RansomBoggs, a new Russia-linked ransomware family, has been detected in attacks on organizations in Ukraine. ESET researchers found it during routine threat hunting and noted that its deployment follows the same pattern previously used by the Sandworm APT group.
According to the researchers, the ransomware itself is new, even though the way it is deployed resembles earlier attacks by a known threat actor. ESET, together with Ukraine's Computer Emergency Response Team (CERT-UA), began mitigation on November 21st.
On November 21st #ESETResearch detected and alerted @_CERT_UA of a wave of ransomware we named #RansomBoggs, deployed in multiple organizations in Ukraine🇺🇦. While the malware written in .NET is new, its deployment is similar to previous attacks attributed to #Sandworm. 1/9 pic.twitter.com/WyxzCZSz84
— ESET Research (@ESETresearch) November 25, 2022
RansomBoggs Ransomware targets Ukraine energy companies
Sandworm, also tracked as BlackEnergy and TeleBots, is a well-known threat actor that has been active for well over a decade. It is attributed to Unit 74455 of the Russian GRU's Main Center for Special Technologies (GTsST). The same group is credited with the 2017 NotPetya attack, destructive malware disguised as ransomware that hit hundreds of companies and caused damage estimated in the billions of dollars.
In Q2 2022, Sandworm deployed Industroyer2, a new variant of its ICS malware, together with a new version of the CaddyWiper data wiper, against energy facilities in Ukraine. The new RansomBoggs campaign is likewise aimed at Ukrainian energy infrastructure.
Since August 2022, Recorded Future researchers have tracked the group's activity and found it impersonating telecommunications providers to target Ukrainian authorities; the RansomBoggs deployments are the latest activity attributed to the same group.
There are similarities with previous attacks conducted by #Sandworm: a PowerShell script used to distribute the .NET ransomware from the domain controller is almost identical to the one seen last April during the #Industroyer2 attacks against the energy sector. 4/9 pic.twitter.com/fdh6A2FCXk
— ESET Research (@ESETresearch) November 25, 2022
RansomBoggs ransomware technical analysis
ESET's technical analysis found that the ransomware contains several references to the Pixar film Monsters, Inc.: the ransom note is named SullivanDecryptsYourFiles.txt and is written as if by the film's character James P. Sullivan, whom the authors use as their persona.
The ransomware executable itself is named after the same character, Sullivan.<version?>.exe. For deployment, the attackers use a PowerShell script to push the ransomware to hosts across the victim's network from the domain controller; according to the researchers, this is the same practice seen in the Industroyer2 attacks on the Ukrainian energy sector in April 2022.
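The two observable traits the article reports, a ransom note named SullivanDecryptsYourFiles.txt and an executable named Sullivan.<version?>.exe, plus the PowerShell-from-the-domain-controller deployment pattern, are enough to build a first-pass hunt. The following is an added example written for this page, not code from ESET or from the malware itself: it classifies process-creation and file-creation events (Sysmon ID 1 / ID 11 style fields) and ranks hosts by how many independent rules they trip. The version token of the executable is matched loosely because the article gives it as a placeholder; the domain-controller name, file paths, script name and all sample events are constructed for the example; the remote-launch heuristic (PowerShell parented by wsmprovhost.exe, wmiprvse.exe or PSEXESVC.exe) is a general lateral-movement check, not something the article reports about RansomBoggs.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Indicators taken from the article. The ransom note name is given verbatim;
# the executable is given as Sullivan.<version?>.exe, so the version token is
# matched loosely (assumption: one or more word characters or dots).
RANSOM_NOTE = "sullivandecryptsyourfiles.txt"
SULLIVAN_EXE = re.compile(r"(?:^|[\\/])sullivan\.[\w.]+\.exe$", re.IGNORECASE)
POWERSHELL = re.compile(r"(?:^|[\\/])(?:powershell|pwsh)(?:\.exe)?$", re.IGNORECASE)
# Parents that mean PowerShell was started over WinRM, WMI or PsExec.
# General lateral-movement heuristic, not an indicator from the article.
REMOTE_PARENTS = re.compile(r"(?:^|[\\/])(?:wsmprovhost|wmiprvse|psexesvc)\.exe$", re.IGNORECASE)

# Constructed environment: domain controllers of a fictional domain. A real
# hunt would pull this list from AD rather than hard-code it.
DOMAIN_CONTROLLERS = {"DC01"}
UNC_ON_DC = re.compile(r"\\\\(" + "|".join(map(re.escape, DOMAIN_CONTROLLERS)) + r")\\", re.IGNORECASE)


@dataclass
class Event:
    host: str          # host that logged the event
    kind: str          # "process" (Sysmon ID 1) or "file" (Sysmon ID 11)
    image: str         # process image path, or created file path
    parent: str = ""   # parent process image (process events only)
    cmdline: str = ""  # full command line (process events only)


def classify(ev: Event) -> list[str]:
    """Return the names of the rules this single event trips."""
    hits: list[str] = []
    if ev.kind == "file" and ev.image.lower().endswith(RANSOM_NOTE):
        hits.append("ransom_note_dropped")
    if ev.kind == "process":
        if SULLIVAN_EXE.search(ev.image):
            hits.append("sullivan_executable")
        if POWERSHELL.search(ev.image):
            if UNC_ON_DC.search(ev.cmdline):       # script pulled from a DC share
                hits.append("powershell_script_from_dc")
            if REMOTE_PARENTS.search(ev.parent):   # launched through a remote channel
                hits.append("powershell_remote_launch")
    return hits


def hunt(events) -> dict[str, set[str]]:
    """Aggregate distinct rule hits per host; hosts that never trip a rule are omitted."""
    per_host: dict[str, set[str]] = defaultdict(set)
    for ev in events:
        for rule in classify(ev):
            per_host[ev.host].add(rule)
    return dict(per_host)


def prioritise(per_host: dict[str, set[str]]) -> list[str]:
    """Hosts ordered by number of distinct rules tripped, most suspicious first."""
    return sorted(per_host, key=lambda h: (-len(per_host[h]), h))


# Constructed sample telemetry (not real logs from the incident).
SAMPLE_EVENTS = [
    Event("WS-042", "process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent=r"C:\Windows\System32\wsmprovhost.exe",
          cmdline=r"powershell.exe -ExecutionPolicy Bypass -File \\DC01\netlogon\deploy.ps1"),
    Event("WS-042", "process", r"C:\Users\Public\Sullivan.1.0.exe",
          parent=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          cmdline=r"C:\Users\Public\Sullivan.1.0.exe"),
    Event("WS-042", "file", r"C:\Users\alice\Desktop\SullivanDecryptsYourFiles.txt"),
    # Benign admin activity on another host: should not be flagged.
    Event("WS-017", "process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent=r"C:\Windows\explorer.exe",
          cmdline=r"powershell.exe -NoProfile Get-Process"),
    Event("WS-017", "file", r"C:\Users\bob\Documents\notes.txt"),
]

if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS)
    for host in prioritise(results):
        print(host, sorted(results[host]))
```

The per-host aggregation is the point: a single PowerShell launch from a share on a domain controller is often legitimate (logon scripts live there), and a single odd filename is weak on its own, but a host that trips the deployment rule, the executable rule and the ransom-note rule together is the one to isolate first. Feed it a CSV or JSON export of Sysmon or EDR events by building Event objects from the rows.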