Casio Hit by Underground Ransomware Gang: Stolen Data Leaked

October 10, 2024

The Underground ransomware group has declared its role in a cyber attack against Casio, a prominent Japanese technology company, on October 5. The attack led to system disruptions and affected some of the company's services. Despite Casio acknowledging the attack on its website, it refrained from providing specific details about the incident. Instead, it announced that it had employed external IT experts to determine whether personal or confidential information had been stolen during the attack.

In a recent development, the Underground ransomware group has listed Casio on its dark web extortion site and released a large volume of data it claims to have stolen from the company. If the claims are accurate, the breach may have exposed data on Casio's workforce as well as its intellectual property, with a potentially detrimental effect on its business operations. Casio was contacted for comment on the threat actors' allegations and the leak, but had not responded at the time of writing, so the veracity of the claims remains unconfirmed.

A report from Fortinet in late August 2024 indicates that Underground is a relatively minor ransomware operation that has been targeting Windows systems since July 2023. The ransomware strain is linked to the Russian cybercrime group 'RomCom' (Storm-0978), known for delivering Cuba ransomware on compromised systems. During the summer, Underground ransomware operators reportedly exploited CVE-2023-36884, a remote code execution vulnerability in Microsoft Office, likely used as an entry point for infection.

After breaching a system, the attackers reportedly modify the registry so that disconnected Remote Desktop sessions stay alive for 14 days, giving them a substantial window in which to retain access. The Underground ransomware adds no extension to the files it encrypts and skips file types that Windows needs in order to run, so that the system is not rendered inoperable. It also stops the MS SQL Server service so that database files are no longer locked and can be stolen and encrypted, maximizing the impact of the attack. Like most Windows ransomware, Underground deletes shadow copies to prevent easy data restoration.
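A defender-side audit for the host-level traces described in this paragraph, added here as an example rather than taken from the article or from Fortinet's report. It assumes the 14-day setting lands in the standard Group Policy location for disconnected-session limits (the MaxDisconnectionTime value under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services), that SQL Server services follow the usual MSSQL* naming, and that registry object-access auditing is enabled if the event-log check is to return anything.

```powershell
# Added example: audit a Windows host for the traces described above.
# Assumption: the RDP change is made via the Group Policy key for
# "Set time limit for disconnected sessions" (MaxDisconnectionTime, in ms).
$RdpPolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$FourteenDaysMs = 14 * 24 * 60 * 60 * 1000   # 1209600000

function Test-RdpDisconnectTimeout {
    # Flags a disconnected-session limit of 14 days or more.
    $val = (Get-ItemProperty -Path $RdpPolicyKey -Name MaxDisconnectionTime `
            -ErrorAction SilentlyContinue).MaxDisconnectionTime
    [pscustomobject]@{
        Check      = 'RDP MaxDisconnectionTime'
        Value      = $val
        Suspicious = ($null -ne $val -and $val -ge $FourteenDaysMs)
    }
}

function Test-SqlServiceStopped {
    # A stopped SQL Server service (MSSQLSERVER or MSSQL$<instance>) on a host
    # that has one installed matches the pre-encryption behaviour described.
    Get-Service -Name 'MSSQL*' -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Check      = "Service $($_.Name)"
            Value      = $_.Status
            Suspicious = ($_.Status -ne 'Running')
        }
    }
}

function Test-ShadowCopiesPresent {
    # Zero shadow copies on a host where System Protection is normally on
    # is consistent with shadow-copy deletion and deserves a closer look.
    $count = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue).Count
    [pscustomobject]@{ Check = 'Volume shadow copies'; Value = $count; Suspicious = ($count -eq 0) }
}

function Get-RdpPolicyRegistryChanges {
    # Security event 4657 (registry value modified) requires object-access
    # auditing on the key; the message filter below is an assumption.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*Terminal Services*MaxDisconnectionTime*' }
}

Test-RdpDisconnectTimeout
Test-SqlServiceStopped
Test-ShadowCopiesPresent
Get-RdpPolicyRegistryChanges | Select-Object TimeCreated, Id | Format-Table -AutoSize
```

Run from an elevated PowerShell session; a Suspicious result on any check is a prompt to investigate, not proof of compromise, since administrators may legitimately set long session limits or disable System Protection.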

Uniquely, Underground also disseminates the stolen data on Mega and promotes links to the archives hosted there through its Telegram channel, thereby increasing the data's exposure and accessibility. The extortion portal of Underground ransomware currently lists 17 victims, predominantly based in the USA. It remains uncertain whether the attack on Casio will propel the threat group into the mainstream, potentially leading to an increase in attack volume or pace.
