
Russian Hackers Hit Ukrainian Organisations with New Somnia Ransomware

A new ransomware strain named “Somnia” has been used by Russian hackers to encrypt the systems of several Ukrainian organisations. The attack campaign, intended to compromise Ukrainian organisations and permanently encrypt their files, was discovered by Ukraine’s Computer Emergency Response Team (CERT-UA).

The threat group “From Russia with Love” (FRwL), also known as the “Z-Team”, is said to be behind the ransomware attacks, according to CERT-UA. In a Telegram post, the Russian hackers claimed responsibility for the Somnia ransomware and even provided evidence of having carried out cyberattacks against Ukrainian tank makers.

[Image: FRwL Telegram posts about Somnia (BleepingComputer)]

Somnia Attack Details

In a statement published by CERT-UA, the agency said that FRwL tricked employees of Ukrainian companies into downloading software from fake websites impersonating the “Advanced IP Scanner” tool.

Once the installer was run, it deployed the Vidar stealer, which harvests the victim’s Telegram session data so the attackers can take over the account.

[Image: FRwL uses a fake website (CERT-UA)]

According to CERT-UA, the threat actors then used the hijacked Telegram account to collect the victim’s VPN connection details (authentication data and certificates). If the VPN account is not protected by two-factor authentication, the hackers use it to gain unauthorised access to the network of the victim’s employer.

The Russian hackers also deployed a Cobalt Strike beacon, stole data, and carried out a range of remote access and monitoring operations using Netscan, Rclone, AnyDesk, and Ngrok.

According to CERT-UA, FRwL has launched many attacks against systems belonging to Ukrainian companies since the spring of 2022 with the help of initial access brokers. The agency further warns that while Somnia initially used the symmetric 3DES algorithm, the most recent samples used in these attacks rely on AES.

Somnia also targets a wide variety of files, including databases, archives, images, and videos. Somnia is effectively a data wiper rather than typical ransomware: the developers of the malware are more interested in disrupting the target’s operations than in collecting money, so they do not offer victims a working decryptor in return for a ransom. The file extensions that Somnia targets are listed below and illustrate the damage this outbreak intends to do.

[Image: file extensions targeted by Somnia ransomware (CERT-UA)]

When it encrypts a file, the ransomware appends the “.somnia” extension to the file name.
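As an added incident-response triage example (not code from CERT-UA or this article), the script below walks a directory tree, picks out files carrying the appended “.somnia” suffix, recovers the original extension so responders can see which file types were hit, and checks the content entropy to distinguish genuinely encrypted files from ones that were merely renamed. The sample tree it builds is constructed data, not real victim files.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

SOMNIA_SUFFIX = ".somnia"  # suffix the article reports Somnia appends to encrypted files

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or random data, far lower for plain text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage_somnia(root: str, sample_bytes: int = 4096, min_entropy: float = 7.0) -> dict:
    """Walk `root`, find files carrying the .somnia suffix, recover the original extension
    and check that the content actually looks encrypted (high entropy).
    Returns counts per original extension plus any renamed-but-low-entropy files."""
    by_ext: Counter = Counter()
    low_entropy: list = []
    for path in Path(root).rglob("*" + SOMNIA_SUFFIX):
        if not path.is_file():
            continue
        original = path.name[: -len(SOMNIA_SUFFIX)]  # strip the appended suffix
        orig_ext = Path(original).suffix.lower() or "(none)"
        with open(path, "rb") as fh:
            head = fh.read(sample_bytes)
        if shannon_entropy(head) < min_entropy:
            low_entropy.append(str(path))  # renamed but not encrypted: worth a closer look
        by_ext[orig_ext] += 1
    return {"by_extension": dict(by_ext), "low_entropy": low_entropy}

def build_sample_tree() -> str:
    """Constructed sample data so the script runs stand-alone (not real victim files)."""
    root = tempfile.mkdtemp(prefix="somnia_triage_")
    Path(root, "db").mkdir()
    Path(root, "db", "orders.sql.somnia").write_bytes(os.urandom(8192))
    Path(root, "photo.jpg.somnia").write_bytes(os.urandom(8192))
    Path(root, "archive.zip.somnia").write_bytes(os.urandom(8192))
    Path(root, "notes.txt.somnia").write_bytes(b"plain text, not encrypted\n" * 200)
    Path(root, "untouched.docx").write_bytes(os.urandom(1024))  # no suffix, must be ignored
    return root

if __name__ == "__main__":
    print(triage_somnia(build_sample_tree()))
```

The per-extension counts can be compared against the CERT-UA list of targeted extensions to confirm the sample matches the reported behaviour.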

According to Microsoft’s Threat Intelligence Center (MSTIC), Ukraine and Poland were also the target of a HermeticWiper ransomware attack in February. As Russia steps up its cyber activity, Ukraine’s cybersecurity agency is monitoring the possible consequences of these ransomware attacks.

