Russian Hacktivists Create New Somnia Ransomware

Category: Ransomware News | Industry: Manufacturing | Level: Tactical | Source: BleepingComputer

The newly created Somnia ransomware by Russian Hacktivists is targeting organizations in Ukraine however, the actors are not demanding ransom as they are only interested in disrupting businesses. The discovery is shared in an advisory made by the Computer Emergency Response Team of Ukraine (CERT-UA), who treat the malware as a data wiper as no decryptor is available/offered by the ransomware operators. The cybercriminals behind the malware are tracked as 'From Russia with Love' (FRwL) also known as 'UAC-0118' and 'Z-Team.' Like many hacktivists groups, they operate a Telegram channel to share details of the group's activities. Posts made by FRwL have included information on the progress of the Somnia ransomware encryptor and evidence of an attack against a Ukrainian tank manufacturer. To gain access into a targeted environment, FRwL operators use compromised credentials or mimic legitimate software such as "Advanced IP Scanner" to drop a malicious file onto an unsuspected user's host. During the post-compromise stage, FRwL operators have used AnyDesk, Cobalt Strike, Ngrok, Netscan, and Rclone. At this moment, CERT-UA has not observed any successful encryptions from Somnia ransomware, although CERT-UA still advises vigilance against FRwL operators. As even prior to the creation of the group’s ransomware, they have been actively targeting Ukrainian organizations with the aid of Initial Access Brokers throughout 2022.

Anvilogic Use Cases:

• AnyDesk Execution from Suspicious Folder
• AnyDesk Command Line Execution
• Ngrok Download Files

‍