Casio faces alleged ransomware attack from the Underground gang

October 14, 2024

The Underground ransomware gang claimed responsibility for the attack on Casio earlier this month. Based on reports, the cyberattack has caused system interruptions and disrupted some of the Japanese tech company’s services.

Casio confirmed this attack last week but did not disclose further details. It also stated that it had already contacted a third-party security provider to check whether personal data or other data had been stolen.

The Underground ransomware group exposed some alleged data on its extortion site.

The Underground ransomware gang included Casio in its victims’ list on its dark web extortion domain. Additionally, this threat group released massive amounts of data allegedly stolen from the Japanese company, such as confidential documents, employee payroll information, patent information, company financial documents, legal documents, personal information of employees, confidential NDAs, project information, and incident reports.

Researchers believe the compromised data, if legitimate, could affect Casio's staff and intellectual property. Still, the threat group's allegations remain unverified, since Casio has not yet confirmed the group's claims in response to any inquiry.

Since July last year, the Underground ransomware group has been conducting a relatively small-scale operation targeting Windows PCs. In addition, various research has linked this ransomware to the Russian cybercriminal operation dubbed RomCom.

Further reports also stated that the Underground ransomware operators recently exploited the CVE-2023-36884 RCE flaw in Microsoft Office, which they most likely used as an infection vector. Once the attackers compromise a targeted machine using the RCE bug, they modify the registry so that Remote Desktop sessions remain active for 14 days after the user disconnects.

This tactic allows them to establish persistence on the device and retain continuous access to the system. Notably, the Underground ransomware does not append a file extension to the files it encrypts, and it skips the file types required for Windows to operate so that the system is not rendered unusable.

It also stops the MS SQL Server service, which releases database files for theft and encryption and increases the attack's impact. Like most ransomware, this variant deletes shadow copies, hindering straightforward data restoration.
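The three host-level behaviours described above (the registry change that keeps RDP sessions alive for 14 days, shadow copy deletion, and stopping the MS SQL service) are the kind of signals a defender can hunt for in endpoint telemetry. The script below is an added example, not code from the article or from any vendor report; it runs a simple rule set over constructed, Sysmon-like sample events. The registry value name `MaxDisconnectionTime` is an assumption on my part, since the article only says the operators change the registry to keep sessions active for 14 days.

```python
import re

# Assumption: the article does not name the registry value, only that RDP
# sessions are kept alive for 14 days after disconnect. MaxDisconnectionTime
# (milliseconds) is the Terminal Services policy value that controls this.
RDP_TIMEOUT_VALUE = "MaxDisconnectionTime"
FOURTEEN_DAYS_MS = 14 * 24 * 60 * 60 * 1000  # 1,209,600,000 ms

# Shadow copy deletion and MS SQL service stops, both described in the article.
SHADOW_DELETE = re.compile(
    r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)
MSSQL_STOP = re.compile(r"\b(net|sc)(\.exe)?\s+stop\s+\"?MSSQL", re.I)

# Constructed sample events in a simplified Sysmon-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "process", "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "registry", "key": r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",
     "value": "MaxDisconnectionTime", "data": 1209600000},
    {"type": "process", "cmd": "net stop MSSQLSERVER /y"},
    {"type": "process", "cmd": "notepad.exe C:\\Users\\alice\\notes.txt"},
    {"type": "registry", "key": r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",
     "value": "MaxDisconnectionTime", "data": 3600000},  # one hour: ordinary policy, not flagged
]


def check_event(event, rdp_threshold_ms=FOURTEEN_DAYS_MS):
    """Return finding labels for one event; an empty list means nothing matched."""
    findings = []
    if event["type"] == "registry":
        # Flag only disconnect timeouts at or beyond the 14-day window the article reports.
        if (event["value"].lower() == RDP_TIMEOUT_VALUE.lower()
                and event["data"] >= rdp_threshold_ms):
            findings.append("rdp_session_kept_alive")
    elif event["type"] == "process":
        cmd = event["cmd"]
        if SHADOW_DELETE.search(cmd):
            findings.append("shadow_copy_deletion")
        if MSSQL_STOP.search(cmd):
            findings.append("mssql_service_stopped")
    return findings


def scan(events):
    """Run check_event over a list of events and collect (index, label) pairs."""
    return [(i, label) for i, ev in enumerate(events) for label in check_event(ev)]


if __name__ == "__main__":
    for i, label in scan(SAMPLE_EVENTS):
        print(f"event {i}: {label}")
```

Any one of these rules alone is noisy (administrators do stop SQL services and tune RDP timeouts), so in practice they are most useful correlated on the same host within a short window.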

As of now, the Underground ransomware's extortion portal lists 17 victims, most of them in the US. Companies and individuals listed on the extortion portal should therefore be wary of their digital presence, as the leaked data exposes them to further malicious activity.
