The new Somnia ransomware attributed to Russian hacktivists

November 21, 2022

The new ‘Somnia’ ransomware has infected numerous Ukrainian organisations, whose systems the operators encrypted, causing operational disruption. Ukraine’s CERT-UA announced the incident and attributed the attacks to a threat group calling itself ‘From Russia with Love’ (FRwL) or the ‘Z-Team’. The agency also tracks the group as UAC-0118.

According to the reports, the Z-Team had previously posted on its Telegram channel about creating the Somnia ransomware and shared what it presented as proof of cyberattacks against Ukraine’s tank producers. Nonetheless, according to Ukraine, no successful attacks by the group have yet been confirmed.

One of the tools the Russian group impersonated is the ‘Advanced IP Scanner’ software: employees of Ukrainian organisations were tricked into downloading a fake installer onto their computers. Once installed, it infected the computer with the Vidar stealer, which stole the victim’s Telegram session data and gave the attackers full control of the account.

In one case, a hijacked Telegram account was used to steal VPN connection data, including authentication details and certificates. If the VPN account is not protected by MFA, that data can be abused to gain unauthorised access to the targeted employee’s corporate network.

The attackers then deployed a Cobalt Strike beacon and exfiltrated data from the compromised computer, after which they used tools such as Anydesk, Netscan, Rclone and Ngrok for cyberespionage and remote access.

Since the beginning of this year, the Z-Team has carried out numerous cyberattacks against Ukrainian organisations aimed at deploying the Somnia ransomware.

CERT-UA said that initial access brokers had aided the Russian threat group in carrying out attacks on its Ukrainian targets. The latest Somnia samples used in the group’s campaigns mostly rely on the AES algorithm, whereas the samples used in earlier attacks relied on 3DES (both are symmetric ciphers).

Somnia can encrypt numerous file types and extensions, including documents, images, archives, databases and videos, among others. For this reason, researchers said the strain has proven destructive to its targets.

Somnia also appends the extension [.]somnia to every encrypted file. Interestingly, reports say that the Somnia operators make no ransom demands, since their main goal is to disrupt victims’ operations rather than to generate income from the attacks.
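As an added example (not part of the article or of CERT-UA’s reporting), the following Python script shows how a defender could hunt for the chain described above in endpoint telemetry: it flags processes whose executable matches the dual-use tooling the article names (AnyDesk, Netscan, Rclone, Ngrok), flags file renames that append the [.]somnia extension, detects bursts of such renames that indicate mass encryption in progress, and correlates both signals per host. The line format, host names, file paths and timestamps are all constructed for the example.

```python
"""Added example: correlate Somnia-related observables in endpoint telemetry.
Not from the article or CERT-UA; the telemetry format is a hypothetical
"timestamp|host|event|detail" layout assumed for this demonstration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (process starts and file renames) for three hosts.
SAMPLE_EVENTS = r"""
2022-11-14T09:12:03Z|WS-017|process|C:\Users\olena\Downloads\Advanced_IP_Scanner_setup.exe
2022-11-14T09:30:10Z|WS-017|process|C:\ProgramData\ngrok.exe
2022-11-14T09:31:02Z|WS-017|process|C:\ProgramData\rclone.exe
2022-11-14T09:40:00Z|FS-01|rename|D:\share\finance\q3.xlsx -> D:\share\finance\q3.xlsx.somnia
2022-11-14T09:40:01Z|FS-01|rename|D:\share\finance\budget.docx -> D:\share\finance\budget.docx.somnia
2022-11-14T09:40:01Z|FS-01|rename|D:\share\hr\staff.db -> D:\share\hr\staff.db.somnia
2022-11-14T09:40:02Z|FS-01|rename|D:\share\media\intro.mp4 -> D:\share\media\intro.mp4.somnia
2022-11-14T11:00:00Z|WS-022|process|C:\Program Files\AnyDesk\AnyDesk.exe
2022-11-14T11:05:00Z|WS-022|rename|C:\Users\ivan\report.pdf -> C:\Users\ivan\report_v2.pdf
2022-11-14T12:00:00Z|WS-017|rename|C:\Users\olena\Documents\notes.txt -> C:\Users\olena\Documents\notes.txt.somnia
"""

TOOLING = {"anydesk", "netscan", "rclone", "ngrok"}  # dual-use tools named in the article
RANSOM_EXT = ".somnia"                                # extension Somnia appends
BURST_WINDOW = timedelta(seconds=60)                  # window for "mass encryption" detection
BURST_THRESHOLD = 3                                   # renames within the window that trigger it

_LINE = re.compile(r"^(?P<ts>\S+)\|(?P<host>[^|]+)\|(?P<event>process|rename)\|(?P<detail>.+)$")


def parse_event(line):
    """Parse one telemetry line into a dict, or return None for malformed input."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "host": m["host"], "event": m["event"], "detail": m["detail"]}


def exe_stem(path):
    """Lower-cased executable name without extension; accepts both path separators."""
    name = re.split(r"[\\/]", path)[-1]
    return name.rsplit(".", 1)[0].lower()


def max_in_window(times):
    """Largest number of .somnia renames that fall inside any BURST_WINDOW span."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > BURST_WINDOW:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyse(text):
    """Return per-host findings: severity, tooling seen, .somnia rename count and burst size."""
    per_host = defaultdict(lambda: {"tools": set(), "somnia_times": []})
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        rec = per_host[ev["host"]]
        if ev["event"] == "process" and exe_stem(ev["detail"]) in TOOLING:
            # Name-based matching cannot spot a lookalike installer such as the fake
            # Advanced IP Scanner; it only catches the later-stage tooling.
            rec["tools"].add(exe_stem(ev["detail"]))
        elif ev["event"] == "rename":
            new_name = ev["detail"].split(" -> ", 1)[-1]
            if new_name.lower().endswith(RANSOM_EXT):
                rec["somnia_times"].append(ev["ts"])

    findings = {}
    for host, rec in per_host.items():
        burst = max_in_window(rec["somnia_times"])
        if rec["tools"] and rec["somnia_times"]:
            severity = "critical"   # remote-access/exfil tooling plus encryption on one host
        elif rec["somnia_times"]:
            severity = "high"       # the ransomware extension alone is a strong indicator
        elif rec["tools"]:
            severity = "low"        # dual-use tool: review, since admins also use these
        else:
            continue
        findings[host] = {
            "severity": severity,
            "tools": sorted(rec["tools"]),
            "somnia_files": len(rec["somnia_times"]),
            "burst": burst,
            "mass_encryption": burst >= BURST_THRESHOLD,
        }
    return findings


if __name__ == "__main__":
    for host, finding in analyse(SAMPLE_EVENTS).items():
        print(host, finding)
```

Run against the constructed sample, the script rates FS-01 as high with mass encryption in progress (four renames within two seconds), WS-017 as critical because Ngrok and Rclone ran on the same host that later produced a [.]somnia file, and WS-022 as low because AnyDesk on its own is a legitimate administration tool that merits review rather than an alert.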
