team underground

Ransomware group profile

3Victims

RussiaSource country

73Impact score

Also Known As

Underground

TeamUnderground

Description

Team Underground is a sophisticated ransomware group known for its high-profile attacks on various industries since 2023. They utilize advanced encryption techniques and a dual-extortion model, threatening both data encryption and public exposure of sensitive information to extract ransoms. Operated primarily from Russia, they have been linked to significant financial losses for their victims.

Key insights

•Employs advanced encryption techniques and a dual-extortion model to maximize ransom payments.
•Targets critical sectors, including healthcare, logistics, and manufacturing, especially during vulnerabilities like the COVID-19 pandemic.
•Utilizes phishing attacks, exploitation of vulnerabilities, and Initial Access Brokers to gain entry into networks.
•Conducts operations that include both locking data and threatening to leak sensitive information if ransoms are not paid.
•Uses a custom-developed ransomware executable and complex obfuscation techniques to evade detection.

Industries

Education Energy & Utilities Financial Services Government & Defense Healthcare Manufacturing Other Retail & E-Commerce Technology Transportation

Threat Level & Status Breakdown

For team underground · Based on incidents in selected period

0.3threat level

Aggressiveness0.8/ 10

Lethality0/ 10

Criticality0/ 10

Status Breakdown

Claimed100.0%3

First seenJun 2025

Last seenAug 2025

Avg ransom—

Payment rate—

Statusactive

Sophistication0

Last updatedJun 2, 2026

Recent activity

Monthly attack count for team underground in the selected period

3Total attacks

2peak in Aug

1.5avg / month

↑ 1 vs first month

Intelligence

IOCs, YARA/Sigma rules, and related families for team underground

2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2
22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6
2c323453e959257c7aa86dc180bb3aaaa5c5ec06fa4e72b632d9e4b817052009

View full IOC feed35 total

TTPs & Attack Vectors

Tools, initial access, and MITRE ATT&CK techniques for team underground

CVE-2023-36884

Other

T1486

T1490

T1078

T1562

T1059

T1010

T1021

T1021.001

T1547

T1203

T1036

T1080

Victims(3)

Company	Domain	Country	Industry	Status	Discovered
SFA Engineering	—	—	Technology	Claimed	10 months ago
Sfa	sfa.co.kr	KR South Korea	Technology	Claimed	10 months ago
GMORS Co., Ltd	—	—	Manufacturing	Claimed	11 months ago

Affected countries(21)

Countries where this group has been reported to target or leak victims.