ESET researchers spot a new ransomware campaign targeting Ukrainian organizations that has Sandworm's fingerprints all over it
ESET's research team has detected a new wave of ransomware attacks targeting multiple organizations in Ukraine and bearing the hallmarks of other campaigns previously unleashed by the Sandworm APT group.
Although the ransomware, named RansomBoggs by ESET and written in .NET, is new, the way in which it is deployed closely resembles some earlier attacks attributed to the notorious threat actor.
ESET has alerted the Computer Emergency Response Team of Ukraine (CERT-UA) about the RansomBoggs attacks, which were first detected on November 21st. Depending on the variant, ESET products detect RansomBoggs as MSIL/Filecoder.Sullivan.A and MSIL/Filecoder.RansomBoggs.A.
RansomBoggs at a glance

Ransom note left by RansomBoggs
In the ransom note seen above (SullivanDecryptsYourFiles.txt), the RansomBoggs authors make multiple references to the movie Monsters, Inc., even posing as James P. Sullivan, the main protagonist of the film.
Once launched, the new ransomware "generates a random key and encrypts files using AES-256 in CBC mode", not the 128-bit AES key length mentioned in the ransom note. It then appends the .chsch extension to the encrypted files.
"The key is then encrypted with RSA and written to aes.bin," the ESET researchers said. Depending on the variant, the RSA public key is either hardcoded into the malware sample or supplied as an argument.
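The two steps above describe a standard hybrid scheme: a fresh symmetric key per run, the files encrypted under it with AES-CBC, and the key itself wrapped with the operators' RSA public key so that only the matching private key can recover it. The following Go program is an added illustration of that scheme written for this page; it is not RansomBoggs code and not ESET's. Only the facts quoted from the report are reproduced (a random 256-bit AES key, CBC mode, the key RSA-wrapped into a blob that would be aes.bin). Everything else is an assumption for the sake of a runnable example: RSA-OAEP with SHA-256 as the RSA padding, a 2048-bit RSA key, PKCS#7 block padding, the IV prepended to each file's ciphertext, and the function names.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// AESKeyBytes follows the report: a 256-bit AES key, not the 128-bit key
// the ransom note advertises.
const AESKeyBytes = 32

// pkcs7Pad pads b to a whole number of blocks (the padding scheme is assumed).
func pkcs7Pad(b []byte, blockSize int) []byte {
	n := blockSize - len(b)%blockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips the padding added by pkcs7Pad and rejects malformed input.
func pkcs7Unpad(b []byte, blockSize int) ([]byte, error) {
	if len(b) == 0 || len(b)%blockSize != 0 {
		return nil, errors.New("bad length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > blockSize || n > len(b) {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// EncryptFileCBC is the per-file step: AES-CBC under key with a random IV,
// which this example prepends to the ciphertext (IV placement is assumed).
func EncryptFileCBC(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext, aes.BlockSize)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return append(iv, out...), nil
}

// DecryptFileCBC reverses EncryptFileCBC once the AES key is back in hand.
func DecryptFileCBC(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext length is not a multiple of the block size")
	}
	iv, body := data[:aes.BlockSize], data[aes.BlockSize:]
	out := make([]byte, len(body))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, body)
	return pkcs7Unpad(out, aes.BlockSize)
}

// Run walks one constructed victim file through the scheme and reports the AES
// key length used and the aes.bin size (the RSA modulus size; 2048 bits assumed).
func Run(plaintext []byte) (recovered []byte, aesKeyBits, aesBinLen int, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // operator-side keypair
	if err != nil {
		return nil, 0, 0, err
	}
	key := make([]byte, AESKeyBytes) // "generates a random key"
	if _, err = rand.Read(key); err != nil {
		return nil, 0, 0, err
	}
	encrypted, err := EncryptFileCBC(key, plaintext) // would be written as <name>.chsch
	if err != nil {
		return nil, 0, 0, err
	}
	// "The key is then encrypted with RSA and written to aes.bin" (OAEP assumed).
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &priv.PublicKey, key, nil)
	if err != nil {
		return nil, 0, 0, err
	}
	// Recovery path: only the private key gets the AES key back out of aes.bin.
	unwrapped, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
	if err != nil {
		return nil, 0, 0, err
	}
	recovered, err = DecryptFileCBC(unwrapped, encrypted)
	return recovered, len(key) * 8, len(wrapped), err
}
```

Two points the code makes concrete for an incident responder. First, the length of the wrapped blob equals the RSA modulus size (256 bytes for the assumed 2048-bit key), so aes.bin tells you how large the operators' RSA key is but nothing about whether AES-128 or AES-256 was used; the ransom note's claim can only be checked against the sample's own code. Second, because the public key can be passed to the sample as an argument, the exact command line used by the distribution script is worth preserving from process-creation logs, since it identifies which key a given host's aes.bin was wrapped with.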
There are similarities to previous attacks carried out by #Sandworm: A PowerShell script used to distribute .NET ransomware from the domain controller is almost identical to the one seen last April during the #Industroyer2 attacks against the energy sector. 4/9 pic.twitter.com/fdh6A2FCXk
— ESET Research (@ESETresearch) November 25, 2022
In terms of similarities to other Sandworm attacks, the PowerShell script used to distribute RansomBoggs from the domain controller is almost identical to the one used in the Industroyer2 attacks against the Ukrainian energy sector in April of this year. The same script was also used to deliver the data-wiping malware CaddyWiper, which was loaded via the ArguePatch loader and affected several dozen systems in a limited number of organizations in Ukraine in March.
Ukraine under fire
Sandworm has a long history of being behind some of the world's most disruptive cyberattacks of the past decade. It last appeared in the spotlight just a few weeks ago, after Microsoft singled it out as the actor behind the so-called "Prestige" ransomware that hit several logistics companies in Ukraine and Poland in early October.
The aforementioned attacks by no means give a complete picture of the various threats that high-profile Ukrainian organizations have had to face this year alone. For example, on February 23rd, just hours before Russia invaded Ukraine, ESET telemetry detected HermeticWiper on the networks of several Ukrainian organizations. The next day, a second destructive attack against a Ukrainian government network began, this time delivering IsaacWiper.
In fact, Ukraine has been on the receiving end of a series of highly disruptive cyberattacks by Sandworm since at least 2014, including BlackEnergy, GreyEnergy, and the first iteration of Industroyer. The group was also behind the NotPetya attack that swept through many corporate networks in Ukraine in June 2017 before spreading like wildfire globally and wreaking havoc on organizations around the world.
– RansomBoggs: New ransomware targeting Ukraine