An infamous Russian state-backed APT group could be driving a new wave of ransomware attacks against Ukrainian targets, according to researchers at ESET.
The security vendor claimed in a series of tweets that it alerted the Ukrainian Computer Emergency Response Team (CERT-UA) about the RansomBoggs variant it found targeting a number of local organizations.
The .NET malware is new, but deployed in a similar fashion to earlier campaigns linked to the Russian military intelligence (GRU) Sandworm group, it claimed.
There are seemingly numerous references to the Pixar movie Monsters, Inc. in the malware.
“The ransom note (SullivanDecryptsYourFiles.txt) shows the authors impersonate James P. Sullivan, the main character of the movie, whose job is to scare children. The executable file is also named Sullivan.exe and references are present in the code as well,” ESET explained.
“There are similarities with previous attacks conducted by Sandworm: a PowerShell script used to distribute the .NET ransomware from the domain controller is almost identical to the one observed last April during the Industroyer2 attacks against the energy sector.”
That script has been dubbed “PowerGap” by CERT-UA and was also used to deploy the destructive CaddyWiper malware alongside Industroyer2 at the time, using the ArguePatch loader.
“RansomBoggs generates a random key and encrypts files using AES-256 in CBC mode (not AES-128 like stated in the ransom note), and appends the .chsch file extension. The key is then RSA encrypted and written to aes.bin,” ESET continued.
“Depending on the malware variant, the RSA public key can either be hardcoded in the malware sample itself or provided as argument.”
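The artifacts ESET names above (the .chsch extension on encrypted files, the RSA-wrapped key dropped as aes.bin, and the SullivanDecryptsYourFiles.txt note) are what an incident responder would first sweep for when scoping an infection. The following triage script is an added example written for this article, not code from ESET or CERT-UA; it walks a directory tree, counts encrypted files per directory, and records where any aes.bin and ransom-note files sit. The directory layout it builds is constructed for demonstration, and the file contents are placeholders, not real samples. Preserving every aes.bin matters because the wrapped AES key is the only path to recovery should the corresponding RSA private key ever become available.

```python
import os
import tempfile
from collections import Counter

# Artifact names as described by ESET in the article above.
ENCRYPTED_EXT = ".chsch"
WRAPPED_KEY_NAME = "aes.bin"
RANSOM_NOTE_NAME = "SullivanDecryptsYourFiles.txt"


def triage(root):
    """Walk a directory tree and summarize RansomBoggs-style artifacts.

    Returns a dict with the total number of .chsch files, a per-directory
    count (useful for scoping which shares or hosts were hit), the relative
    paths of any aes.bin files (the RSA-wrapped AES key) and the relative
    paths of any ransom notes. Paths use '/' regardless of platform.
    """
    result = {
        "encrypted_files": 0,
        "per_directory": Counter(),
        "wrapped_keys": [],
        "ransom_notes": [],
    }
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        for name in files:
            rel_path = f"{rel_dir}/{name}" if rel_dir != "." else name
            lowered = name.lower()
            if lowered.endswith(ENCRYPTED_EXT):
                result["encrypted_files"] += 1
                result["per_directory"][rel_dir] += 1
            elif lowered == WRAPPED_KEY_NAME.lower():
                result["wrapped_keys"].append(rel_path)
            elif lowered == RANSOM_NOTE_NAME.lower():
                result["ransom_notes"].append(rel_path)
    result["per_directory"] = dict(result["per_directory"])
    return result


def build_sample_tree(base):
    """Create a constructed directory layout for the demo (placeholder data only)."""
    layout = {
        "finance/q3.xlsx.chsch": b"\x00" * 64,
        "finance/budget.docx.chsch": b"\x00" * 64,
        "finance/aes.bin": b"\x00" * 32,  # placeholder, not a real wrapped key
        "finance/SullivanDecryptsYourFiles.txt": b"constructed note\n",
        "hr/readme.txt": b"untouched file\n",
        "hr/staff.csv.chsch": b"\x00" * 64,
        "hr/SullivanDecryptsYourFiles.txt": b"constructed note\n",
    }
    for rel, data in layout.items():
        full = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


def demo():
    """Build the sample tree in a temporary directory, triage it, return the summary."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage(tmp)


if __name__ == "__main__":
    summary = demo()
    print(f"{summary['encrypted_files']} encrypted files")
    for directory, count in sorted(summary["per_directory"].items()):
        print(f"  {directory}: {count}")
    print("wrapped keys:", summary["wrapped_keys"])
    print("ransom notes:", sorted(summary["ransom_notes"]))
```

Run it against a real mount point by calling `triage("/path/to/share")` instead of `demo()`; the per-directory counts give a quick picture of how far encryption progressed before the process was stopped.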
The vendor also claimed the operation has similarities to a separate ransomware campaign launched last month against Ukrainian and Polish logistics companies using the “Prestige” variant.
“The Prestige campaign may highlight a calculated shift in IRIDIUM’s destructive attack calculus, signaling elevated risk to organizations directly supplying or transporting humanitarian or military assistance to Ukraine,” Microsoft wrote at the time.
“More broadly, it may represent an elevated risk to organizations in Eastern Europe that may be considered by the Russian state to be providing support relating to the war.”