Recent ransomware attacks by the Russian-based ransomware family tracked as RansomBoggs Ransomware has targeted a number of Ukrainian organizations, according to researchers.
The attacks against various Ukrainian companies were first discovered on November 21, 2022, according to the security firm that dubbed the new ransomware strain, RansomBoggs.
“While the malware written in .NET is new, its deployment is similar to previous attacks attributed to Sandworm,” the company stated, in a series of tweets on Friday,
Sandworm aka BlackEnergy and TeleBots has been active since 2000 and is controlled by Unit 74455 of the Russian GRU’s Main Center for Special Technologies (GTsST).
Microsoft reported a similar campaign in October that targeted companies in the logistics and transportation industries with the ransomware called Prestige and the attacks were attributed to Sandworm.
The code of the RansomBoggs ransomware shows that the threat actors make several references to the Pixar movie Monsters, Inc. The ransom note, SullivanDecryptsYourFiles.txt, shows that the threat actors imitating the movie’s main character, James P. Sullivan, and the executable file is likewise entitled Sullivan.version?>.exe.
The ransomware employs a PowerShell script, which specialists discovered is ‘almost identical’ to the one used in Industroyer2 attacks on the energy industry that came to light in April.
The POWERGAP PowerShell script was used to deploy CaddyWiper data wiper malware via a loader called ArguePatch also known as AprilAxe.
RansomBoggs encrypts files in CBC mode with AES-256 and appends the .chsch extension to the encrypted files. The key is then written to aes.bin after being RSA encrypted.
Over the years, the Sandworm threat actor group has had a well-known history of attacking vital infrastructure over the years. The group is also responsible for the NotPetya ransomware, causing billion worth of losses to hundreds of companies around the world in June 2017.