Saturday, November 26, 2022

Russia-based RansomBoggs Ransomware Targeted Several Ukrainian Organizations


Ukraine has come under a fresh onslaught of ransomware attacks that mirror previous intrusions attributed to the Russia-based Sandworm nation-state group.

Slovak cybersecurity company ESET, which dubbed the new ransomware strain RansomBoggs, said the attacks against several Ukrainian entities were first detected on November 21, 2022.

“Whereas the malware written in .NET is new, its deployment is much like earlier assaults attributed to Sandworm,” the company said in a series of tweets Friday.

The development comes as the Sandworm actor, tracked by Microsoft as Iridium, was implicated in a set of attacks aimed at transportation and logistics sectors in Ukraine and Poland with another ransomware strain called Prestige in October 2022.

The RansomBoggs activity is said to use a PowerShell script to distribute the ransomware, with the script “nearly similar” to the one used in the Industroyer2 malware attacks that came to light in April.


According to the Computer Emergency Response Team of Ukraine (CERT-UA), the PowerShell script, named POWERGAP, was leveraged to deploy a data wiper malware called CaddyWiper using a loader dubbed ArguePatch (aka AprilAxe).

ESET’s analysis of the new ransomware shows that it generates a random key, encrypts files using AES-256 in CBC mode, and appends the “.chsch” file extension.
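A triage sketch for the file-extension indicator above, added here as an example and not taken from ESET or from this article: it lists files carrying the `.chsch` extension and uses byte entropy to separate likely-encrypted files from ones that were only renamed. The 7.5 bits/byte threshold, the 64 KiB sample size, the function names and the sample files are assumptions constructed for illustration.

```python
import math
import os
from collections import Counter
from pathlib import Path

EXTENSION = ".chsch"      # extension the article reports
ENTROPY_THRESHOLD = 7.5   # assumed cut-off (bits/byte); ciphertext sits near 8.0
SAMPLE_BYTES = 64 * 1024  # assumed: only the head of each file is sampled

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def triage(root):
    """List files under root with the reported extension, oldest change first."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(EXTENSION):
                continue
            path = Path(dirpath) / name
            try:
                with open(path, "rb") as fh:
                    sample = fh.read(SAMPLE_BYTES)
                stat = path.stat()
            except OSError:
                continue  # locked or unreadable; skip rather than abort the sweep
            entropy = shannon_entropy(sample)
            findings.append({
                "path": str(path),
                "original_name": name[: -len(EXTENSION)],  # extension is appended
                "size": stat.st_size,
                "mtime": stat.st_mtime,  # helps bound when encryption ran
                "entropy": round(entropy, 2),
                "looks_encrypted": entropy >= ENTROPY_THRESHOLD,
            })
    return sorted(findings, key=lambda f: f["mtime"])

def build_sample_tree(root):
    """Constructed sample data: random bytes stand in for AES-CBC ciphertext."""
    docs = Path(root) / "docs"
    docs.mkdir(parents=True)
    (docs / "report.docx.chsch").write_bytes(os.urandom(4096))
    (docs / "notes.txt.chsch").write_bytes(b"plain text " * 400)  # renamed only
    (docs / "budget.xlsx").write_bytes(b"untouched")
```

Call `triage()` on a mounted image or file share; the earliest `mtime` among the findings gives a starting point for the incident timeline.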

Sandworm, an elite adversarial hacking group within Russia’s GRU military intelligence agency, has a notorious track record of striking critical infrastructure over the years.

The threat actor has been linked to the NotPetya cyberattacks against hospitals and medical facilities in 2017 and the destructive attacks against the Ukrainian electrical grid in 2015 and 2016.


