New ransomware attacks in Ukraine linked to Russian Sandworm hackers

New ransomware attacks targeting organizations in Ukraine first detected this Monday have been linked to the notorious Russian military threat group Sandworm.

Slovak software company ESET, which first spotted this wave of attacks, says the ransomware it named RansomBoggs has been found on the networks of multiple Ukrainian organizations.

“While the malware written in .NET is new, its deployment is similar to previous attacks attributed to Sandworm,” ESET’s Research Labs said.

“There are similarities with previous attacks conducted by Sandworm: a PowerShell script used to distribute the .NET ransomware from the domain controller is almost identical to the one seen last April during the Industroyer2 attacks against the energy sector.”

The PowerShell script used to deploy RansomBoggs payloads on the victims’ networks is known as POWERGAP and was also behind the delivery of CaddyWiper destructive malware in attacks against Ukrainian orgs in March.

Once pushed across a victim’s network, RansomBoggs encrypts files with AES-256 in CBC mode using a randomly generated key, which is itself RSA-encrypted and written to a file named aes.bin. It then appends a .chsch extension to every encrypted file, leaving the original extension in place.

Depending on the variant used in the attack, the RSA public key can be hardcoded in the malware itself or provided as an argument.
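The two file-system artifacts described above (the appended .chsch extension and the aes.bin blob holding the RSA-wrapped AES key) are what a responder would sweep a host for first. The following is an added triage example, not tooling from ESET or from the article; the directory layout and file names it builds are constructed sample data, and the scanner only reports matches, it does not touch file contents.

```python
"""Hunt a directory tree for the two file-system artifacts ESET attributes to
RansomBoggs: files renamed with a trailing ".chsch" and the "aes.bin" blob that
holds the RSA-wrapped AES key.  Example code, not ESET's or anyone else's tooling."""
from __future__ import annotations

import os
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

ENCRYPTED_EXTENSION = ".chsch"  # appended to every encrypted file (per ESET)
KEY_BLOB_NAME = "aes.bin"       # RSA-encrypted AES-256 key written by the malware (per ESET)


@dataclass
class ScanResult:
    encrypted_files: list[str] = field(default_factory=list)
    key_blobs: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        """Either indicator alone is enough to open an incident."""
        return bool(self.encrypted_files or self.key_blobs)


def original_name(encrypted_name: str) -> str:
    """Recover the pre-encryption filename.  The malware appends its extension
    rather than replacing the real one, so "report.docx.chsch" -> "report.docx"."""
    if encrypted_name.lower().endswith(ENCRYPTED_EXTENSION):
        return encrypted_name[: -len(ENCRYPTED_EXTENSION)]
    return encrypted_name


def scan_tree(root: str | os.PathLike) -> ScanResult:
    """Walk `root` and collect paths matching either indicator.  Symlinks are
    not followed, so a planted link cannot drag the sweep outside the tree."""
    result = ScanResult()
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = str(Path(dirpath) / name)
            if name.lower().endswith(ENCRYPTED_EXTENSION):
                result.encrypted_files.append(path)
            elif name.lower() == KEY_BLOB_NAME:
                result.key_blobs.append(path)
    return result


def build_sample_tree(infected: bool = True) -> str:
    """Create a throwaway directory of constructed sample files so the scanner
    can be exercised offline.  Nothing here is real victim data."""
    root = tempfile.mkdtemp(prefix="ransomboggs-demo-")
    docs = Path(root) / "Finance"
    docs.mkdir()
    (docs / "readme.txt").write_text("clean file, should not be flagged\n")
    if infected:
        # Constructed names: a real victim file keeps its own name plus ".chsch".
        (docs / "Q3-report.docx.chsch").write_bytes(b"\x00" * 64)
        (docs / "budget.xlsx.chsch").write_bytes(b"\x00" * 64)
        (Path(root) / "aes.bin").write_bytes(b"\x00" * 256)  # placeholder blob
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    found = scan_tree(sample)
    print(f"{len(found.encrypted_files)} encrypted file(s), "
          f"{len(found.key_blobs)} key blob(s) under {sample}")
    for p in found.encrypted_files:
        print(f"  {p}  (was {original_name(Path(p).name)})")
```

In a real sweep you would point `scan_tree` at the file shares and user profiles reached from the domain controller the PowerShell stager ran on, and preserve any aes.bin you find: it is the RSA-wrapped key material, and its loss rules out recovery should the matching private key ever become available.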

On encrypted systems, the ransomware also drops ransom notes impersonating James P. Sullivan, the main character of the Monsters Inc movie, with further references also found within the malware’s code.

Earlier this month, Microsoft also linked the Sandworm cyber-espionage group (tracked by Redmond as IRIDIUM) to Prestige ransomware attacks targeting transportation and logistics companies in Ukraine and Poland since October.

“The Prestige campaign may highlight a measured shift in IRIDIUM’s destructive attack calculus, signaling increased risk to organizations directly supplying or transporting humanitarian or military assistance to Ukraine,” MSTIC said.

“More broadly, it may represent an increased risk to organizations in Eastern Europe that may be considered by the Russian state to be providing support relating to the war.”

In February, a joint security advisory issued by U.S. and U.K. cybersecurity agencies also pinned the Cyclops Blink botnet on the Russian military threat group before its disruption, preventing its use in the wild.

Sandworm is a group of elite Russian hackers active for at least two decades believed to be part of Unit 74455 of the Russian GRU’s Main Center for Special Technologies (GTsST).

They have previously been linked to the KillDisk wiper attacks targeting banks in Ukraine and to the Ukrainian blackouts of 2015 and 2016.

Sandworm is also believed to have developed the NotPetya ransomware, which caused billions of dollars in damage starting in June 2017.

The U.S. Department of Justice charged six of the group’s operatives in October 2020 with coordinating hacking operations linked to the NotPetya ransomware attack, the PyeongChang 2018 Olympic Winter Games, as well as the 2017 French elections.

Copyright 2021 Associated Press. All rights reserved.

Source: https://www.bleepingcomputer.com/news/security/new-ransomware-attacks-in-ukraine-linked-to-russian-sandworm-hackers/
