Kyung Chang Industrial Targeted: A Closer Look at the Ransomware Attack

Incident Date: May 4, 2024


Kyung Chang Industrial


Underground Team


Daegu, South Korea


First Reported: May 4, 2024

Ransomware Attack on Kyung Chang Industrial by Underground Team

Company Profile: Kyung Chang Industrial

Kyung Chang Industrial Co., Ltd., established in October 1961, is a prominent player in the global automotive supply chain, specializing in the manufacturing of automotive drivetrain and chassis parts. With a workforce of 1,470 employees and annual sales reaching 588.7 billion Korean Won (434 M USD), the company stands out due to its extensive product range and significant market presence. Kyung Chang Industrial is a key supplier to major automotive manufacturers like Hyundai Motor Company, Kia Motors, and GM Korea. The company's commitment to quality and environmental management is underscored by its certifications in ISO9002, QS9000, TS16949, and ISO14001.

Details of the Ransomware Attack

The cyberattack on Kyung Chang Industrial was orchestrated by a group known as the Underground Team, using a sophisticated ransomware strain. The attack resulted in the exfiltration of approximately 1.8 terabytes of sensitive data, including private documents, financial records, and personal information of employees. Notably, the attackers did not specify a ransom demand; the emphasis was on the scale of the data breach, which affects the company's operational and financial confidentiality.

Technical Profile of Underground Team Ransomware

The Underground Team ransomware is a 64-bit, GUI-based application known for its aggressive tactics, including deleting backups, modifying registry settings, and halting critical services such as MSSQLSERVER. It uses API functions to identify system volumes and deploys its payload across multiple system folders, encrypting files while avoiding certain filenames, extensions, and directories to remain undetected.
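The three behaviours in this profile (backup deletion, service stops, registry changes) are individually common in normal administration, so a detection is more useful when it correlates them per host within a short time window. The following is an added example, not code from the original report: the command-line patterns, host names, log format, and the five-minute window are assumptions, and the sample events are constructed.

```python
import re
from datetime import datetime, timedelta

# Behaviour categories come from the profile above; the command patterns are
# assumptions (common Windows utilities), not indicators taken from the page.
PATTERNS = {
    "backup_deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wbadmin(\.exe)?\s+delete", re.I),
    "service_stop": re.compile(r"\b(net1?|sc)(\.exe)?\s+stop\s+\S*MSSQLSERVER", re.I),
    "registry_change": re.compile(r"\breg(\.exe)?\s+(add|delete)\b", re.I),
}

# Constructed sample events: "ISO timestamp|host|command line"
SAMPLE_EVENTS = """\
2024-01-15T02:10:03|FIN-SRV01|vssadmin.exe delete shadows /all /quiet
2024-01-15T02:10:41|FIN-SRV01|net.exe stop MSSQLSERVER /y
2024-01-15T02:11:15|FIN-SRV01|reg.exe add HKLM\\SOFTWARE\\Example /v Flag /t REG_DWORD /d 1 /f
2024-01-15T09:00:00|DBA-WS07|net.exe stop MSSQLSERVER
2024-01-15T14:30:00|DBA-WS07|reg.exe add HKCU\\Software\\Example /v Theme /d dark /f
2024-01-15T10:15:00|HR-WS12|notepad.exe report.txt
"""

def parse(text):
    """Yield (time, host, category) for each line matching a category."""
    for line in filter(str.strip, text.splitlines()):
        ts, host, cmd = line.split("|", 2)
        for name, rx in PATTERNS.items():
            if rx.search(cmd):
                yield datetime.fromisoformat(ts), host, name
                break

def detect(text, window=timedelta(minutes=5), min_categories=2):
    """Map host -> categories that occurred together inside one window."""
    by_host = {}
    for when, host, cat in sorted(parse(text)):
        by_host.setdefault(host, []).append((when, cat))
    alerts = {}
    for host, hits in by_host.items():
        for start, _ in hits:
            cats = {c for t, c in hits if timedelta(0) <= t - start <= window}
            if len(cats) >= min_categories and len(cats) > len(alerts.get(host, ())):
                alerts[host] = sorted(cats)
    return alerts

if __name__ == "__main__":
    for host, cats in detect(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(cats)}")
```

On the sample data only FIN-SRV01 alerts; DBA-WS07 performs two of the same actions hours apart, which is what the window is meant to exclude.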

Infection Vector and System Penetration

The likely vector for the ransomware's entry into Kyung Chang Industrial’s systems was through social engineering tactics, possibly involving phishing emails with malicious attachments or links to compromised websites. These emails were presumably crafted to appear legitimate, enticing employees to inadvertently initiate the ransomware. This method highlights the importance of robust cybersecurity training and awareness among staff as a critical defense mechanism against such threats.

