Researchers from ESET observed multiple attacks involving a new family of ransomware, tracked as RansomBoggs ransomware, against Ukrainian organizations.
The security firm first detected the attacks on November 21 and immediately alerted CERT-UA. The ransomware is written in .NET, and the experts noted that its deployment is similar to that of previous attacks attributed to the Russia-linked Sandworm APT group.
The group is also the author of the NotPetya ransomware that hit hundreds of companies worldwide in June 2017, causing billions of dollars' worth of damage.
The APT hacking group is believed to have been behind numerous attacks this year, including an attack on Ukrainian energy infrastructure and the deployment of a persistent botnet called “Cyclops Blink” dismantled by the US government in April.
From August 2022, Recorded Future researchers observed a rise in command and control (C2) infrastructure used by Sandworm (tracked by Ukraine’s CERT-UA as UAC-0113).
In September 2022, Sandworm was observed impersonating telecommunication providers to target Ukrainian entities with malware.
The analysis of the RansomBoggs ransomware code revealed that the authors make multiple references to the Pixar movie Monsters, Inc. The ransom note, SullivanDecryptsYourFiles.txt, shows the authors impersonating the movie's main character, James P. Sullivan, and the executable is also named Sullivan.<version?>.exe.
Threat actors used a PowerShell script to spread the ransomware; the experts noticed that it is almost identical to the script detected in April during the Industroyer2 attacks against the energy sector.
RansomBoggs encrypts files using AES-256 in CBC mode and appends the .chsch extension to the encrypted files. The AES key is then RSA-encrypted and written to aes.bin.
In some of the variants analyzed by ESET, the RSA public key was hardcoded, while in other samples it was provided as an argument.
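As an added example (not ESET's or Security Affairs' code), a small Python triage script that walks a directory tree for the file-level artifacts named above: the .chsch extension, the SullivanDecryptsYourFiles.txt note, the aes.bin key blob and a Sullivan.<version>.exe binary. The sample tree it builds is constructed, and the verdict rules (requiring the combination, since aes.bin on its own is a generic name) are this example's own assumption.

```python
import os
import re
import tempfile

# Artifact names are taken from the report above; the scoring below is this example's assumption.
ENCRYPTED_EXT = ".chsch"
RANSOM_NOTE = "SullivanDecryptsYourFiles.txt"
KEY_BLOB = "aes.bin"
# The report gives the executable as Sullivan.<version?>.exe, so accept any middle token.
EXECUTABLE_RE = re.compile(r"^sullivan\.[^\\/]+\.exe$", re.IGNORECASE)

def triage(root):
    """Walk `root` and bucket files that match the RansomBoggs artifacts named in the report."""
    hits = {"encrypted": [], "ransom_notes": [], "key_blobs": [], "executables": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(ENCRYPTED_EXT):
                hits["encrypted"].append(path)
            elif name == RANSOM_NOTE:
                hits["ransom_notes"].append(path)
            elif name.lower() == KEY_BLOB:
                hits["key_blobs"].append(path)
            elif EXECUTABLE_RE.match(name):
                hits["executables"].append(path)
    return hits

def verdict(hits):
    """Encrypted files plus a note or key blob is specific; a lone aes.bin is not evidence."""
    if hits["encrypted"] and (hits["ransom_notes"] or hits["key_blobs"]):
        return "likely RansomBoggs impact"
    if hits["encrypted"] or hits["ransom_notes"] or hits["executables"]:
        return "partial match, review manually"
    return "no RansomBoggs artifacts"

def build_sample_tree(root):
    """Constructed sample data: two renamed files, the note, the key blob, the binary, a bystander."""
    os.makedirs(os.path.join(root, "docs"))
    for name in ("report.docx.chsch", "docs/budget.xlsx.chsch", RANSOM_NOTE, KEY_BLOB,
                 "Sullivan.1.0.exe", "readme.txt"):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"constructed placeholder content")

def demo():
    """Run the triage over the constructed tree in a temp dir; returns (hits, verdict)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        hits = triage(root)
        return hits, verdict(hits)
```

Point `triage()` at a mounted disk image or a host's user profile instead of the temp tree to get the same buckets for real data; `demo()` only exercises the constructed sample.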
In October, Microsoft reported a similar campaign targeting entities in Ukraine and Poland with ransomware called Prestige and attributed the attacks to Sandworm.
ESET also shared Indicators of Compromise (IoCs) for RansomBoggs ransomware.
(SecurityAffairs – hacking, RansomBoggs ransomware)