A new ransomware strain attributed to the Russian-based Sandworm APT group, ‘RansomBoggs’, has targeted numerous Ukrainian organisations since its first detection last November 21. These attacks against Ukraine were identified as similar to previous campaigns launched by Russia’s Sandworm APT.
According to a report by a cybersecurity researcher, the new malware strain was written in [.]NET and had an attack structure parallel to earlier Sandworm operations. In October 2022, a Sandworm APT actor was spotted launching attacks against logistics and transportation firms in Poland and Ukraine using another ransomware strain called ‘Prestige’.
Experts also said that the RansomBoggs ransomware employs a PowerShell script in its attacks, which helps distribute it across the targeted networks. The researchers noticed that this recent malicious campaign is almost identical to the ‘Industroyer2’ malware attacks that transpired last April.
CERT-UA explained that the RansomBoggs ransomware used the PowerShell script to deploy a data wiper malware.
Ukraine’s CERT said in a publication that the PowerShell script used by RansomBoggs ransomware in its attacks deploys a data wiper called ‘CaddyWiper’, which destroys targeted files on the victimised network.
Moreover, the PowerShell script, dubbed POWERGAP, released the CaddyWiper data wiper through a separate loader called ‘ArguePatch/AprilAxe.’
An analysis by a security researcher shows that the RansomBoggs ransomware can generate random keys and encrypt files with AES-256 in CBC mode. The new ransomware strain also appends the [.]chsch file extension to all victims’ encrypted files.
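The two observable traits the analysis gives a defender are the appended [.]chsch extension and the fact that AES-256-CBC output is indistinguishable from random bytes. The script below is an added example, not part of the article or of any published RansomBoggs analysis: it walks a directory, flags files carrying the reported extension, and uses byte entropy to separate genuinely encrypted content from a file that was merely renamed. The sample directory it builds is constructed for the demonstration; the entropy threshold of 7.0 bits per byte is an assumption chosen for this example.

```python
import math
import os
import tempfile
from pathlib import Path

# Extension the article reports RansomBoggs appends to encrypted files.
RANSOMBOGGS_EXT = ".chsch"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of `data`. AES-CBC ciphertext approaches 8.0;
    plain text usually sits around 4 to 5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def find_suspect_files(root, ext=RANSOMBOGGS_EXT, entropy_threshold=7.0):
    """Walk `root` and return (path, entropy) for files that both end in `ext`
    and whose first 4 KiB looks encrypted. A renamed-but-plaintext file is
    reported separately by the caller if needed; here it is simply skipped.
    The 7.0 threshold is an assumption for this example."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.name.lower().endswith(ext):
            sample = path.read_bytes()[:4096]
            ent = shannon_entropy(sample)
            if ent >= entropy_threshold:
                hits.append((str(path), round(ent, 2)))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample data (not from a real incident): a temp dir holding
    an untouched document, a file renamed to .chsch but still low-entropy,
    and a random-looking .chsch file standing in for AES-CBC output."""
    d = tempfile.mkdtemp(prefix="rb_demo_")
    (Path(d) / "report.docx").write_bytes(b"Quarterly report text " * 50)
    (Path(d) / "notes.txt.chsch").write_bytes(b"AAAA" * 256)   # renamed only
    (Path(d) / "invoice.xlsx.chsch").write_bytes(os.urandom(4096))  # "encrypted"
    return d


if __name__ == "__main__":
    tree = build_sample_tree()
    for p, e in find_suspect_files(tree):
        print(f"suspect encrypted file: {p} (entropy {e} bits/byte)")
```

Run against a real share the same way, pointing `find_suspect_files` at the mount point; a sudden rise in the count of hits between two runs is the signal worth alerting on, since a handful of legitimately compressed files with a coincidental extension would not cluster like that.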
Since the Russian-based Sandworm APT group is considered an elite hacking organisation backed by Russia’s GRU military intelligence agency, security experts fear that the new ransomware strain linked with them could endanger more victims besides Ukrainian firms.
Thus, the alleged targets and potential victims must be wary and prepared for further attacks by strengthening their cybersecurity and never engaging with suspicious communication attempts from potential threat actors.