Russia-Backed Sandworm Group Using RansomBoggs Ransomware To Prey On Ukrainian Organizations

The PowerShell script used by the RansomBoggs operation to distribute the ransomware is very similar to the one used in the Industroyer2 malware attacks against Ukraine‘s energy industry in April this year.


A novel strain of ransomware known as RansomBoggs is being used by the Russian state-sponsored threat operation Sandworm in a new wave of attacks hitting Ukrainian organizations.

These attacks were first noticed on November 21, 2022, according to the Slovak cybersecurity firm ESET, which said it has informed the Computer Emergency Response Team (CERT-UA) of Ukraine about the ongoing RansomBoggs attacks.

On November 21st #ESETResearch detected and alerted @_CERT_UA of a wave of ransomware we named #RansomBoggs, deployed in multiple organizations in Ukraine🇺🇦. While the malware written in .NET is new, its deployment is similar to previous attacks attributed to #Sandworm. 1/9 pic.twitter.com/WyxzCZSz84

— ESET Research (@ESETresearch) November 25, 2022

While the RansomBoggs malware, written in .NET, is new, its deployment is similar to past attacks that were linked to Sandworm, the researchers said.


In the ransom note (SullivanDecryptsYourFiles.txt), RansomBoggs developers make multiple references to the film Monsters Inc., including impersonating James P. Sullivan, the main protagonist of the movie.

The operators address their ransom note to “Dear human life form!” and name themselves as “James P. Sullivan, an employee of Monsters Inc.”

Once activated, the new ransomware creates a random key and uses AES-256 in CBC mode to encrypt data. The encrypted files are subsequently given the .chsch extension.

“The key is then RSA encrypted and written to aes.bin,” the researchers said.

The RSA public key is either hardcoded in the malware sample itself or supplied as an argument, depending on the variant.
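The hybrid scheme described above (a random AES-256 key used in CBC mode, that key RSA-wrapped into aes.bin, encrypted files renamed with the .chsch extension) modelled as an added Go example. This is illustrative code written for this page, not RansomBoggs source or ESET's analysis: the IV placement, the use of OAEP/SHA-256 for the RSA step, one key per file, and the helper name newOperatorKey are assumptions the article does not confirm, and the sample plaintext is constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

const chschExt = ".chsch" // extension the article says encrypted files are given

// newOperatorKey stands in for the attacker's RSA key pair; only the public half is ever on the victim.
func newOperatorKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// pkcs7Pad pads to the AES block size; CBC only processes whole blocks.
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips the padding and rejects a malformed trailer.
func pkcs7Unpad(b []byte) ([]byte, error) {
	n := 0
	if len(b) > 0 {
		n = int(b[len(b)-1])
	}
	if n == 0 || n > aes.BlockSize || n > len(b) || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad PKCS#7 padding")
	}
	return b[:len(b)-n], nil
}

// encryptCBC runs AES-256-CBC under key; the random IV is prepended to the output (an assumption).
func encryptCBC(key, plain []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plain)
	out := make([]byte, aes.BlockSize+len(padded))
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	return out, nil
}

// decryptCBC reverses encryptCBC once the AES key has been recovered.
func decryptCBC(key, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ct) < 2*aes.BlockSize || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext too short or misaligned")
	}
	plain := make([]byte, len(ct)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, ct[:aes.BlockSize]).CryptBlocks(plain, ct[aes.BlockSize:])
	return pkcs7Unpad(plain)
}

// Encrypt models one file: fresh random 256-bit key, AES-256-CBC, key RSA-wrapped into aes.bin.
// The page says only "RSA encrypted"; OAEP/SHA-256 and one key per file are assumptions.
func Encrypt(pub *rsa.PublicKey, name string, plain []byte) (newName string, ct, aesBin []byte, err error) {
	key := make([]byte, 32)
	if _, err = rand.Read(key); err != nil {
		return "", nil, nil, err
	}
	if ct, err = encryptCBC(key, plain); err != nil {
		return "", nil, nil, err
	}
	if aesBin, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil); err != nil {
		return "", nil, nil, err
	}
	return name + chschExt, ct, aesBin, nil
}

// Recover is the operator's side: only the RSA private key unwraps aes.bin.
func Recover(priv *rsa.PrivateKey, ct, aesBin []byte) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, aesBin, nil)
	if err != nil {
		return nil, err
	}
	return decryptCBC(key, ct)
}

func main() {
	priv, _ := newOperatorKey()
	name, ct, aesBin, _ := Encrypt(&priv.PublicKey, "report.docx", []byte("constructed sample plaintext"))
	plain, err := Recover(priv, ct, aesBin)
	fmt.Println(name, len(ct), len(aesBin), string(plain), err)
}
```

The point for a responder is in Recover: everything left on the victim (the .chsch ciphertext, aes.bin, and the RSA public key, whether hardcoded or passed on the command line) is useless for decryption without the operator's private key, and a wrong private key fails the OAEP integrity check rather than producing garbage. The per-run AES key exists only in the ransomware process's memory while it runs, so a memory capture taken before the process exits or the host reboots is the one realistic recovery avenue; a public key supplied as an argument is still worth collecting from process-creation telemetry for clustering samples, not for decryption.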

The PowerShell script used by the RansomBoggs operation to distribute the ransomware is nearly identical to the one used in the Industroyer2 malware attacks against Ukraine‘s energy industry in April this year. The same script was also used in March to deliver the data-wiping CaddyWiper malware, via the ArguePatch loader, against systems in a small number of Ukrainian organizations.

The Sandworm hacking group (also known as Voodoo Bear, BlackEnergy, and TeleBots) is thought to be part of a Russian military unit responsible for numerous operations against Ukrainian organizations in the energy, media, banking and other sectors.

The group is also blamed by Western prosecutors for the 2017 NotPetya wiper malware, which caused more than $10 billion of damage worldwide by wiping data from entire networks belonging to organizations doing business in Ukraine.

In February, researchers discovered HermeticWiper on the networks of many Ukrainian organizations, just hours before Russia invaded Ukraine. The next day, IsaacWiper was delivered as part of a second devastating attack on a government network in Ukraine.

In April, the US government offered a reward of $10 million for information leading to the arrest of six Russian GRU officers associated with Sandworm. The Russians were accused of plotting to carry out cyber operations against key infrastructure in the United States.

Last month, Microsoft said Sandworm was behind a malware campaign detected by the company. The operation included the use of the Prestige ransomware against the Ukrainian and Polish logistics and transportation sectors.

According to Microsoft, the Prestige campaign suggested that the group may have changed its “destructive attack calculus,” signalling a heightened threat to entities directly delivering or transporting humanitarian or military aid to Ukraine.

“More broadly, it may represent an increased risk to organizations in Eastern Europe that may be considered by the Russian state to be providing support relating to the war,” it added.

This article originally appeared on CRN’s sister site, Computing.