LIVE
LATEST THREAT: Space Bears: The Data Extortion Group With a Corporate Aesthetic and MSSQL Focus THREAT ALERT ACTIVE
Intelligence DB / Group Profile Underground

Underground Ransomware: Group Profile

Underground ransomware is the extortion arm of RomCom, a Russia-linked threat actor with documented espionage and criminal operations. Active since June 2023, the group has claimed over 50 victims across government, healthcare, and manufacturing, with a distinctive dual mandate that sets it apart from purely criminal ransomware operations.

By Ransomware Tracker ·
UndergroundRomComStorm-0978ransomwareRussiaespionagedouble extortionhealthcaregovernmenthybrid threat
Threat Level
8/10
Sectors Targeted
government
healthcare
manufacturing
legal
Ransomware Family
Underground

Overview

Underground ransomware is the financially-motivated extortion component of RomCom, the Russia-linked threat actor tracked as Storm-0978 by Microsoft, UNC2596 by Mandiant, and Tropical Scorpius by CrowdStrike. This dual mandate — espionage and criminal extortion running in parallel — places Underground in a small category of ransomware operations where the criminal revenue generation and the intelligence collection cannot be cleanly separated.

The group launched Underground’s branded ransomware operation in June 2023, following a period in which RomCom was observed deploying INDUSTRIAL SPY ransomware without a distinct brand. Underground maintains a dark web leak site, uses double extortion, and has claimed over 50 victims. It operates without a public affiliate programme, conducting intrusions directly rather than through the Ransomware-as-a-Service model used by most major criminal ransomware groups.

Threat Actor Background: RomCom

Understanding Underground requires understanding RomCom’s broader structure, because the ransomware operation is not separable from the espionage activity.

RomCom has been active since at least 2019, with documented targeting across Ukrainian government organisations, NATO member state governments, defence organisations, and a parallel criminal thread targeting US healthcare and technology companies. The dual criminal/espionage mandate is unusual and significant: it creates ambiguity about whether any given victim was selected for financial extortion, for intelligence value, or both.

The group has demonstrated sophisticated technical capability, including the exploitation of Firefox (CVE-2024-9680) and Windows (CVE-2024-49039) as a zero-day exploit chain in November 2024 — a browser escape chained to a local privilege escalation, enabling code execution with no user interaction beyond visiting a compromised site. This level of technical investment is not typical of a purely criminal ransomware operator; it reflects the intelligence apparatus behind RomCom.

Malware and Technical Profile

RomCom RAT (also called ROMCOM, SnipBot variant): The primary backdoor used in intrusions. Modular, with plugin-based architecture allowing capability expansion post-deployment. Provides remote command execution, file operations, and credential harvesting. SnipBot, a recent variant documented in 2024, added the ability to receive commands via web forms to blend C2 traffic with legitimate web traffic.

PEAPOD (also called RomCom 4.0): A lighter-weight backdoor used for persistence in espionage operations, designed for lower footprint than the full RomCom RAT.

Underground ransomware encryptor: Windows-based, written in C++. Encrypts files and appends a .{group name} extension (varies by configuration). Drops a ransom note readme.txt with payment instructions. Does not include a Linux/ESXi variant as of mid-2026 — attacks against virtualised infrastructure require additional steps to reach VM storage.

Initial access: RomCom’s demonstrated zero-day capability (the Firefox/Windows chain), spear-phishing with malicious documents, and exploitation of public-facing services. The group has shown willingness to invest in sophisticated initial access for high-priority targets.

Targeting Profile

Underground’s victim set is concentrated in several areas:

Government and defence: Consistent with RomCom’s espionage mandate, government agencies and defence-adjacent organisations appear in both the intelligence-targeted intrusions and on the Underground leak site.

Healthcare: US healthcare organisations have been a repeated target. The healthcare sector’s dependence on operational continuity and the presence of sensitive data make it attractive for extortion regardless of any intelligence value. Underground has published patient data on its leak site following non-payment.

Manufacturing and professional services: Consistent with the broader ransomware ecosystem’s targeting of data-rich organisations where operational disruption creates leverage.

Geographic distribution: Predominantly US and European organisations, with some targeting aligned with Russian intelligence priorities (Ukrainian entities, organisations with exposure to NATO affairs).

Operational Characteristics

No public affiliate programme: Underground operates without a RaaS model. Intrusions are conducted by actors working directly with the RomCom infrastructure rather than through a tenant/affiliate relationship. This limits scale compared to RansomHub or Qilin but maintains tighter operational security.

Hybrid espionage-extortion: The inability to cleanly separate the espionage and criminal tracks means that some Underground victims may face continued surveillance even after paying a ransom. Intelligence-priority targets may be of interest to the Russia-linked actors whether or not the ransomware component succeeds. Paying the ransom removes the extortion pressure but does not remove the underlying access.

Dwell time: RomCom operations have historically maintained extended access in victim environments, consistent with intelligence-collection objectives. This longer dwell time, compared to purely criminal affiliates who typically move quickly to encryption, provides more opportunity for defenders to detect lateral movement before the encryptor deploys.

Leak site: Underground maintains a leak site on Tor that publishes stolen data from non-paying victims. The site has been observed publishing samples during active negotiations as a pressure tactic, consistent with double extortion operations across the ransomware ecosystem.

Detection and Response Considerations

Longer dwell time creates more detection windows. RomCom’s intelligence-collection objectives result in patient movement through environments compared to criminal-only affiliates. Hunting for RomCom RAT beaconing, unusual web traffic patterns (SnipBot’s web form C2 is distinctive), and anomalous access to sensitive document repositories may surface the intrusion before the ransomware stage.

Assume dual-purpose. Organisations targeted by Underground should treat any intrusion as potentially dual-purpose. Remediating the ransomware without fully evicting the espionage foothold is a common failure mode. Thorough forensic investigation of all persistence mechanisms, credential access, and data touched is essential.

Patch Firefox and Windows systems. The Firefox/Windows zero-day chain from 2024 (CVE-2024-9680 + CVE-2024-49039) demonstrated the group’s capability for browser-based initial access. Keeping browser and OS software current removes the most readily exploitable initial access vectors.

Watch for post-payment re-access. Given the intelligence mandate, paying a ransom should be followed by a full credential reset, identity audit, and network-level hunting for persistent access. The payment stops the extortion clock; it does not remove a motivated intelligence actor from your environment.

Assessment

Underground occupies an unusual position in the ransomware landscape: a financially productive criminal operation run by threat actors with intelligence objectives and the technical capability to pursue both simultaneously. The hybrid mandate creates analytical complexity — victims cannot assume the criminal rationale explains all of the adversary’s behaviour — and response complexity, since standard ransomware incident response may leave a higher-priority intelligence foothold unaddressed.

With over 50 claimed victims and continuing operations in 2026, Underground remains an active threat, particularly to US and European government, healthcare, and defence-adjacent organisations.

// Related Intelligence
Group Profile

Space Bears: The Data Extortion Group With a Corporate Aesthetic and MSSQL Focus

Group Profile

Termite Ransomware: Group Profile, Babuk Origins, and High-Impact Supply Chain Targeting

Group Profile

Hunters International / World Leaks: From Hive Successor to Pure Extortion