December 8, 2022
Several organizations in Ukraine have been infected with a new strain of ransomware, dubbed Somnia, in a recent wave of attacks by Russian hacktivists.The new ransomware encrypts systems, attempting to render its targets inoperative. Unlike other ransomware infections, Somnia doesn’t include a ransom note, as its developers allegedly disabled its decryption feature.Researchers from the Computer…

Several organizations in Ukraine have been infected with a new strain of ransomware, dubbed Somnia, in a recent wave of attacks by Russian hacktivists.

The new ransomware encrypts systems, attempting to render its targets inoperative. Unlike other ransomware infections, Somnia doesn’t include a ransom note, as its developers allegedly disabled its decryption feature.

Researchers from the Computer Emergency Response Team of Ukraine (CERT-UA) have pinned the attacks on the “From Russia with Love” (FRwL) hacking group in an announcement acknowledging the malicious campaign.

The cybercrime crew, also known as Z-Team and tracked as UAC-0118, claimed previous attacks against Ukrainian tank producers and revealed themselves as the creators of the Somnia ransomware in a Telegram group.

CERT-UA’s investigation revealed that the perpetrators spread the malware using fake websites masquerading as “Advanced IP Scanner” software. The rogue websites hosted a malicious installer cloaking the infamous Vidar stealer.

After it’s installed, Vidar would hijack the victims’ Telegram session, allowing threat actors to steal VPN configuration files, including authentication data and certificates from compromised devices. The lack of Multi-Factor Authentication (MFA) upon establishing a VPN connection granted the attackers unauthorized access to the organizations’ networks.

Once inside, the perpetrators performed network reconnaissance, deployed Cobalt Strike beacons, exfiltrated data and spread the Somnia ransomware. The malware targets a wide range of file types, including databases, archives, photos, videos and documents, and appends the “.somnia” extension after encrypting them.

According to CERT-UA’s announcement, Somnia has undergone some changes, given that it switched from the symmetric 3DES algorithm to AES. Also, unlike its first iteration, the recently spotted version of the ransomware lacks a decryption feature, leading researchers to believe that the attackers are more interested in damaging operations than extorting money from their victims.

Dedicated security software such as Bitdefender Ultimate Security can keep you safe from ransomware and other cyberthreats, with features like:

  • All-around, continuous protection against viruses, Trojans, ransomware, spyware, rootkits, zero-day exploits, worms, and other e-threats
  • Multi-layer ransomware protection that safeguards your documents from all types of ransomware attacks
  • Network threat prevention module that identifies and repels suspicious network-level activities
  • Advanced threat defense that monitors active apps and takes instant action upon identifying suspicious activity

Source