Security & Compliance Automation Platform
UnderDefense MAXI is the solution to day-to-day cybersecurity problems of IT leaders and teams. It builds your 24/7 business protection together with you on the driver’s seat.
UnderDefense MAXI Platform
UnderDefense Secures Top Honor at the 2025 Global Infosec Awards
We’re proud of being a winner at the 2025 Global Infosec Awards…
10-Point AWS Security Checklist for Executives
Quickly assess your cloud security posture with this executive-ready checklist covering IAM, monitoring, and compliance essentials.
Anti-Phishing Playbook
Your free PDF guide to spotting and stopping phishing attacks before they reach your team or data.
24/7 Threat Detection & MAXImum Responsiveness
Our human-led MDR service combines expert insight and automation and AI for fast, precise threat response. Get full context in 2 minutes and cut MTTC to 15, staying ahead of ransomware and other attacks.
Calculate your MDR price
Pay only for the services you actually need, with no hidden costs.
10-Point AWS Security Checklist for Executives
Quickly assess your cloud security posture with this executive-ready checklist covering IAM, monitoring, and compliance essentials.
Anti-Phishing Playbook
Your free PDF guide to spotting and stopping phishing attacks before they reach your team or data.
Spot threats faster and respond smarter than tools alone
24/7 MDR and SOC services led by award-winning security experts. We act as an extension to your team or as a fully remote team, providing detailed threat insights and actionable responses to secure your environment immediately.
UnderDefense is an AWS Partner
We’re excited to announce that UnderDefense is now an AWS partner and available on AWS Marketplace…
Managed SOC at Your Service
Augment your SOC with 24/7 monitoring, threat detection, and expert response—without the overhead. Integrated with your existing tools, our SOCaaS stops attacks before they cause harm.
Managed SIEM Pricing Guide
Download a clear, practical overview of Managed SIEM pricing, featuring detailed breakdowns by service type, pricing model, real-world pros and cons, and key cost factors.
Managed SOC at Your Service
Augment your SOC with 24/7 monitoring, threat detection, and expert response—without the overhead. Integrated with your existing tools, our SOCaaS stops attacks before they cause harm.
Managed SIEM Pricing Guide
Download a clear, practical overview of Managed SIEM pricing, featuring detailed breakdowns by service type, pricing model, real-world pros and cons, and key cost factors.
Belsen Group ransomware recovery team on standby
Belsen Group made an immediate impact in early 2025 by freely distributing a dataset of 15,000 FortiGate firewall configurations — including credentials and firewall rules — harvested via CVE-2022-40684. Isolate affected systems and contact UnderDefense immediately — if your FortiGate devices are in that dataset, your network may already be compromised.
Average Mttc
Ransom-Free recovery rate
Avoided in ransom
Global availability
Systems restored
IR experts
Ransomware cases resolved
IR experience
Do NOT attempt any self-remediation, as it can trigger further encryption and destroy recovery points. Instead, follow these steps:
Contact us now for urgent ransomware response assistance, 24/7
Get Help Now
Accomplishments and recognitions, demonstrating our commitment to excellence and innovation.
Momentum Leader in MDR
Best Support in MDR & IR
Managed Detection and Response (MDR)
Top Cybersecurity Company 2025
Best Managed Detection and Response Service
#4 of 184 teams Splunk Boss of the SOC
Best Of Cybersecurity Awards for Q1 2025
AWS Partner
Splunk Manage Premier Partner
Like a crime scene, a ransomware attack must be preserved — tampering with encrypted files, attempting self-recovery, or engaging with attackers can destroy critical evidence and reduce your chances of recovery.
Taking the right steps in the first moments after a Belsen Group attack can make a huge difference and help you make a full recovery. Request 24/7 Belsen Group ransomware recovery services to decrypt your data and maximize your chances of restoring operations.
Belsen Group infections (when encryption occurs) display .belsen extension and ransom notes named BELSEN_NOTICE.txt. However, the group’s primary methodology focuses on data exfiltration and sale/publication rather than traditional ransomware encryption. Initial compromise traces to unpatched FortiGate VPN devices (CVE-2022-40684) and internet-facing services.
AES-256-GCM when encryption deployed, but often skipped entirely in favor of pure data extortion.
Hybrid extortion group: acquires stolen data (likely from CVE-2022-40684 exploitation or purchases from access brokers), publishes subsets for leverage, demands ransom for complete removal. Data appears to be accumulated rather than freshly obtained per target.
Pure data extortion: publishes corporate configurations, credentials, internal documentation. Threatens ongoing public release and sale to third parties. Ransom for "permanent" data destruction, though verification difficult.
Network infrastructure-focused: FortiGate firewalls, VPN configurations. Enterprise network topology data exfiltrated.
BELSEN_NOTICE.txt (when deployed) with Tor contact URL. Standard extortion language with emphasis on network infrastructure sensitivity.
Minimal encryption deployed; recovery focuses on access elimination.
File Extensions
.belsen (rare; data exfiltration-focused)
Ransom Note Filenames
BELSEN_NOTICE.txt, BELSEN_DATA_SEIZED.txt
Belsen Hashes
Limited malware samples available; group primarily uses stolen data as leverage.
Belsen Tools
– Credential Dumping: FortiGate credential extraction
– Data Acquisition: CVE-2022-40684 exploitation, stolen data purchases
– Exfiltration: FTP, SSH tunnels, cloud storage
– Lateral Movement: Primarily unnecessary (focuses on stolen data leverage)
– Malware: Limited custom malware development observed
Most Common Red Flag
FortiGate configuration file appearance on dark web or underground forums, leaked firewall admin credentials, VPN encryption keys published on data sites.
Attack vector | % of Belsen incidents | Notes |
CVE-2022-40684 Exploitation | 70% | Historical FortiGate compromise data |
Stolen Data Acquisition | 20% | Purchased from access brokers |
Internet-Facing Services | 10% | Direct network reconnaissance |
15,000 FortiGate configs leaked (2022 incident data). Approximately 30+ organizations directly threatened via leaked infrastructure data. Ransom demands: $50K–$1M. Payment rate: 15–25% (skepticism due to continued publication despite payment). Multiple victims reported ongoing data publication regardless of ransom.
Belsen primarily extorts via stolen data, not encryption. Remove impact: 1) Revoke all exposed credentials, 2) Regenerate FortiGate encryption keys, 3) Implement network segmentation, 4) Deploy enhanced VPN monitoring, 5) Rotate all system credentials post-incident.
Recovery priorities: 1) Assume all exposed credentials compromised; revoke immediately, 2) Assess what infrastructure data was leaked (which systems, topology), 3) Monitor for subsequent attacks leveraging leaked configurations, 4) Implement threat intelligence monitoring for further data publication, 5) Engage law enforcement for stolen data tracking.
Documented demands: $50,000–$1,000,000. Average settlement: $150,000–$300,000. Payment reliability: low (continued publication reported despite payment).
10 reasons why you should choose the UnderDefense ransomware recovery consulting services:
Get Help NowBelsen Group is an emerging extortion operation (early 2025) focusing on stolen network infrastructure data, particularly FortiGate firewall configurations. The group leverages the 2022 CVE-2022-40684 breach (15,000 leaked configs) and appears to have acquired or compiled extensive stolen infrastructure data from multiple sources.
Threat intelligence suggests Belsen primarily leverages data from 2022 CVE-2022-40684 exploitation and purchased/compiled stolen data rather than conducting fresh attacks. Some configs appear 2–3 years old, indicating accumulated stolen data monetization strategy.
FortiGate VPN appliances are critical network chokepoints. Leaked configurations expose internal network topology, VPN user accounts, and encryption details. This data enables follow-on attacks (lateral movement, targeting specific systems). Infrastructure data is high-value to competitors and nation-states.
CVE-2022-40684: authentication bypass in FortiGate VPN devices allowing unauthenticated admin access. Exploitation by threat actors in 2022 compromised thousands of devices. Belsen appears to leverage configs stolen during this period (or purchased from those who exploited it).
Decryption rarely necessary; Belsen focuses on data extortion not encryption. Primary recovery requires credential rotation and infrastructure re-hardening rather than decryption.
Belsen publishes leaked FortiGate configs on underground forums, potentially enabling direct attacker access. Competitors may purchase data for intelligence. Some victims reported continued publication despite ransom payment, suggesting unreliable agreements.
1) Immediately patch all FortiGate devices (prioritize CVE-2022-40684); 2) Audit and revoke all VPN user accounts; 3) Regenerate FortiGate encryption certificates; 4) Implement MFA on all VPN access; 5) Deploy network segmentation limiting VPN access to critical systems; 6) Monitor dark web for leaked infrastructure data; 7) Implement EDR on systems accessing VPN.
1) Assume all network topology, credentials, and configurations are compromised; 2) Revoke all exposed credentials immediately; 3) Regenerate encryption keys and certificates; 4) Notify law enforcement (FBI) and security teams; 5) Monitor for follow-on attacks leveraging exposed infrastructure data; 6) Implement threat intelligence alerts for continued data publication; 7) Deploy enhanced monitoring on all systems mentioned in leaked configs; 8) Post-incident, conduct comprehensive network audit and hardening; 9) Review access logs for evidence of VPN compromise duration; 10) Monitor competitive intelligence channels for data acquisition.
Traditional data breaches (customer records, financials) enable fraud or regulatory fines. Infrastructure data (network topology, VPN configs, encryption keys) enables direct attacker access to critical systems. A competitor purchasing leaked infrastructure data gains complete network access, making infrastructure extortion extraordinarily high-leverage.
Belsen operates primarily on stolen data monetization rather than fresh victim targeting. The group appears to be data broker-adjacent, accumulating and reselling network infrastructure data rather than conducting custom attacks. This suggests lower operational overhead but higher data risk for affected organizations.