
Casio Suffers Devastating Cyber Attack: Underground Ransomware Leaks Critical Stolen Data

Discover how Casio fell victim to an underground ransomware group, which claims to have stolen sensitive data from the tech giant. Learn about the group’s subsequent data leak and potential repercussions. Stay up-to-date on the latest cybersecurity threats.

We have recently learned that the Underground ransomware gang has taken credit for an attack on Casio, the Japanese tech giant, on October 5. The attack caused disruptions in the company’s systems and affected some of its services.

Earlier this week, Casio acknowledged the attack on its website but did not provide any specifics. Instead, they mentioned that external IT specialists were brought in to determine if any personal data or other confidential information was stolen during the breach.

Now, the Underground ransomware group has posted information on its dark web extortion portal, claiming they have stolen a significant amount of data from Casio.

The stolen data allegedly includes:

  • Confidential documents (marked 社外秘, company-confidential)
  • Legal documents
  • Personal data of employees
  • Confidential NDAs
  • Employee payroll information
  • Patents information
  • Company financial documents
  • Project information
  • Incident reports

If these claims are true, Casio’s workforce and intellectual property have been significantly compromised, potentially harming the company’s business operations.

Casio data leaked on Underground ransomware’s extortion portal
Source: IT Services

We contacted Casio to request a comment on these claims and the data leak, but we have not received any response. As such, we cannot verify the authenticity of the threat actor’s statements at this time.

Underground ransomware: A brief overview

According to a Fortinet report from August 2024, Underground is a relatively small-scale ransomware operation that has been targeting Windows systems since July 2023. The operation is associated with the Russian cybercrime group ‘RomCom’ (Storm-0978), previously known for delivering Cuba ransomware on breached systems.

Fortinet’s report indicates that over the summer, Underground ransomware operators exploited CVE-2023-36884, a remote code execution flaw in Microsoft Office, likely as the initial infection vector. Once a system is breached, the attackers modify the registry so that Remote Desktop sessions are kept alive for 14 days after the user disconnects, giving them ample time to maintain access to the system.

Interestingly, Underground does not append any file extension to encrypted files and is designed to skip file types essential for Windows operation, so the affected system remains bootable and usable. The ransomware also stops the MS SQL Server service to release database files that would otherwise be locked, so they can be stolen and encrypted, maximizing the impact of the attack.

Like most Windows ransomware strains, Underground deletes shadow copies to make data restoration extremely difficult.
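The three post-compromise behaviours described above (the RDP session-timeout registry change, stopping the MS SQL Server service, and deleting shadow copies) are all visible in process-creation telemetry. The following Python detector is an added example, not code from the article or from Fortinet: it scans constructed log lines for those behaviours and, for the registry change, parses the configured timeout to check whether it matches the 14-day window. It assumes that the registry value behind the RDP change is `MaxDisconnectionTime` under the Terminal Services policy key (the standard "time limit for disconnected sessions" setting); the article only says "modify the registry" and does not name the key, so that value name, the command lines and the log format are assumptions.

```python
"""Added example: detect Underground-style post-compromise commands in process logs.

Assumptions (not stated by the article): the RDP timeout is set through the
MaxDisconnectionTime value of the Terminal Services policy key, the MS SQL
service is stopped with net/sc/Stop-Service, and shadow copies are removed
with vssadmin, wmic or the Win32_ShadowCopy WMI class. Log lines are constructed.
"""
import re
from dataclasses import dataclass

# 14 days expressed in milliseconds, the unit MaxDisconnectionTime uses.
FOURTEEN_DAYS_MS = 14 * 24 * 60 * 60 * 1000  # 1209600000


@dataclass
class Finding:
    technique: str   # short rule name
    line_no: int     # 1-based index into the scanned log
    detail: str      # extra context, e.g. the parsed timeout


# (rule name, pattern over the full log line). Case-insensitive on purpose:
# attackers vary casing and the .exe suffix freely.
RULES = [
    ("rdp_session_timeout_tamper",
     re.compile(r"reg(\.exe)?\s+add\s+.*Terminal Services.*MaxDisconnectionTime", re.I)),
    ("mssql_service_stop",
     re.compile(r"(net(\.exe)?\s+stop|sc(\.exe)?\s+stop|Stop-Service).*MSSQL", re.I)),
    ("shadow_copy_deletion",
     re.compile(r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"
                r"|Win32_ShadowCopy.*Delete)", re.I)),
]

# reg.exe passes the DWORD value after /d, decimal or 0x-hex.
DWORD_RE = re.compile(r"/d\s+(0x[0-9a-f]+|\d+)", re.I)

# Constructed sample telemetry (hostnames, users and timestamps are made up).
SAMPLE_LOG = [
    r'2024-10-05T02:11:07Z host=FS01 user=svc_backup cmd="reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v MaxDisconnectionTime /t REG_DWORD /d 1209600000 /f"',
    r'2024-10-05T02:11:09Z host=FS01 user=svc_backup cmd="net stop MSSQLSERVER /y"',
    r'2024-10-05T02:11:12Z host=FS01 user=svc_backup cmd="vssadmin.exe delete shadows /all /quiet"',
    r'2024-10-05T02:13:40Z host=WS17 user=jdoe cmd="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE /n report.docx"',
    r'2024-10-05T02:15:02Z host=DB02 user=dba cmd="net start MSSQLSERVER"',
]


def scan(lines):
    """Return a Finding for every log line that matches one of RULES."""
    findings = []
    for no, line in enumerate(lines, start=1):
        for name, rx in RULES:
            if not rx.search(line):
                continue
            detail = ""
            if name == "rdp_session_timeout_tamper":
                m = DWORD_RE.search(line)
                if m:
                    ms = int(m.group(1), 0)  # base 0 accepts both decimal and 0x-hex
                    detail = f"MaxDisconnectionTime={ms} ms ({ms / 86_400_000:.1f} days)"
                    if ms >= FOURTEEN_DAYS_MS:
                        detail += " -- matches the 14-day window reported for Underground"
            findings.append(Finding(name, no, detail))
    return findings


def techniques_seen(lines):
    """Distinct rule names that fired, in first-seen order (useful for a triage summary)."""
    seen = []
    for f in scan(lines):
        if f.technique not in seen:
            seen.append(f.technique)
    return seen


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.technique} {f.detail}".rstrip())
```

In practice the same rules would be expressed in your EDR or SIEM query language and run over Sysmon Event ID 1 or Windows Security 4688 data; the point of the example is that all three steps leave distinct, easily matched command lines, and that the RDP timeout value itself is worth alerting on when it is unusually long, regardless of which process set it.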

Underground’s ransom note
Source: Fortinet

One unique aspect of Underground’s extortion tactics is that it also leaks stolen data on the Mega file-hosting service, promoting links to the archives hosted there via its Telegram channel. This strategy increases the exposure and availability of the stolen information.

Currently, Underground ransomware’s extortion portal lists 17 victims, with the majority based in the USA.

It remains to be seen whether the Casio attack will serve as the catalyst for the threat group to gain mainstream attention and increase the frequency and scale of its attacks.

As cybersecurity experts, we believe it’s essential for businesses and individuals to stay informed about the latest threats and best practices for protecting their valuable data. We encourage you to contact us and keep coming back to learn more about the ever-evolving world of cybersecurity.
