RansomBoggs Ransomware hit several Ukrainian entities, experts attribute it to Russia

Several Ukrainian organizations were hit by Russia-based RansomBoggs Ransomware in the last week, ESET reports.

Researchers from ESET observed multiple attacks involving a new family of ransomware, tracked as RansomBoggs ransomware, against Ukrainian organizations.

The security firm first detected the attacks on November 21 and immediately alerted the CERT US. The ransomware is written in .NET and experts noticed that deployment is similar to previous attacks attributed to the Russia-linked Sandworm APT group.

Sandworm (aka BlackEnergy and TeleBots) has been active since 2000, it operates under the control of Unit 74455 of the Russian GRU’s Main Center for Special Technologies (GTsST).

The group is also the author of the NotPetya ransomware that hit hundreds of companies worldwide in June 2017, causing billions worth of damage.

In April, Sandworm targeted energy facilities in Ukraine with a new strain of the Industroyer ICS malware (INDUSTROYER2) and a new version of the CaddyWiper wiper.

The APT hacking group is believed to have been behind numerous attacks this year, including an attack on Ukrainian energy infrastructure and the deployment of a persistent botnet called “Cyclops Blink” dismantled by the US government in April.

From August 2022, Recorded Future researchers observed a rise in command and control (C2) infrastructure used by Sandworm (tracked by Ukraine’s CERT-UA as UAC-0113).

In September 2022, Sandworm has been observed impersonating telecommunication providers to target Ukrainian entities with malware.

The analysis of the RansomBoggs Ransomware code revealed that the authors make multiple references to the Pixar movie Monsters, Inc. The ransom note, SullivanDecryptsYourFiles.txt, shows the authors impersonating the main character of the movie James P. Sullivan and the executable file is also named Sullivan.<version?>.exe .

Threat actors used a PowerShell script to spread the ransomware, the experts noticed that it is almost identical to the script detected in April during the Industroyer2 attacks against the energy sector

The PowerShell script was tracked by CERT UA as POWERGAP and was used to deploy the CaddyWiper wiper in April attacks against Ukrainian entities.

RansomBoggs encrypts files using AES-256 in CBC mode and appends the .chsch extension to the encrypted files. The key is then RSA encrypted and written to aes.bin.

In some of the variants analyzed by ESET, the RSA public key was hardcoded, while in other samples it was provided as an argument.

In October, Microsoft reported a similar campaign targeting entities in Ukraine and Poland with ransomware called Prestige and attributed the attacks to Sandworm.

ESET also shared Indicators of Compromise (IoCs) for RansomBoggs ransomware.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, RansomBoggs ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]