Iridium/Sandworm APT – New Sandworm ransomware strain named RansomBoggs

Updated on 2022-12-06

Microsoft warned against Russian cyberattacks targeting NATO allies and Ukrainian infrastructure throughout the winter, especially by the Sandworm APT gang. Read more: Microsoft warns of Russian cyberattacks throughout the winter

Russia has intensified its hybrid war against Ukraine – targeting civilians. Here’s what we anticipate Russia’s cyber and influence operations might look and how Microsoft will help prepare for and prevent harm to customers and democracies facing attacks. https://t.co/gfJ2wRRtzM

— Brad Smith (@BradSmi) December 3, 2022

Updated on 2022-11-30: Sandworm Threat Actors are Launching Ransomware Attacks Against Organizations in Ukraine

Researchers from ESET say that the threat actor group known as Sandworm is launching ransomware attacks against organizations in Ukraine. They appear to be using ransomware ESET is calling RansomBoggs, which is written in .NET. ESET has notified Ukraine’s Computer Emergency Response Team (CERT-UA) of their findings.

Note

• The RansomBoggs ransomware is Monsters Inc. (Disney, 2001) themed, and while announcing it’s using AES 128 encryption, actually encrypts files with AES 256 and appends the .chsch extension to those files. The key is stored in a file called aes.bin with the public key either passed as an argument to the ransomware or it’s hard coded. The ransomware is distributed via a PowerShell script, and written in .NET. The primary purpose of this attack appears to be disruption versus extorting money, even so, make sure your users are trained to be cautious with unknown attachments/scripts which come bearing gifts. Check with your EDR provider for detection capabilities.
• For more on the Sandworm threat actor, I highly recommend Andy Greenberg’s book, Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers.

Read more in

• RansomBoggs: New ransomware targeting Ukraine
• Sandworm gang launches Monster ransomware attacks on Ukraine
• Sandworm hacking group linked to new ransomware deployed in Ukraine

Updated on 2022-11-29

ESET has a short blog post on RansomBoggs, a new ransomware strain deployed last week in Ukraine and which the company linked to Sandworm, a cyber-espionage group linked to the Russian military intelligence services. ESET spotted and warned about this new ransomware last Friday. Read more: RansomBoggs: New ransomware targeting Ukraine

Updated on 2022-11-28

ESET researchers connected the Russian Sandworm APT group to a new ransomware, dubbed RansomBoggs, that has been targeting Ukrainian entities. Read more: New ransomware attacks in Ukraine linked to Russian Sandworm hackers

Updated on 2022-11-27: New Sandworm ransomware

ESET has discovered a new ransomware strain named RansomBoggs that was deployed against Ukrainian organizations last week. ESET said it linked the ransomware to a threat actor known as Sandworm, one of Russia’s military cyber units. Researchers said they found links between RansomBoggs and previous Sandworm malware deployed against Ukrainian targets, such as ArguePatch, CaddyWiper, and Industroyer2. Early signs suggest this may be another data wiper disguised as ransomware.

Updated on 2022-11-13: Russia behind Ukraine, Poland ransomware attacks

Microsoft said this week that ransomware attacks targeting transportation and logistics companies in Ukraine and neighboring Poland back in October were launched by Russian military hackers, with the aim of causing disruption of the flow of goods and materiel into Ukraine. Microsoft dubbed the attack Prestige, and its threat intelligence unit says “Iridium,” aka Sandworm, or Russia’s GRU Unit 74455, which is known for its offensive and destructive cyberattacks. Read more: New “Prestige” ransomware impacts organizations in Ukraine and Poland

Updated on 2022-11-11: Iridium/Sandworm

Also at the CyberWarCom conference on Thursday, Microsoft said it linked the attacks with the Prestige ransomware against organizations in Ukraine and Poland to a Russian state-sponsored group it tracks as Iridium, also known as Sandworm. At the same conference, Microsoft researchers also presented research about other threat actor groups like BROMINE (aka Berserk Bear) (on their abuse of data center infrastructure management interfaces), ZINC (on their use of social engineering campaigns built around weaponized legitimate open-source software), and several Chinese state actors (on their use of SOHO routers to obfuscate operations). Read more:

• New “Prestige” ransomware impacts organizations in Ukraine and Poland
• Microsoft threat intelligence presented at CyberWarCon 2022

Today the Microsoft Threat Intelligence Center (MSTIC) has attributed to a Russian nation-state actor recent attacks against logistics companies in Ukraine and Poland https://t.co/8u56vV3V6E

— Tom Burt (@TomBurt45) November 10, 2022

Overview

Microsoft attributed Prestige ransomware attacks to a Russian state-sponsored threat actor Iridium, who shares overlaps with the Sandworm APT group. Read more: Microsoft Blames Russian Hackers for Prestige Ransomware Attacks on Ukraine and Poland