Hacking

CERT-UA warns of multiple Somnia ransomware attacks against organizations in Ukraine

Russian threat actors employed a new ransomware family called Somnia in attacks against multiple organizations in Ukraine.

The Government Computer Emergency Response Team of Ukraine CERT-UA is investigating multiple attacks against organizations in Ukraine that involved a new piece of ransomware called Somnia.

Government experts attribute the attacks to the group ‘From Russia with Love’ (FRwL) (aka Z-Team, UAC-0118), which is believed to be a group of Pro-Russia hacktivists.

“FRwL (aka Z-Team), whose activity is monitored by CERT-UA under the identifier UAC-0118, took responsibility for the unauthorized intervention in the operation of automated systems and electronic computing machines of the target of the attack.” reads the advisory published by CERT-UA.

“The investigation found that the initial compromise occurred as a result of downloading and running a file that mimicked the “Advanced IP Scanner” software, but actually contained the Vidar malware.”

According to the alert, the Ukrainian organization was initially breached by a relevant access broker that then transferred the compromised data to the FRwL group that used it to carry out a cyber attack.

The “Advanced IP Scanner” software used as bait actually contained the Vidar malware, which is a data-stealing malware that is also able to capture Telegram session data and take over the victim’s account. 

Somnia malwareSomnia malware

Then the threat actors abused the victim’s Telegram account to steal VPN configuration data (authentication and certificates). If the VPN accounts aren’t protected with two-factor authentication, threat actors can use a VPN connection to gain an unauthorized connection to the corporate network. 

Once obtained access to the target network, the attackers conducted reconnaissance using tools like Netscan and deployed Cobalt Strike Beacons before exfiltrate data.

It is important to highlight that the threat actors behind Somnia attacks do not request the ransom payment, their operations aimed that disrupt the target’s networks.

CERT-UA also reported that the Somnia malware is evolving. The first version of the malware used the symmetric 3DES algorithm, while the second one used the AES algorithm. 

“Note that the Somnia malware has also undergone changes. The first version of the program used the symmetric 3DES algorithm. In the second version, the AES algorithm is implemented; at the same time, taking into account the dynamics of the key and the initialization vector, this version of Somnia, according to the attackers’ theoretical plan, does not provide for the possibility of data decryption.” concludes the report.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Somnia)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 46

Security Affairs Malware newsletter includes a collection of the best articles and research on malware…

12 hours ago

Security Affairs newsletter Round 525 by Pierluigi Paganini – INTERNATIONAL EDITION

A new round of the weekly Securitythe weekly Security Affairs newsletterAffairs newsletter arrived! Every week…

13 hours ago

Operation ENDGAME disrupted global ransomware infrastructure

Operation ENDGAME dismantled key ransomware infrastructure, taking down 300 servers, 650 domains, and seizing €21.2M…

16 hours ago

Silent Ransom Group targeting law firms, the FBI warns

FBI warns Silent Ransom Group has targeted U.S. law firms for 2 years using callback…

1 day ago

Leader of Qakbot cybercrime network indicted in U.S. crackdown

The U.S. indicted Russian Rustam Gallyamov for leading the Qakbot botnet, which infected 700K+ devices…

2 days ago

Operation RapTor led to the arrest of 270 dark web vendors and buyers

Law enforcement operation codenamed 'Operation RapTor' led to the arrest of 270 dark web vendors…

3 days ago