Ukraine says Russian hacktivists use new Somnia ransomware


Russian hacktivists have infected multiple organizations in Ukraine with a new ransomware strain called 'Somnia,' encrypting their systems and causing operational problems.

The Computer Emergency Response Team of Ukraine (CERT-UA) has confirmed the outbreak via an announcement on its portal, attributing the attacks to 'From Russia with Love' (FRwL), also known as 'Z-Team,' which it tracks as UAC-0118.

The group previously announced on Telegram that it was developing the Somnia ransomware and even posted evidence of attacks against tank manufacturers in Ukraine.

FRwL posting about Somnia ransomware on Telegram (BleepingComputer)

However, until today, Ukraine had not confirmed any successful encryption attacks by the hacking group.

FRwL attack details

According to CERT-UA, the hacking group uses fake websites that mimic the 'Advanced IP Scanner' software to trick employees of Ukrainian organizations into downloading an installer.

The fake website used for dropping Vidar Stealer (CERT-UA)

In reality, the installer infects the system with the Vidar stealer, which steals the victim's Telegram session data so the attackers can take control of the account.

Next, CERT-UA says the threat actors abused the victim's Telegram account in an unspecified way to steal VPN connection data (authentication details and certificates).

If the VPN account is not protected by two-factor authentication, the hackers use the stolen data to gain unauthorized access to the corporate network of the victim's employer.

Next, the intruders deploy a Cobalt Strike beacon, exfiltrate data, and use Netscan, Rclone, AnyDesk, and Ngrok to perform reconnaissance and maintain remote access.
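The chain above, from a lookalike download site to Ngrok and AnyDesk connections, is visible in web-proxy logs. The following is an added example, not code from CERT-UA or BleepingComputer: it scans constructed Squid-style access-log lines for an 'Advanced IP Scanner' installer fetched from a lookalike or non-vendor host, and for later connections to Ngrok and AnyDesk endpoints. The vendor domain advanced-ip-scanner.com, the tooling domains, the log format and the log lines are all assumptions; CERT-UA's report names none of the fake domains.

```python
"""Flag proxy-log entries consistent with the FRwL intrusion chain:
an 'Advanced IP Scanner' installer pulled from a host that is not the
vendor's, and later connections to remote-access / tunnelling services."""
import difflib
import re
from urllib.parse import urlparse

# Assumption: legitimate vendor site for Advanced IP Scanner.
LEGIT_HOST = "advanced-ip-scanner.com"
# Assumption: SaaS endpoints of the tooling CERT-UA saw after compromise.
TOOLING_HOSTS = {
    "ngrok.io": "Ngrok tunnel",
    "ngrok.com": "Ngrok tunnel",
    "anydesk.com": "AnyDesk remote access",
}
# Installer file names like Advanced_IP_Scanner_2.5.exe (case-insensitive).
INSTALLER_RE = re.compile(r"advanced[_-]?ip[_-]?scanner.*\.exe$", re.I)
# Squid access.log: ts elapsed client action/code bytes method url ...
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+(?P<client>\S+)\s+\S+\s+\S+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

# Constructed sample log (not real traffic). 10.0.0.5 follows the full chain.
SAMPLE_LOG = [
    "1668000001.001 120 10.0.0.9 TCP_MISS/200 2048 GET http://intranet.example.local/index.html - DIRECT/10.1.1.1 text/html",
    "1668000002.002 950 10.0.0.5 TCP_MISS/200 20000000 GET http://advanced-ip-scaner.com/download/Advanced_IP_Scanner_2.5.exe - DIRECT/203.0.113.10 application/octet-stream",
    "1668000003.003 900 10.0.0.7 TCP_MISS/200 20000000 GET http://cdn.example-files.net/files/Advanced_IP_Scanner.exe - DIRECT/203.0.113.11 application/octet-stream",
    "1668000004.004 800 10.0.0.8 TCP_MISS/200 20000000 GET http://www.advanced-ip-scanner.com/download/Advanced_IP_Scanner_2.5.exe - DIRECT/198.51.100.5 application/octet-stream",
    "1668000005.005 30 10.0.0.5 TCP_TUNNEL/200 5120 CONNECT 3f2a.tcp.ngrok.io:443 - HIER_DIRECT/203.0.113.20 -",
    "1668000006.006 30 10.0.0.5 TCP_TUNNEL/200 5120 CONNECT relay-xyz.net.anydesk.com:443 - HIER_DIRECT/203.0.113.21 -",
]


def registrable(host):
    """Crude registrable-domain extraction: last two labels of the host."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_lookalike(host, legit=LEGIT_HOST, threshold=0.75):
    """True when the registrable domain resembles the vendor's but is not it."""
    base = registrable(host)
    if base == legit:
        return False
    ratio = difflib.SequenceMatcher(None, base, legit).ratio()
    return ratio >= threshold or legit.split(".")[0] in base


def analyze(lines):
    """Return (client, alert_kind, host) tuples for suspicious entries."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = m.group("url")
        # CONNECT lines carry only host:port; give urlparse a scheme-less netloc.
        parsed = urlparse(url if "://" in url else "//" + url)
        host = parsed.hostname or ""
        base = registrable(host)
        if INSTALLER_RE.search(parsed.path):
            if base == LEGIT_HOST:
                continue  # genuine vendor download
            kind = ("lookalike installer download" if is_lookalike(host)
                    else "installer from non-vendor host")
            alerts.append((m.group("client"), kind, host))
        elif base in TOOLING_HOSTS:
            alerts.append((m.group("client"), TOOLING_HOSTS[base], host))
    return alerts


if __name__ == "__main__":
    for client, kind, host in analyze(SAMPLE_LOG):
        print(f"{client}\t{kind}\t{host}")
```

A client that appears first with an installer alert and later with a tunnel or remote-access alert, as 10.0.0.5 does in the sample, matches the sequence CERT-UA describes and is worth isolating; an installer download from the vendor's own domain produces no alert.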

CERT-UA reports that since the spring of 2022, with the help of initial access brokers, FRwL has carried out several attacks on computers belonging to Ukrainian organizations.

The agency also notes that the latest Somnia samples used in these attacks rely on the AES algorithm, whereas earlier versions used 3DES (both are symmetric ciphers).

The file types (extensions) targeted by Somnia are shown below and include documents, images, databases, archives, video files, and more, reflecting the breadth of damage this strain aims to cause.

File types encrypted by the Somnia ransomware (CERT-UA)

When encrypting files, the ransomware appends the .somnia extension to their names.

Somnia does not ask victims to pay a ransom in exchange for a working decryptor, as its operators are more interested in disrupting the target's operations than in generating revenue.

Therefore, this malware should be considered a data wiper rather than a conventional ransomware attack.
