The new ransomware was discovered by the cybersecurity company ESET, which named the malware RansomBoggs and reported that it had been used in attacks against several Ukrainian organizations since November 21, 2022. Although the malware is written in .NET and is completely new, its deployment process is very similar to that of other malware by the Sandworm group.
This incident occurred after Sandworm attacked transport and logistics companies in Poland and Ukraine using a new ransomware called Prestige.
According to ESET researchers, RansomBoggs is distributed by a PowerShell script that is almost identical to the one the attackers used to infect victims with the Industroyer2 malware. This script is called POWERGAP and was previously used to deploy CaddyWiper via the ArguePatch (aka AprilAxe) loader.
Analysis of RansomBoggs showed that the program generates a random key, encrypts files with AES-256 in CBC mode, and appends the ".chsch" extension to each encrypted file.
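The two observable traits described above, the ".chsch" extension and AES-256-CBC output that is statistically indistinguishable from random bytes, are what a responder would look for on a host suspected of being hit. The following triage scan is an added example written for this page; it is not ESET's code or anything from the RansomBoggs sample. It walks a directory tree, collects files carrying the reported extension, and measures the byte entropy of each file's leading bytes so that a renamed but unencrypted file is not counted as ciphertext. The sample files it builds are constructed for the demonstration; the entropy threshold of 7.5 bits/byte is an assumption chosen to separate ciphertext from ordinary documents.

```python
"""Added example (not from ESET or the article): triage scan for the
RansomBoggs indicator described above, the ".chsch" extension on
encrypted files, with a per-file entropy check. AES-CBC ciphertext is
close to 8 bits/byte, so a low-entropy ".chsch" file is likely a false hit."""
import math
import os
from collections import Counter
from pathlib import Path

SUSPECT_EXT = ".chsch"   # extension reported by ESET for RansomBoggs
ENTROPY_THRESHOLD = 7.5  # assumed cut-off in bits/byte; AES output is ~8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_tree(root, sample_bytes=4096):
    """Walk `root` and return (path, entropy) for every file ending in
    SUSPECT_EXT. Only the first `sample_bytes` are read, which keeps the
    scan cheap on large file shares and is enough to judge entropy."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SUSPECT_EXT):
                continue
            path = Path(dirpath) / name
            try:
                with open(path, "rb") as fh:
                    sample = fh.read(sample_bytes)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            hits.append((str(path), shannon_entropy(sample)))
    return hits


def summarize(hits):
    """Count suspect files and how many of them actually look encrypted."""
    high = sum(1 for _, entropy in hits if entropy >= ENTROPY_THRESHOLD)
    return {"suspect_files": len(hits), "high_entropy": high}


def build_demo_tree(root):
    """Constructed sample data for the demonstration: one file that mimics
    ciphertext (random bytes), one low-entropy file wearing the same
    extension, and one untouched document."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    (root / "report.docx.chsch").write_bytes(os.urandom(8192))
    (root / "notes.txt.chsch").write_bytes(b"A" * 8192)
    (root / "readme.txt").write_bytes(b"plain text, not renamed")
    return root


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        hits = scan_tree(build_demo_tree(tmp))
        for path, entropy in hits:
            print(f"{entropy:5.2f} bits/byte  {path}")
        print(summarize(hits))
```

On a real host the scan would be pointed at the user profile or a file share; a high count of high-entropy ".chsch" files is the signal to isolate the machine and preserve the volume before any cleanup, since the per-victim random key the article describes means the data cannot be recovered from the files themselves.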
Recall that the Sandworm group recently attacked arms suppliers for Ukraine using the Prestige malware. The hackers used three methods to infect companies in Eastern Europe.