May 18, 2024


Ukraine says Russian hacktivists use new Somnia ransomware


Russian hacktivists have infected many organizations in Ukraine with a new ransomware strain called ‘Somnia,’ encrypting their systems and causing operational problems.

The Computer Emergency Response Team of Ukraine (CERT-UA) has confirmed the outbreak via an announcement on its portal, attributing the attacks to ‘From Russia with Love’ (FRwL), also known as ‘Z-Team,’ whom it tracks as UAC-0118.

The group previously disclosed creating the Somnia ransomware on Telegram and even posted evidence of attacks against tank producers in Ukraine.

FRwL posting about Somnia ransomware on Telegram (BleepingComputer)

However, until now, Ukraine has not confirmed any successful encryption attacks by the hacking group.

FRwL attack details

According to CERT-UA, the hacking group uses fake websites that mimic the ‘Advanced IP Scanner’ software to trick employees of Ukrainian organizations into downloading an installer.

The fake website used for dropping Vidar Stealer (CERT-UA)

In reality, the installer infects the system with the Vidar stealer, which steals the victim’s Telegram session data to take control of their account.

Next, CERT-UA says the threat actors abused the victim’s Telegram account in some unspecified way to steal VPN connection data (authentication credentials and certificates).

If the VPN account is not protected by two-factor authentication, the hackers use it to gain unauthorized access to the corporate network of the victim’s employer.

Next, the intruders deploy a Cobalt Strike beacon, exfiltrate data, and use Netscan, Rclone, Anydesk, and Ngrok to carry out various reconnaissance and remote access activities.

CERT-UA reports that since the spring of 2022, with the help of initial access brokers, FRwL has carried out multiple attacks on computers belonging to Ukrainian organizations.

The agency also notes that the latest samples of the Somnia ransomware strain used in these attacks rely on the AES algorithm, whereas Somnia initially used the symmetric 3DES cipher.

The file types (extensions) targeted by the Somnia ransomware are shown below, including documents, images, databases, archives, video files, and more, reflecting the damage this strain aims to cause.

File types encrypted by the Somnia ransomware (CERT-UA)

When encrypting data, the ransomware appends the .somnia extension to the names of the encrypted files.
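Because the strain marks every encrypted file with the .somnia suffix, a burst of renames to that extension on one host is a simple, high-signal detection. The script below is an added example written for this article; it is not code from CERT-UA or BleepingComputer. It assumes a tab-separated file-activity log (epoch seconds, host, action, path), a constructed sample of such lines, and illustrative threshold and window values; only the .somnia extension comes from the report.

```python
"""Flag hosts showing Somnia-style mass renaming to the .somnia extension.

Added example, not CERT-UA's or BleepingComputer's code. Assumes a
file-activity log in the tab-separated form (constructed below):
    <epoch seconds>\t<host>\t<action>\t<path>
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

SOMNIA_EXT = ".somnia"  # extension appended by the strain (from the report)


@dataclass(frozen=True)
class FileEvent:
    ts: int
    host: str
    action: str
    path: str


def parse_events(text: str) -> list[FileEvent]:
    """Parse tab-separated file events; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split("\t")
        if len(parts) != 4:
            continue
        ts, host, action, path = parts
        try:
            events.append(FileEvent(int(ts), host, action, path))
        except ValueError:
            continue
    return events


def is_somnia_rename(ev: FileEvent) -> bool:
    """True for a rename/create whose target name ends in .somnia (case-insensitive)."""
    return ev.action in ("rename", "create") and ev.path.lower().endswith(SOMNIA_EXT)


def detect_mass_rename(events: list[FileEvent], threshold: int = 5,
                       window: int = 60) -> dict[str, int]:
    """Return {host: peak_count} for hosts with at least `threshold` .somnia
    renames inside any sliding window of `window` seconds.

    A sliding window (rather than fixed buckets) still catches a burst that
    straddles a bucket boundary. Threshold/window values are assumptions.
    """
    per_host: dict[str, list[int]] = defaultdict(list)
    for ev in events:
        if is_somnia_rename(ev):
            per_host[ev.host].append(ev.ts)

    alerts: dict[str, int] = {}
    for host, stamps in per_host.items():
        stamps.sort()
        left, peak = 0, 0
        for right, ts in enumerate(stamps):
            while ts - stamps[left] > window:   # shrink window from the left
                left += 1
            peak = max(peak, right - left + 1)
        if peak >= threshold:
            alerts[host] = peak
    return alerts


# Constructed sample log: ws-17 shows a burst of six renames in 18 seconds,
# ws-03 has two isolated .somnia renames 300 s apart (below threshold),
# fs-01 only creates a normal file, and one line is deliberately malformed.
SAMPLE_LOG = "\n".join([
    "1700000000\tws-17\trename\t/home/a/docs/report.docx.somnia",
    "1700000003\tws-17\trename\t/home/a/docs/budget.xlsx.somnia",
    "1700000005\tws-17\trename\t/home/a/pictures/img01.jpg.somnia",
    "1700000009\tws-17\trename\t/home/a/docs/notes.txt.somnia",
    "1700000012\tws-17\trename\t/home/a/docs/db.sqlite.somnia",
    "1700000018\tws-17\trename\t/home/a/docs/archive.zip.somnia",
    "1700000100\tws-03\trename\t/home/b/old.docx.somnia",
    "1700000400\tws-03\trename\t/home/b/new.docx.somnia",
    "1700000200\tfs-01\tcreate\t/srv/share/q3.pptx",
    "not a valid event line",
])

if __name__ == "__main__":
    for host, count in detect_mass_rename(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT host={host} somnia_renames_in_window={count}")
```

The extension match is deliberately narrow: it will not catch a future variant that changes its suffix, so in practice it belongs alongside a generic mass-rename rule. The events could come from any file-audit source (EDR telemetry, audit logs) that records the new path of a rename; the tab format here is only a convenience for the example.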

Somnia does not ask the victims to pay a ransom in exchange for a working decryptor, as its operators are more interested in disrupting the target’s operations than in generating revenue.

Therefore, this malware should be considered a data wiper rather than a traditional ransomware attack.