Russian hackers attack with the Somnia Ransomware
In the latest wave of attacks by Russian hackers, several organizations in Ukraine were infected with a new type of ransomware called Somnia. The new ransomware encrypts systems in an attempt to crash them. Unlike other types of ransomware, Somnia does not include a ransom note.
Specialists from the Computer Emergency Response Team of Ukraine (CERT-UA) confirmed in an official statement that the malicious campaign was carried out by the From Russia with Love (FRwL) hacker group.
This is reported by SOFTICO, the official distributor of Bitdefender in Ukraine, which offers free assistance.
The said cybercriminal group, also known as Z-Team and tracked as UAC-0118, claimed previous attacks on Ukrainian tank manufacturers and identified themselves as the developers of the Somnia program in a Telegram group.
An investigation conducted by CERT-UA showed that the attack began with the victim downloading and running a file posing as the software “Advanced IP Scanner”, which actually contained the Vidar infostealer. This malware steals Telegram session data, which, in the absence of two-factor authentication and a passcode, allows attackers to gain access to the victim’s account.
As was established, the attackers needed the Telegram account in order to steal VPN connection data (including certificates and authentication data). Having gained remote access to the organization’s computer network through the VPN, they conducted reconnaissance (using Netscan), launched a Cobalt Strike beacon and stole valuable data using Rclone. There are also signs that Anydesk and Ngrok were launched.
Specialists noted that Somnia has been modified: the first version of the program used the symmetric 3DES algorithm, while the second version implements AES. Given that the key and the initialization vector are generated dynamically, CERT-UA assumes that this version of the malware does not provide for data decryption.
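As an added illustration (not code from the article or from CERT-UA), the chain described above can be turned into a simple host-level correlation: each process-creation event is mapped to a stage of the intrusion (the fake “Advanced IP Scanner” lure run from a download location, Netscan reconnaissance, Anydesk/Ngrok remote access, Rclone exfiltration), and a host is flagged only when several stages appear together, since each tool is unremarkable on its own. Host names, users, paths and command lines below are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed process-creation events: (host, user, image path, command line).
# These are made-up lines for illustration, not logs from the CERT-UA investigation.
SAMPLE_EVENTS = [
    ("WS-07", "olena", r"C:\Users\olena\Downloads\Advanced_IP_Scanner_2.5.exe", ""),
    ("WS-07", "olena", r"C:\Users\olena\AppData\Local\Temp\netscan.exe", "netscan.exe 10.0.0.0/24"),
    ("WS-07", "olena", r"C:\ProgramData\rclone.exe", r"rclone copy C:\Shares\Finance mega:backup -q"),
    ("WS-07", "olena", r"C:\ProgramData\ngrok.exe", "ngrok tcp 3389"),
    ("WS-12", "taras", r"C:\Program Files\Advanced IP Scanner\advanced_ip_scanner.exe", ""),
    ("WS-12", "taras", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

# Stages of the chain described in the article, each keyed by a pattern matched
# against image path plus command line. The "lure" stage only fires when the
# scanner binary runs from a Downloads or Temp folder, not from its install path.
STAGES = {
    "lure":          re.compile(r"\\(Downloads|Temp)\\.*advanced[_ ]?ip[_ ]?scanner", re.I),
    "recon":         re.compile(r"netscan", re.I),
    "remote_access": re.compile(r"anydesk|ngrok", re.I),
    "exfil":         re.compile(r"rclone(\.exe)?\s+(copy|sync|move)\s", re.I),
}

def classify(image, cmdline):
    """Return the set of chain stages a single event matches (possibly empty)."""
    text = f"{image} {cmdline}"
    return {name for name, pat in STAGES.items() if pat.search(text)}

def stages_per_host(events):
    """Aggregate the distinct stages observed on each host."""
    seen = defaultdict(set)
    for host, _user, image, cmdline in events:
        seen[host] |= classify(image, cmdline)
    return dict(seen)

def flag_hosts(events, min_stages=2):
    """Hosts on which at least min_stages distinct stages of the chain were seen."""
    return sorted(h for h, s in stages_per_host(events).items() if len(s) >= min_stages)

if __name__ == "__main__":
    for host, stages in stages_per_host(SAMPLE_EVENTS).items():
        print(host, sorted(stages))
    print("flagged:", flag_hosts(SAMPLE_EVENTS))
```

In the sample data only WS-07 is flagged; WS-12 runs the legitimately installed scanner and nothing else from the chain, so it stays below the threshold.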