Toni Dimaano Tech 11.13.2022 21:Nov PM EST

Ukraine Claims Russian Hackers Infiltrate Systems With New Somnia Ransomware

Russian hackers have made their way inside multiple Ukrainian organizations, encrypting their systems with a new strain of ransomware called "Somnia."

The Somnia ransomware infected these systems and caused operational problems in the ongoing war, the Computer Emergency Response Team of Ukraine (CERT-UA) confirms.

CERT-UA Suspects That 'Z-Team' Is Responsible For The Attack

The ransomware attack that targeted Ukrainian organizations and operational systems is believed to be caused by 'FRom Russia with Love' (FRwL).

CERT-UA named FRwL, also known as Z-Team, as the possible masterminds behind the cyber crime outbreak in Ukraine, Bleeping Computer writes.

According to CERT-UA's announcement, the group had previously revealed that they created the Somnia ransomware on Telegram, even posting evidence of the attacks they made against Ukrainian tank producers.

The organization details that the FRwL uses fake sites to copy the "Advanced IP Scanner" software to urge Ukraine's organizations' employees to download the ransomware into their devices.

The ransomware then infects the system with the Vidal stealer, taking the victim's session data to take control of their Telegram accounts.

With this, the hackers use the Telegram accounts they acquired to stream VPN connection data to get unauthorized access to the employer's corporate network.

The Z-Team deploys a Cobalt Strike beacon before exfiltrating data, and using Netscan, Rclone, Anydesk, and Ngrok to surveillance and access the organizations' activities.

The ransomware, appended with the .somnia extension, targets documents, images, databases, archives, videos, and more.

According to Bleeping Computer, the hackers have not confirmed any successful encryption, but they are adamant about disrupting Ukraine's operations rather than getting ransom payments or revenue.

Due to this information, CERT-UA believes that this malware aims to wipe out data unlike traditional ransomware attacks.

Cyberwar Between Russia and Ukraine

Since the invasion of Ukraine unfolded on the physical war ground, Russia has waged cyber attacks to hack the former's operations.

According to Wired, cyber analysts believe that the hackings launched by Russia as part of its war tactics allow for quicker intrusions by going straight to the databases.

By breaching databases, multiple targets can be affected at the same time, destroying as many systems as possible in a short amount of time.

Mandiant analysts Gabby Roncone and John Wolfram say that starting an online warfare will get Russia more immediate effects with data-destroying wiper malware.

Wired reports that the FRwL attack was not the only incident Ukraine had to deal with in recent months, as Russia deployed a Prestige ransomware attack targeting Ukrainian transportation and logistics in March.

Microsoft's Threat Intelligence Center (MSTIC) also revealed that the victims of this ransomware attack in Poland and Ukraine were also targets of the HermeticWiper malware in February.

With this, Ukraine's cybersecurity agency is on the lookout for possible consequences of these malware attacks as Russia quickens the pace of its cyber operations.

While the country's State Services for Special Communication and Information Protection says that the hacking methods deployed by Russia are not flashy, they still warn of the serious consequences they can inflict.