
Ransomware Attacks in Ukraine Traced Back to Russian Sandworm Hackers

A new ransomware attack against a Ukrainian organization first spotted last week can be traced back to the notorious Russian military threat group Sandworm.

RansomBoggs ransomware was found on the networks of various Ukrainian organizations, according to researchers from the Slovak software company ESET, who first identified this wave of attacks.

The malware, written in .NET, is new, but its deployment is similar to previous attacks by Sandworm (…). There are similarities with previous attacks carried out by Sandworm. The PowerShell script used to deploy the .NET ransomware on domain controllers is virtually identical to the one we saw when Industroyer2 attacked the energy sector last April.


The gang uses a Monsters, Inc. alias to sign the ransom note

The “POWERGAP” PowerShell script used to distribute the RansomBoggs payload across victims’ networks was also responsible for distributing the CaddyWiper destructive malware in an attack against Ukrainian organizations last March, according to BleepingComputer.

RansomBoggs encrypts files with AES-256 in CBC mode using a randomly generated key, which is itself RSA-encrypted and written to aes.bin, and appends a .chsch extension to every encrypted file across the victim’s network.

The RSA public key can either be hardcoded into the malware or passed as a command-line argument, depending on the variant. The ransomware references the film Monsters, Inc.: the ransom note left on an encrypted device is written in the name of the film’s protagonist, James P. Sullivan.
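The two file artifacts the article names, the appended .chsch extension and the RSA-wrapped AES key dropped as aes.bin, are what an incident responder sees first on an affected host. The triage script below is an added example, not ESET's or BleepingComputer's code: it walks a directory tree, counts .chsch files, and inspects every aes.bin it finds. Because the AES key in aes.bin is RSA-encrypted, the blob is useless for recovery without the attacker's private key, and the check reflects that by expecting one RSA block (128/256/512 bytes, an assumption about the key size) of near-8-bit-per-byte entropy. The sample tree, the file names and contents, and the entropy threshold are all constructed for illustration.

```python
"""Triage helper for the RansomBoggs file artifacts (added example).

Assumes only what the article states: encrypted files carry a ".chsch"
extension and the RSA-wrapped AES key is written to "aes.bin". The sample
tree, RSA block sizes and entropy threshold are assumptions for illustration.
"""
import math
import os
import tempfile
from collections import Counter

ENCRYPTED_EXT = ".chsch"   # extension the article says RansomBoggs appends
KEY_FILE_NAME = "aes.bin"  # file the RSA-encrypted AES key is written to
# Assumption: a wrapped 256-bit AES key occupies one RSA block, i.e. 128, 256
# or 512 bytes for a 1024/2048/4096-bit modulus. Ciphertext bytes are close to
# uniformly distributed, so ~8 bits of entropy per byte; text sits around 4-5.
RSA_BLOCK_SIZES = {128, 256, 512}
HIGH_ENTROPY_BITS = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for an empty blob)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage(root: str) -> dict:
    """Walk `root` and summarise the RansomBoggs indicators found there.

    Returns the number of .chsch files, their paths relative to `root`, and
    one finding per aes.bin with its size, entropy and whether it looks like a
    genuine RSA-wrapped key (right size and high entropy) or a decoy.
    """
    encrypted = []
    key_findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name.endswith(ENCRYPTED_EXT):
                encrypted.append(rel)
            elif name == KEY_FILE_NAME:
                with open(path, "rb") as fh:
                    blob = fh.read()
                entropy = shannon_entropy(blob)
                key_findings.append({
                    "path": rel,
                    "size": len(blob),
                    "entropy": round(entropy, 2),
                    "looks_rsa_wrapped": (len(blob) in RSA_BLOCK_SIZES
                                          and entropy >= HIGH_ENTROPY_BITS),
                })
    key_findings.sort(key=lambda f: f["path"])
    return {
        "encrypted_file_count": len(encrypted),
        "encrypted_files": sorted(encrypted),
        "key_files": key_findings,
    }


def build_sample_tree(root: str) -> None:
    """Create a CONSTRUCTED sample tree; nothing here is a real capture."""
    os.makedirs(os.path.join(root, "finance"))
    os.makedirs(os.path.join(root, "hr"))
    # Stand-in for ciphertext: every byte value once gives exactly 8.0 bits.
    fake_ciphertext = bytes(range(256))
    for name in ("Q3-report.xlsx.chsch", "budget.docx.chsch"):
        with open(os.path.join(root, "finance", name), "wb") as fh:
            fh.write(fake_ciphertext)
    with open(os.path.join(root, "finance", "README.txt"), "w") as fh:
        fh.write("untouched plaintext document\n")
    # Stand-in for the RSA-2048-wrapped key: one 256-byte high-entropy block.
    with open(os.path.join(root, KEY_FILE_NAME), "wb") as fh:
        fh.write(fake_ciphertext)
    # A decoy with the same name but wrong size and low entropy.
    with open(os.path.join(root, "hr", KEY_FILE_NAME), "wb") as fh:
        fh.write(b"not a key")


def demo() -> dict:
    """Build the constructed tree in a temp dir and triage it."""
    root = tempfile.mkdtemp(prefix="ransomboggs_triage_")
    build_sample_tree(root)
    return triage(root)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Run it as a script to see the summary for the constructed tree; pointed at a real mount, `triage()` gives a quick count of affected files and tells you whether the aes.bin on the host is the wrapped key (recoverable only with the attacker's private key) or something else.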


Since October, transport and logistics organizations in Ukraine and Poland have been the target of Prestige ransomware attacks, and earlier this month Microsoft linked those attacks to the Sandworm cyberespionage group (tracked by Redmond as IRIDIUM).

According to Microsoft Security Threat Intelligence (MSTIC), “The Prestige campaign can highlight the calculated shift in IRIDIUM’s devastating attack calculations.” This implies greater risk for organizations providing or transporting assistance to Ukraine, and more broadly a threat to Eastern European groups that the Russian government sees as supporting the conflict.

20 years of history

Bleeping Computer explained that the elite Russian hacking group, which has been active for at least 20 years, may be part of Unit 74455 of the Main Center for Special Technologies (GTsST) of Russia’s GRU. It has been linked to the KillDisk wiper attack on Ukrainian banks and to the 2015-2016 Ukraine power grid blackouts.

Sandworm is also suspected of developing the June 2017 NotPetya malware. In October 2020, the U.S. Department of Justice indicted six members of the group for orchestrating hacking operations related to the NotPetya attack, the 2018 PyeongChang Winter Olympics, and the 2017 French elections.
