ESET specialists informed CERT-UA about RansomBoggs attacks, which were first detected on November 21, 2022.
ESET, a leader in information security, warns of a new wave of RansomBoggs ransomware targeting organizations in Ukraine. The malware is distributed via Active Directory Group Policy, which requires attackers to gain domain administrator privileges.
Although the malware itself is new, its deployment is similar to previous attacks by the Sandworm group, which has repeatedly targeted Ukrainian users.
Depending on the version, ESET products detect the RansomBoggs malware as MSIL/Filecoder.Sullivan.A and MSIL/Filecoder.RansomBoggs.A.
RansomBoggs Ransomware Brief Overview
The attackers repeatedly refer to Pixar’s 2001 movie Monsters Inc. In the ransom note (SullivanDecryptsYourFiles.txt), they claim to be James Sullivan, the main character of the film, whose job it is to scare children. The executable is also named “Sullivan”.
The ransomware, written in .NET, bears similarities to previous Sandworm attacks. Specifically, the PowerShell script used to distribute the ransomware from the domain controller is nearly identical to the one discovered in April during the Industroyer2 attacks on the energy sector.
That PowerShell script, which CERT-UA named POWERGAP, was used at the time to deploy the CaddyWiper data-destroying malware by means of the ArguePatch loader.
RansomBoggs generates a random key and encrypts files using AES-256 in CBC mode (not AES-128, as the ransom note claims), appending a .chsch extension to each encrypted file. The AES key is then encrypted with RSA and written to a file named aes.bin.
Depending on the version of the malware, the RSA public key is either hard-coded in the sample or supplied as a command-line argument.
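For responders sweeping a file share after such an incident, the artefacts named above (the .chsch extension, the aes.bin key file and the SullivanDecryptsYourFiles.txt note) are enough for a first triage pass. The following is an added example, not ESET's or CERT-UA's code; the directory layout it builds is constructed test data.

```python
# Added triage example (not ESET's or CERT-UA's code): sweep a directory tree
# for the RansomBoggs artefacts the write-up names and summarise the hits.
import os
import tempfile

CHSCH_EXT = ".chsch"                        # extension appended to encrypted files
KEY_FILE = "aes.bin"                        # RSA-encrypted AES key dropped by the malware
RANSOM_NOTE = "SullivanDecryptsYourFiles.txt"


def scan_for_ransomboggs(root):
    """Walk `root`; count encrypted files, key files and ransom notes, and list
    (relative to root) every directory that holds at least one indicator."""
    summary = {"encrypted_files": 0, "key_files": 0, "ransom_notes": 0,
               "affected_dirs": []}
    for dirpath, _dirs, filenames in os.walk(root):
        hit = False
        for name in filenames:
            lower = name.lower()
            if lower.endswith(CHSCH_EXT):
                summary["encrypted_files"] += 1
            elif lower == KEY_FILE:
                summary["key_files"] += 1
            elif lower == RANSOM_NOTE.lower():
                summary["ransom_notes"] += 1
            else:
                continue
            hit = True
        if hit:
            summary["affected_dirs"].append(os.path.relpath(dirpath, root))
    summary["affected_dirs"].sort()
    return summary


def build_sample_tree():
    """Create a throwaway tree that mimics an affected share (constructed test
    data, not a real sample) and return its root path."""
    root = tempfile.mkdtemp(prefix="ransomboggs_demo_")
    layout = {"finance": ["report.xlsx.chsch", "budget.docx.chsch", RANSOM_NOTE],
              "hr": ["contracts.pdf.chsch", RANSOM_NOTE],
              "it": ["readme.txt"],            # clean directory, must not be listed
              ".": [KEY_FILE]}                 # key file at the share root
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        for name in names:
            with open(os.path.join(root, sub, name), "wb") as fh:
                fh.write(b"constructed placeholder content")
    return root
```

Running `scan_for_ransomboggs(build_sample_tree())` on the constructed tree reports three encrypted files, one key file, two ransom notes and the directories ".", "finance" and "hr" as affected; point it at a real share root to get the same summary for an incident.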
Ukraine is constantly under the threat of cyberattacks
Sandworm was last in the spotlight a few weeks ago, when Microsoft discovered the Prestige ransomware, which the group used in early October to attack several logistics companies in Ukraine and Poland.
These attacks are one of the many threats that Ukrainian organizations have had to face this year alone. For example, on February 23, 2022, a few hours before the Russian invasion of Ukraine, ESET telemetry detected HermeticWiper in the networks of several Ukrainian organizations. The next day, a second devastating attack on the Ukrainian government network began, this time with the help of IsaacWiper.
Indeed, since at least 2014, Ukraine has experienced a series of devastating cyberattacks by the Sandworm group, including BlackEnergy, GreyEnergy, and the first version of Industroyer. The group is also responsible for NotPetya, which infiltrated the corporate networks of many companies in Ukraine in 2017 and then spread around the world, wreaking havoc on many organizations.
Given the danger of further attacks on Ukrainian users, ESET experts recommend observing the basic rules of cyber security, in particular updating software and operating systems in a timely manner and running an up-to-date version of a security solution.
ESET researchers continue to monitor the situation in cyberspace in order to protect organizations and respond to cyber security incidents in a timely manner. If malicious activity is detected in their own IT systems, Ukrainian users of ESET products can contact the 24-hour technical support service by phone at +380 44 545 77 26 or by e-mail at support@eset.ua.
About the company:
ESET is an expert in protection against cybercrime and digital threats, an international developer of IT security solutions and a leading supplier of threat detection technologies. Founded in 1992, ESET today has an extensive partner network and representative offices in more than 180 countries around the world. The company’s head office is located in Bratislava, Slovakia.