Russia-Linked Sandworm Continues Launching Attacks

A new strain of ransomware linked to the Russian-affiliated threat group Sandworm is targeting Ukrainian entities. Cybersecurity company ESET dubbed the new ransomware strain RansomBoggs. According to ESET, attacks against several Ukrainian organizations were detected on November 21, 2022. ESET posted the news on Twitter, noting that the malware's deployment was comparable to other Sandworm attacks. “While the malware written in .NET is new, its deployment is similar to previous attacks attributed to Sandworm,” stated ESET.

Cybercriminals made references to the popular 2001 animated movie Monsters Inc. and started the ransomware note with “Dear human life forms! This is James P. Sullivan, an employee of Monsters Inc. Recently our company has experienced great financial problems, and we require some cash to move on…” The ransom note is a typical notification about illegal data encryption and includes contact details to start negotiations. “I am extremely sorry for the inconvenience, but I am currently encrypting your documents using AES-128. This key is encrypted using RSA public key. Please, DO NOT WORRY! I have a decrypting functionality too,” reads the note.

Analyst Notes

According to ESET, the most recent cyberattacks share indicators with attacks launched by Sandworm previously, including the use of a PowerShell script to distribute the ransomware that is “almost identical to the one seen last April during the Industroyer2 attacks against the energy sector.” That PowerShell script, tracked as PowerGap by Ukrainian cyber authorities, was used to deploy the CaddyWiper malware against Ukrainian infrastructure in April 2022, shortly after the Russian invasion.