Industrial Ransomware Analysis: Q3 2025 | Dragos
“Minimal-activity Groups… such as Underground… each registered one incident.”
RomCom Threat Actor Evolution (2023-2025)
Ransomware: RomCom deploys Industrial Spy, Underground, and Cuba ransomware in double extortion campaigns...
⚡ Weekly Recap: WhatsApp 0-Day, Docker Bug, Salesforce Breach, Fake CAPTCHAs, Spyware App & More
the Underground and NightSpire ransomware gangs have launched ransomware attacks against companies in various countries and industries
OT Ransomware Trends: Q2 2025 Analysis & Insights | Dragos
“Newly identified ransomware groups… Underground…”
contagio: 2024-08-29 UNDERGROUND Ransomware Samples
The Underground ransomware is likely spread by the RomCom group (also known as Storm-0978).
Microsoft’s July 2023 Patch Tuesday Addresses 130 CVEs (CVE-2023-36884) - Blog | Tenable®
...known for conducting ransomware attacks, including extortion-only campaigns, using a ransomware known as Underground.
Storm-0978 attacks reveal financial and espionage motives | Microsoft Security Blog
Since as early as July 2023, Storm-0978 began to use a ransomware variant called Underground, which contains significant code overlaps with the Industrial Spy ransomware.