March 1, 2024

Benjamin Better

Better Get Computer

Hackers attacking Ukraine

Ukraine says Russian hacktivists use new Somnia ransomware

Russian hacktivists have infected several organizations in Ukraine with a new ransomware strain named 'Somnia,' encrypting their systems and causing operational problems.

The Computer Emergency Response Team of Ukraine (CERT-UA) has confirmed the outbreak via an announcement on its portal, attributing the attacks to 'From Russia with Love' (FRwL), also known as 'Z-Team,' whom they track as UAC-0118.

The group previously disclosed creating the Somnia ransomware on Telegram and even posted evidence of attacks against tank manufacturers in Ukraine.

FRwL posting about Somnia ransomware on Telegram

However, until today, Ukraine had not confirmed any successful encryption attacks by the hacking group.

FRwL attack details

According to CERT-UA, the hacking group uses fake websites that mimic the 'Advanced IP Scanner' software to trick employees of Ukrainian organizations into downloading an installer.

The fake website used for dropping Vidar Stealer (CERT-UA)

In reality, the installer infects the system with the Vidar stealer, which steals the victim's Telegram session data to take control of their account.

Next, CERT-UA says the threat actors abused the victim's Telegram account in some unspecified way to steal VPN connection data (authentication and certificates).

If the VPN account is not protected by two-factor authentication, the hackers use it to gain unauthorized access to the victim's employer's corporate network.

Next, the intruders deploy a Cobalt Strike beacon, exfiltrate data, and use Netscan, Rclone, AnyDesk, and Ngrok to carry out various reconnaissance and remote access activities.

CERT-UA reports that since the spring of 2022, with the help of initial access brokers, FRwL has carried out several attacks on computers belonging to Ukrainian organizations.

The agency also notes that the latest samples of the Somnia ransomware strain used in these attacks rely on the AES algorithm, while Somnia initially used the symmetric 3DES cipher.

The file types (extensions) targeted by Somnia ransomware are shown below, including documents, images, databases, archives, video files, and more, reflecting the damage this strain aims to cause.

File types encrypted by the Somnia ransomware (CERT-UA)

The ransomware appends the .somnia extension to the names of the files it encrypts.
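The intrusion chain described above ends with tooling such as Rclone, AnyDesk and Ngrok, and the encryption stage renames files with a .somnia suffix. As an added example (not code from CERT-UA or this article), the Python below runs a simple detection over constructed sample telemetry: it flags execution of the named tools for review and raises an alert when one host renames files to .somnia in a burst. The log format, host names, paths and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from CERT-UA or the original article).
# Line format: "<ISO time> <host> proc <image path>"
#          or: "<ISO time> <host> rename <old path> -> <new path>"
SAMPLE_EVENTS = """\
2024-03-01T10:00:01 ws-17 proc C:\\Users\\a\\Downloads\\Advanced_IP_Scanner.exe
2024-03-01T10:05:12 ws-17 proc C:\\Users\\a\\AppData\\Local\\Temp\\rclone.exe
2024-03-01T10:06:30 ws-17 proc C:\\ProgramData\\ngrok.exe
2024-03-01T10:20:00 ws-17 rename D:\\share\\report.docx -> D:\\share\\report.docx.somnia
2024-03-01T10:20:01 ws-17 rename D:\\share\\budget.xlsx -> D:\\share\\budget.xlsx.somnia
2024-03-01T10:20:02 ws-17 rename D:\\share\\db.mdb -> D:\\share\\db.mdb.somnia
2024-03-01T10:20:03 ws-17 rename D:\\share\\photo.jpg -> D:\\share\\photo.jpg.somnia
2024-03-01T10:20:04 ws-17 rename D:\\share\\backup.zip -> D:\\share\\backup.zip.somnia
2024-03-01T11:00:00 ws-22 rename D:\\x\\notes.txt -> D:\\x\\notes.txt.bak
"""

# Tools named in the CERT-UA account; all are legitimate, so hits are review items, not blocks.
SUSPECT_TOOLS = {"rclone.exe", "anydesk.exe", "ngrok.exe", "netscan.exe"}
LINE_RE = re.compile(r"^(\S+) (\S+) (proc|rename) (.+)$")

def parse_event(line):
    """Parse one telemetry line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, kind, detail = m.groups()
    ev = {"ts": datetime.fromisoformat(ts), "host": host, "kind": kind}
    if kind == "rename":
        ev["old"], _, ev["new"] = detail.partition(" -> ")
    else:
        ev["image"] = detail
    return ev

def detect(lines, rename_threshold=5, window=timedelta(minutes=1)):
    """Return (host, alert_type, detail) tuples for tool execution and .somnia rename bursts."""
    alerts = []
    somnia_times = defaultdict(list)  # host -> timestamps of renames ending in .somnia
    for line in lines.splitlines():
        ev = parse_event(line)
        if not ev:
            continue
        if ev["kind"] == "proc":
            name = ev["image"].rsplit("\\", 1)[-1].lower()
            if name in SUSPECT_TOOLS:
                alerts.append((ev["host"], "suspect-tool", name))
        elif ev["new"].lower().endswith(".somnia"):
            times = somnia_times[ev["host"]]
            times.append(ev["ts"])
            recent = [t for t in times if ev["ts"] - t <= window]  # sliding window
            if len(recent) == rename_threshold:  # fire once, when the threshold is crossed
                alerts.append((ev["host"], "somnia-rename-burst", len(recent)))
    return alerts
```

On the sample above, `detect(SAMPLE_EVENTS)` reports the rclone and ngrok executions and one rename burst on ws-17, and nothing for ws-22, whose rename uses a different suffix.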

Somnia does not ask the victims to pay a ransom in exchange for a working decryptor, as its operators are more interested in disrupting the target's operations than in making a profit.

Therefore, this malware should be considered a data wiper rather than a classic ransomware attack.