From Russia with Love Group Boasted of Removing Decryptor from Somnia Ransomware Mihir Bagwe (MihirBagwe) • November 14, 2022 A damaged Russian tracked armored fighting vehicle marked with a “Z” found in Luhansk Oblast, Ukraine (Image: State Border Guard Service of Ukraine)
Hackers operating in Russia successfully implanted downloads of network scanning software with an info stealer to spy on organizations in Ukraine and ultimately disrupt their operations through malicious encryption of data.
Ukraine’s Computer Emergency Response Team on Friday attributed a spate of attacks to a group known as From Russia with Love, also known as Z-Team. The letter “Z” has become a militarist symbol supportive of Russia’s invasion of Ukraine. CERT-UA tracks the group as UAC-0118.
The pattern of attack identified by CERT-UA is for initial access brokers to gain a toehold on targeted systems by embedding the Vidar info stealer into the installer offered by websites masquerading as the official site of Advanced IP Scanner, software for identifying devices on a local network.
Post-infection, From Russia with Love takes over with the end goal of deploying Somnia ransomware. Unlike most ransomware groups, it does so without any possibility of a decryptor, permanently locking victims out of their files. The ransomware gets its name from the .somnia extension it adds to encrypted files.
The From Russia with Love Telegram site in August boasted of removing the decryption function in a post that included “Zelensky devil” as a justification for the infections. Ukrainian President Volodymyr Zelenskyy on Monday visited the Ukrainian city of Kherson hours after telling the country that investigators documented more than 400 war crimes during its Russian occupation.
CERT-UA says Vidar steals, among other things, Telegram session data allowing hackers to log on to the social media service, assuming that account holders haven’t configured two-factor authentication. Hackers used Telegram to transfer VPN connection configuration files – again allowing hackers to re-establish the VPN connection in the absence of a multifactor authentication requirement.
Having gained access to an organization’s computer network, Russian hackers conducted reconnaissance, established persistence through a Cobalt Strike Beacon and exfiltrated data.
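The one file-level indicator CERT-UA reports for this campaign is the .somnia extension appended to encrypted files. The following added example (not code from CERT-UA or from the article) shows how a defender can turn that into a simple detection: it parses file-activity log lines, flags every event whose resulting file name carries the extension, and raises a per-host alert when several such events land inside a short window, which is the mass-rename pattern ransomware produces. The log format, the host names, the paths and the threshold and window values are all constructed assumptions for the demonstration; adapt the parser to whatever your file-server or EDR audit log actually emits.

```python
"""Heuristic detector for Somnia-style mass renames in file-activity logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

SOMNIA_EXT = ".somnia"  # extension CERT-UA reports Somnia appends to encrypted files

# Constructed sample log: "<ISO timestamp> <host> <operation> <path>", where a
# RENAME line carries "old -> new". The hosts and paths are invented for the demo.
SAMPLE_LOG = """\
2022-11-11T09:00:01 fs01 RENAME C:\\Shares\\Finance\\q3.xlsx -> C:\\Shares\\Finance\\q3.xlsx.somnia
2022-11-11T09:00:01 fs01 RENAME C:\\Shares\\Finance\\q4.xlsx -> C:\\Shares\\Finance\\q4.xlsx.somnia
2022-11-11T09:00:02 fs01 WRITE C:\\Shares\\Finance\\budget.docx.somnia
2022-11-11T09:00:02 fs01 RENAME C:\\Shares\\HR\\roster.csv -> C:\\Shares\\HR\\roster.csv.somnia
2022-11-11T09:00:03 fs01 WRITE C:\\Shares\\HR\\README.txt
2022-11-11T09:15:00 ws22 RENAME C:\\Users\\a\\notes.txt -> C:\\Users\\a\\notes.old
2022-11-11T09:15:30 ws22 RENAME C:\\Users\\a\\report.pdf -> C:\\Users\\a\\report.pdf.somnia
"""


def parse_event(line):
    """Parse one log line into (timestamp, host, op, resulting_path), or None if malformed.

    For RENAME events only the new name matters for the extension check.
    """
    parts = line.rstrip("\n").split(maxsplit=3)
    if len(parts) != 4:
        return None
    ts_text, host, op, rest = parts
    ts = datetime.fromisoformat(ts_text)
    if op == "RENAME":
        _, _, new_path = rest.partition(" -> ")
        path = new_path
    else:
        path = rest
    return ts, host, op, path


def somnia_hits(log_text):
    """Return every parsed event whose resulting file name ends in .somnia.

    A single hit is already worth a ticket: no legitimate software uses this extension.
    """
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev and ev[3].lower().endswith(SOMNIA_EXT):
            hits.append(ev)
    return hits


def burst_alerts(hits, threshold=3, window=timedelta(seconds=10)):
    """Per host, alert when `threshold` or more .somnia events fall inside `window`.

    Returns {host: [all .somnia paths seen on that host]} for hosts that crossed the
    threshold; a sliding window over the time-sorted events finds the burst.
    The threshold and window are assumed tuning values, not figures from the report.
    """
    by_host = defaultdict(list)
    for ts, host, _, path in hits:
        by_host[host].append((ts, path))

    alerts = {}
    for host, events in by_host.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                # Once a host shows encryption-rate renames, report every hit on it.
                alerts[host] = [p for _, p in events]
                break
    return alerts


if __name__ == "__main__":
    hits = somnia_hits(SAMPLE_LOG)
    print(f"{len(hits)} .somnia events found")
    for host, paths in burst_alerts(hits).items():
        print(f"ALERT {host}: {len(paths)} encrypted-looking files")
        for p in paths:
            print("   ", p)
```

Running it on the constructed log reports five .somnia events and one burst alert for fs01 (four renames in two seconds), while ws22's single hit is surfaced as an indicator but does not trip the burst rule. In production the same logic belongs in the SIEM rule that watches file-server audit events, and the burst alert is the trigger for isolating the host, since the article makes clear that waiting for a decryptor is not an option with this ransomware.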