Several Ukrainian organizations were hit by Russia-based RansomBoggs Ransomware in the last week, ESET reports.
Researchers from ESET observed multiple attacks involving a new family of ransomware, tracked as RansomBoggs ransomware, against Ukrainian organizations.
The security firm first detected the attacks on November 21 and immediately alerted the CERT US. The ransomware is written in .NET and experts noticed that deployment is similar to previous attacks attributed to the Russia-linked Sandworm APT group.
On November 21st #ESETResearch detected and alerted @_CERT_UA of a wave of ransomware we named #RansomBoggs, deployed in multiple organizations in Ukraine. While the malware written in .NET is new, its deployment is similar to previous attacks attributed to #Sandworm. 1/9 pic.twitter.com/WyxzCZSz84
— ESET research (@ESETresearch) November 25, 2022
Sandworm (aka BlackEnergy and TeleBots) has been active since 2000, it operates under the control of Unit 74455 of the Russian GRU’s Main Center for Special Technologies (GTsST).
The group is also the author of the NotPetya ransomware that hit hundreds of companies worldwide in June 2017, causing billions worth of damage.
In April, Sandworm targeted energy facilities in Ukraine with a new strain of the Industroyer ICS malware (INDUSTROYER2) and a new version of the CaddyWiper wiper.
The APT hacking group is believed to have been behind numerous attacks this year, including an attack on Ukrainian energy infrastructure and the deployment of a persistent botnet called “Cyclops Blink” dismantled by the US government in April.
From August 2022, Recorded Future researchers observed a rise in command and control (C2) infrastructure used by Sandworm (tracked by Ukraine’s CERT-UA as UAC-0113).
In September 2022, Sandworm has been observed impersonating telecommunication providers to target Ukrainian entities with malware.
The analysis of the RansomBoggs Ransomware code revealed that the authors make multiple references to the Pixar movie Monsters, Inc. The ransom note, SullivanDecryptsYourFiles.txt, shows the authors impersonating the main character of the movie James P. Sullivan and the executable file is also named Sullivan.<version?>.exe .
Threat actors used a PowerShell script to spread the ransomware, the experts noticed that it is almost identical to the script detected in April during the Industroyer2 attacks against the energy sector
There are similarities with previous attacks conducted by #Sandworm: a PowerShell script used to distribute the .NET ransomware from the domain controller is almost identical to the one seen last April during the #Industroyer2 attacks against the energy sector. 4/9 pic.twitter.com/fdh6A2FCXk
— ESET research (@ESETresearch) November 25, 2022
The PowerShell script was tracked by CERT UA as POWERGAP and was used to deploy the CaddyWiper wiper in April attacks against Ukrainian entities.
RansomBoggs encrypts files using AES-256 in CBC mode and appends the .chsch extension to the encrypted files. The key is then RSA encrypted and written to aes.bin.
In some of the variants analyzed by ESET, the RSA public key was hardcoded, while in other samples it was provided as an argument.
In October, Microsoft reported a similar campaign targeting entities in Ukraine and Poland with ransomware called Prestige and attributed the attacks to Sandworm.
ESET also shared Indicators of Compromise (IoCs) for RansomBoggs ransomware.
IoCs:
F4D1C047923B9D10031BB709AABF1A250AB0AAA2
021308C361C8DE7C38EF135BC3B53439EB4DA0B4
ESET Detection names:
MSIL/Filecoder.Sullivan.A
MSIL/Filecoder.RansomBoggs.A
9/9
— ESET research (@ESETresearch) November 25, 2022
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, RansomBoggs ransomware)
The post RansomBoggs Ransomware hit several Ukrainian entities, experts attribute it to Russia appeared first on Security Affairs.
Leer másSecurity Affairs
Views: 0