
Iridium/Sandworm APT – New Sandworm ransomware strain named RansomBoggs

Updated on 2022-12-06

Microsoft warned of Russian cyberattacks targeting NATO allies and Ukrainian infrastructure throughout the winter, especially by the Sandworm APT group. Read more: Microsoft warns of Russian cyberattacks throughout the winter

Updated on 2022-11-30: Sandworm Threat Actors are Launching Ransomware Attacks Against Organizations in Ukraine

Researchers from ESET say that the threat actor group known as Sandworm is launching ransomware attacks against organizations in Ukraine. They appear to be using ransomware ESET is calling RansomBoggs, which is written in .NET. ESET has notified Ukraine’s Computer Emergency Response Team (CERT-UA) of their findings.


  • The RansomBoggs ransomware is Monsters, Inc. (Disney, 2001) themed, and while its ransom note claims it uses AES-128 encryption, it actually encrypts files with AES-256 and appends the .chsch extension to those files. The AES key is stored in a file called aes.bin, protected with an RSA public key that is either passed to the ransomware as an argument or hard-coded in it. The ransomware is written in .NET and distributed via a PowerShell script. The primary purpose of this attack appears to be disruption rather than extorting money; even so, make sure your users are trained to be cautious with unknown attachments and scripts that come bearing gifts. Check with your EDR provider for detection capabilities.
  • For more on the Sandworm threat actor, I highly recommend Andy Greenberg’s book, Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers.
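The bullet above names two file-system artefacts of RansomBoggs: the .chsch extension appended to encrypted files and the aes.bin file holding the RSA-wrapped AES key. The following hunt script, added here as an example and not code from ESET or from the post author, walks a directory tree and flags both indicators so a responder can triage a share quickly. The sample tree it builds, the function names and the "any hit is suspicious" threshold are assumptions, not details from the ESET write-up.

```python
"""Hunt for the RansomBoggs file-system indicators named in the ESET write-up.

Added example, not ESET's or the post author's code. It relies only on the two
artefacts the post names: the ".chsch" extension appended to encrypted files and
the "aes.bin" file the ransomware writes its AES key into. The sample tree,
function names and alert threshold below are assumptions for illustration.
"""
import os
import tempfile
from dataclasses import dataclass, field

ENCRYPTED_EXT = ".chsch"   # extension RansomBoggs appends to encrypted files (from the post)
KEY_FILE_NAME = "aes.bin"  # file holding the RSA-wrapped AES key (from the post)


@dataclass
class HuntResult:
    """Paths matching each indicator, collected from one directory walk."""
    encrypted_files: list = field(default_factory=list)
    key_files: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Assumption: a single key-drop file or a single .chsch file is worth an
        # alert, since neither name occurs in normal use; tune to your environment.
        return bool(self.key_files) or bool(self.encrypted_files)

    def hits_by_directory(self) -> dict:
        """Count encrypted files per directory, which helps find where encryption started."""
        counts: dict = {}
        for path in self.encrypted_files:
            directory = os.path.dirname(path)
            counts[directory] = counts.get(directory, 0) + 1
        return counts


def hunt(root: str) -> HuntResult:
    """Walk `root` and collect every path that matches either indicator (case-insensitive)."""
    result = HuntResult()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            lowered = name.lower()
            if lowered == KEY_FILE_NAME:
                result.key_files.append(path)
            elif lowered.endswith(ENCRYPTED_EXT):
                result.encrypted_files.append(path)
    return result


def build_sample_tree() -> str:
    """Constructed sample: a temp directory mimicking a partially encrypted file share."""
    root = tempfile.mkdtemp(prefix="ransomboggs_hunt_")
    docs = os.path.join(root, "docs")
    os.makedirs(docs)
    samples = [
        ("budget.xlsx.chsch", b"\x00" * 64),   # "encrypted" file, constructed
        ("report.docx.CHSCH", b"\x00" * 64),   # uppercase extension, still a hit
        ("readme.txt", b"clean file"),         # untouched file
        ("aes.bin", b"\x01" * 256),            # constructed stand-in for the key blob
    ]
    for fname, payload in samples:
        with open(os.path.join(docs, fname), "wb") as fh:
            fh.write(payload)
    return root


def build_clean_tree() -> str:
    """Constructed sample with no indicators, for checking the negative case."""
    root = tempfile.mkdtemp(prefix="ransomboggs_clean_")
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"nothing to see here")
    return root


if __name__ == "__main__":
    result = hunt(build_sample_tree())
    print(f"suspicious={result.suspicious} "
          f"encrypted={len(result.encrypted_files)} key_files={len(result.key_files)}")
    for directory, count in result.hits_by_directory().items():
        print(f"  {count} encrypted file(s) in {directory}")
```

Point `hunt()` at a mounted share or a forensic image mount rather than the sample tree to use it for real; the per-directory counts are the first thing to look at, because the directory with the earliest hits usually shows where the PowerShell stage ran.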


Updated on 2022-11-29

ESET has a short blog post on RansomBoggs, a new ransomware strain deployed last week in Ukraine, which the company linked to Sandworm, a cyber-espionage group tied to Russia’s military intelligence services. ESET spotted and warned about this new ransomware last Friday. Read more: RansomBoggs: New ransomware targeting Ukraine

Updated on 2022-11-28

ESET researchers connected the Russian Sandworm APT group to a new ransomware, dubbed RansomBoggs, that has been targeting Ukrainian entities. Read more: New ransomware attacks in Ukraine linked to Russian Sandworm hackers

Updated on 2022-11-27: New Sandworm ransomware

ESET has discovered a new ransomware strain named RansomBoggs that was deployed against Ukrainian organizations last week. ESET said it linked the ransomware to a threat actor known as Sandworm, one of Russia’s military cyber units. Researchers said they found links between RansomBoggs and previous Sandworm malware deployed against Ukrainian targets, such as ArguePatch, CaddyWiper, and Industroyer2. Early signs suggest this may be another data wiper disguised as ransomware.

Updated on 2022-11-13: Russia behind Ukraine, Poland ransomware attacks

Microsoft said this week that ransomware attacks targeting transportation and logistics companies in Ukraine and neighboring Poland back in October were launched by Russian military hackers, with the aim of disrupting the flow of goods and materiel into Ukraine. Microsoft dubbed the attack Prestige, and its threat intelligence unit attributes it to “Iridium,” aka Sandworm, or Russia’s GRU Unit 74455, which is known for its offensive and destructive cyberattacks. Read more: New “Prestige” ransomware impacts organizations in Ukraine and Poland

Updated on 2022-11-11: Iridium/Sandworm

Also at the CyberWarCom conference on Thursday, Microsoft said it linked the attacks with the Prestige ransomware against organizations in Ukraine and Poland to a Russian state-sponsored group it tracks as Iridium, also known as Sandworm. At the same conference, Microsoft researchers also presented research about other threat actor groups like BROMINE (aka Berserk Bear) (on their abuse of data center infrastructure management interfaces), ZINC (on their use of social engineering campaigns built around weaponized legitimate open-source software), and several Chinese state actors (on their use of SOHO routers to obfuscate operations). Read more:


Microsoft attributed the Prestige ransomware attacks to a Russian state-sponsored threat actor, Iridium, which overlaps with the Sandworm APT group. Read more: Microsoft Blames Russian Hackers for Prestige Ransomware Attacks on Ukraine and Poland

Alex Lim is a certified IT Technical Support Architect with over 15 years of experience in designing, implementing, and troubleshooting complex IT systems and networks. He has worked for leading IT companies, such as Microsoft, IBM, and Cisco, providing technical support and solutions to clients across various industries and sectors. Alex has a bachelor’s degree in computer science from the National University of Singapore and a master’s degree in information security from the Massachusetts Institute of Technology. He is also the author of several best-selling books on IT technical support, such as The IT Technical Support Handbook and Troubleshooting IT Systems and Networks. Alex lives in Bandar, Johore, Malaysia with his wife and two children. You can reach him at [email protected] or follow him on Website | Twitter | Facebook
