Skip to content
Ransomware group

Underground

Underground is a ransomware family closely associated with the RomCom threat actor, also tracked as Storm-0978/DEV-0978.

Profile source: Mallory opens in a new tab

Underground

Family profile

Underground is a ransomware family closely associated with the RomCom threat actor, also tracked as Storm-0978/DEV-0978. Microsoft and other reporting in the provided content describe Storm-0978 as deploying Underground in opportunistic ransomware, extortion-only, and double-extortion operations, with significant code overlap to Industrial Spy suggesting possible rebranding. Activity using Underground is noted from at least July 2023, and victims referenced in the content span telecommunications, finance, construction, pharmaceuticals, manufacturing, and other industrial sectors across North America, Europe, and Ukraine-related targeting contexts.

Reported initial access and delivery methods include exploitation of CVE-2023-36884 (Microsoft Office/Windows HTML RCE), phishing emails, trojanized legitimate software installers, and access obtained via Initial Access Brokers. The malware is described as deleting shadow copies via "vssadmin.exe delete shadows /all /quiet," stopping Microsoft SQL Server with "net.exe stop MSSQLSERVER /f /m," modifying Remote Desktop session settings under "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" by setting "MaxDisconnectionTime" to "1209600000," dropping ransom notes named "!!readme!!!.txt," encrypting files without changing extensions, and avoiding encryption of critical system files such as .sys, .exe, and .dll. It also creates a temporary script named "temp.cmd" to delete the original ransomware binary and clears Windows Event Logs to hinder forensic investigation.

The operators are reported to maintain a data leak site and a Telegram channel used to publish stolen data, including links to files hosted on Mega. As of July 2024, the leak site reportedly listed 16 victims. Sample hashes associated with Underground in the provided content include 9d41b2f7c07110fb855c62b5e7e330a597860916599e73dd3505694fd1bbe163, 9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f, cc80c74a3592374341324d607d877dcf564d326a1354f3f2a4af58030e716813, d4a847fa9c4c7130a852a2e197b205493170a8b44426d9ec481fc4b285a92666, and eb8ed3b94fa978b27a02754d4f41ffc95ed95b9e62afb492015d0eb25f89956f.

Ransomware.live

Operational record

View group record ↗

Reported operators

Threat actors

1 named in public reporting
RomCom

The Underground ransomware is likely spread by the RomCom group (also known as Storm-0978).

Exploited software

Vulnerabilities linked to Underground

1 CVEs

MITRE ATT&CK

Underground in ATT&CK

1 distinct techniques

Reporting

Research mentioning Underground

Mar 24
Gen Insights Research

Gen Blogs | Torg Grabber: Anatomy of a New Credential Stealer

Early Torg Grabber builds contained code to harvest credentials from C:\ProgramData\Underground... “Underground” isn’t a browser at all. It’s a standalone credential extraction tool with a two-stage architecture...

Dec 9
Dragos

Dragos Industrial Ransomware Analysis: Q3 2025 | Dragos

“Minimal-activity Groups… such as Underground… each registered one incident.”

Oct 2
Picus Security

RomCom Threat Actor Evolution (2023-2025)

Ransomware: RomCom deploys Industrial Spy, Underground, and Cuba ransomware in double extortion campaigns...

Sep 1
The Hacker News

⚡ Weekly Recap: WhatsApp 0-Day, Docker Bug, Salesforce Breach, Fake CAPTCHAs, Spyware App & More

the Underground and NightSpire ransomware gangs have launched ransomware attacks against companies in various countries and industries

Aug 14
Dragos

OT Ransomware Trends: Q2 2025 Analysis & Insights | Dragos

“Newly identified ransomware groups… Underground…”

Aug 29
Contagiodump

contagio: 2024-08-29 UNDERGROUND Ransomware Samples

The Underground ransomware is likely spread by the RomCom group (also known as Storm-0978).

Jul 11
Tenable

Microsoft’s July 2023 Patch Tuesday Addresses 130 CVEs (CVE-2023-36884) - Blog | Tenable®

...known for conducting ransomware attacks, including extortion-only campaigns, using a ransomware known as Underground.

Jul 11
Microsoft Security

Storm-0978 attacks reveal financial and espionage motives | Microsoft Security Blog

Since as early as July 2023, Storm-0978 began to use a ransomware variant called Underground, which contains significant code overlaps with the Industrial Spy ransomware.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.