Russian Sandworm Hackers Linked to New Ransomware Blitz

An infamous Russian state-backed APT group could be behind a new wave of ransomware attacks against Ukrainian targets, according to researchers at ESET.

The security vendor claimed in a series of tweets that it alerted the Ukrainian Computer Emergency Response Team (CERT-UA) about the RansomBoggs variant it discovered targeting several local organizations.

The .NET malware is new but is deployed in a similar manner to previous campaigns linked to Sandworm, a group tied to Russian military intelligence (GRU), it said.

There are apparently several references to the Pixar movie Monsters, Inc. in the malware.

“The ransom note (SullivanDecryptsYourFiles.txt) shows the authors impersonate James P. Sullivan, the main character of the movie, whose job is to scare kids. The executable file is also named Sullivan.exe and references are present in the code as well,” ESET explained.

“There are similarities with previous attacks conducted by Sandworm: a PowerShell script used to distribute the .NET ransomware from the domain controller is almost identical to the one seen last April during the Industroyer2 attacks against the energy sector.”

That script, dubbed “PowerGap” by CERT-UA, was also used at the time to deploy the destructive CaddyWiper malware alongside Industroyer2 via the ArguePatch loader.

“RansomBoggs generates a random key and encrypts files using AES-256 in CBC mode (not AES-128 as mentioned in the ransom note), and appends the .chsch file extension. The key is then RSA-encrypted and written to aes.bin,” ESET continued.

“Depending on the malware variant, the RSA public key can either be hardcoded in the malware sample itself or provided as an argument.”

The vendor also claimed the operation has similarities to a separate ransomware campaign launched last month against Ukrainian and Polish logistics providers using the “Prestige” variant.

“The Prestige campaign may highlight a measured shift in IRIDIUM’s destructive attack calculus, signaling increased risk to organizations directly supplying or transporting humanitarian or military assistance to Ukraine,” Microsoft wrote at the time.

“More broadly, it may represent an increased risk to organizations in Eastern Europe that may be considered by the Russian state to be providing support relating to the war.”
