ESET researchers spot a new ransomware campaign that goes after Ukrainian organizations and has Sandworm’s fingerprints all over it
The ESET research team has spotted a new wave of ransomware attacks taking aim at multiple organizations in Ukraine and bearing the hallmarks of other campaigns previously unleashed by the Sandworm APT group.
Even though the ransomware – called RansomBoggs by ESET and written in the .NET framework – is new, particularly the way it is deployed bears close resemblance to some past attacks attributed to the notorious threat actor.
ESET has alerted Ukraine’s Computer Emergency Response Team (CERT-UA) about the RansomBoggs onslaughts, which were first detected on November 21st. Depending on the variant, RansomBoggs is detected by ESET products as MSIL/Filecoder.Sullivan.A and MSIL/Filecoder.RansomBoggs.A.
RansomBoggs at a glance
RansomBoggs ransom note
In the ransom note seen above (SullivanDecryptsYourFiles.txt), the authors of RansomBoggs make multiple references to the Monsters Inc. movie, including by impersonating James P. Sullivan, the movie’s main protagonist.
Once unleashed, the new ransomware “generates a random key and encrypts files using AES-256 in CBC mode” – not the AES key length of 128 bits mentioned in the ransom note. It then appends the .chsch extension to the encrypted files.
“The key is then RSA encrypted and written to aes.bin,” said ESET researchers. Depending on the variant, the RSA public key is either hardcoded in the malware sample itself or provided as argument.
There are similarities with previous attacks conducted by #Sandworm: a PowerShell script used to distribute the .NET ransomware from the domain controller is almost identical to the one seen last April during the #Industroyer2 attacks against the energy sector. 4/9 pic.twitter.com/fdh6A2FCXk
— ESET research (@ESETresearch) November 25, 2022
As for similarities with other onslaughts by Sandworm, the PowerShell script used to distribute RansomBoggs from the domain controller is almost identical to the one used in Industroyer2 attacks against Ukraine’s energy sector in April of this year. The same script was used to deliver data-wiping malware called CaddyWiper that leveraged the ArguePatch loader and hit several dozen systems in a limited number of organizations in Ukraine in March.
Ukraine under fire
Sandworm has a long track record of being behind some of the world’s most disruptive cyberattacks of the past near-decade. It last entered the spotlight just weeks ago after it was fingered by Microsoft as being behind ransomware called “Prestige” that hit several logistics companies in Ukraine and Poland in early October.
The aforementioned attacks do by no means give the full picture of the various threats that high-profile Ukrainian organizations have had to weather this year alone. For example, back on February 23rd, just hours before Russia invaded Ukraine, ESET telemetry picked up HermeticWiper on the networks of several Ukrainian organizations. The next day, a second destructive attack against a Ukrainian governmental network started, this time delivering IsaacWiper.
Indeed, Ukraine has been on the receiving end of a number of highly disruptive cyberattacks by Sandworm since at least 2014, including BlackEnergy, GreyEnergy and the first iteration of Industroyer. The group was also behind the NotPetya attack that swept through many corporate networks in Ukraine in June 2017 before spreading like wildfire globally and wreaking havoc in many organizations worldwide.
