New ransomware attacks targeting organizations in Ukraine first detected this Monday have been linked to the notorious Russian military threat group Sandworm.
Slovak software company ESET who first spotted this wave of attacks, says the ransomware they named RansomBoggs has been found on the networks of multiple Ukrainian organizations.
“While the malware written in .NET is new, its deployment is similar to previous attacks attributed to Sandworm,” ESET’s Research Labs said.
“There are similarities with previous attacks conducted by Sandworm: a PowerShell script used to distribute the .NET ransomware from the domain controller is almost identical to the one seen last April during the Industroyer2 attacks against the energy sector.”
The PowerShell script used to deploy RansomBoggs payloads on the victims’ networks is known as POWERGAP and was also behind the delivery of CaddyWiper destructive malware in attacks against Ukrainian orgs in March.
Once pushed across a victim’s network, RansomBoggs encrypts files using AES-256 in CBC mode using a random key (randomly generated, RSA encrypted, and written to aes.bin), and it appends a .chsch extension to all encrypted files extension.
Depending on the variant used in the attack, the RSA public key can be hardcoded in the malware itself or provided as an argument.
On encrypted systems, the ransomware also drops ransom notes impersonating James P. Sullivan, the main character of the Monsters Inc movie, with further references also found within the malware’s code.
Earlier this month, Microsoft also linked the Sandworm cyber-espionage group (tracked by Redmond as IRIDIUM) to Prestige ransomware attacks targeting transportation and logistics companies in Ukraine and Poland since October.
“The Prestige campaign may highlight a measured shift in IRIDIUM’s destructive attack calculus, signaling increased risk to organizations directly supplying or transporting humanitarian or military assistance to Ukraine,” MSTIC said.
“More broadly, it may represent an increased risk to organizations in Eastern Europe that may be considered by the Russian state to be providing support relating to the war.”
In February, a joint security advisory issued by U.S. and U.K. cybersecurity agencies also pinned the Cyclops Blink botnet on the Russian military threat group before its disruption, preventing its use in the wild.
Sandworm is a group of elite Russian hackers active for at least two decades believed to be part of Unit 74455 of the Russian GRU’s Main Center for Special Technologies (GTsST).
They have been previously linked to attacks leading to the KillDisk wiper attacks targeting banks in Ukraine and the Ukrainian blackouts of 2015 and 2016 [1, 2, 3].
Sandworm is also believed to have developed the NotPetya ransomware that caused billions of damage starting in June 2017.
The U.S. Department of Justice charged six of the group’s operatives in October 2020 with coordinating hacking operations linked to the NotPetya ransomware attack, the PyeongChang 2018 Olympic Winter Games, as well as the 2017 French elections.
