The Russian criminal crew Sandworm is launching another attack against organizations in Ukraine, using a ransomware that analysts at Slovakian software company ESET are calling RansomBoggs.
In a Twitter thread, the ESET researchers wrote that they had detected RansomBoggs deployed within the networks of “multiple organizations in Ukraine.” While some aspects of RansomBoggs are different from the malware that has been linked to Sandworm – such as the malware’s code being written in .NET – the deployment methods are similar, they wrote.
“There are similarities with previous attacks conducted by #Sandworm: a PowerShell script used to distribute the .NET ransomware from the domain controller is almost identical to the one seen last April during the #Industroyer2 attacks against the energy sector” that were attributed to Sandworm.
ESET notified Ukrainian cyber security officials about RansomBoggs.
The malware’s payload is deployed into the organization’s network via the PowerShell script, which the Computer Emergency Response Team in Ukraine calls PowerGap and which was used in attacks in Ukraine in March to deliver the CaddyWiper malware, using the ArguePatch loader, according to ESET.
With RansomBoggs, Sandworm adds a cartoonish flair to its serious attacks with references to the 2001 Pixar animated movie Monsters, Inc. The attackers address the ransom note to “Dear human life form!” and introduce themselves as “James P. Sullivan, an employee of Monsters, Inc.” James P. Sullivan is the name of the movie’s protagonist – a monster with blue and green fur.
The ransom note is named SullivanDecryptsYourFiles.txt, the executable is also named Sullivan, and the code contains further references to the movie, according to the ESET researchers. In addition, victims are instructed to reply to the attackers at m0nsters-inc@proton.
The ransomware generates a random key that is RSA encrypted and encrypts files using AES-256 in CBC mode, though the note claims it uses AES-128. It also appends a .chsch extension to files that have been encrypted.
“Depending on the malware variant, the RSA public key can either be hardcoded in the malware sample itself or provided as argument,” ESET wrote.
Sandworm is linked to Unit 74455 of the GRU – Russia’s military intelligence outfit – and has been active since at least the 1990s, including in the suspected development of the NotPetya ransomware in 2017.
The group targeted Ukraine during Russia’s 2014 invasion and subsequent occupation of Crimea and has been active since the country launched its latest illegal attack on Ukraine.
In April, the US announced a $10 million reward for information on six Russian GRU officers linked to Sandworm, accusing them of planning to carry out cyber attacks against American critical infrastructure.
More recently, Sandworm was behind a malware campaign in August, reported by cyber security firm Recorded Future, that targeted Ukrainian organizations by masquerading as Ukrainian telecommunications service providers. Microsoft detected another, in which Sandworm – which Microsoft refers to as Iridium – launched the Prestige ransomware in October against transportation and logistics industries in Ukraine and Poland.
In their report, researchers with Microsoft’s Security Threat Intelligence unit wrote that Iridium “has been consistently active in the war in Ukraine and has been linked to destructive attacks since the start of the war.”
The Prestige campaign – which aimed at entities in both Ukraine and Poland – showed a possible shift in the group’s “destructive attack calculus, signaling increased risk to organizations directly supplying or transporting humanitarian or military assistance to Ukraine,” they wrote.
“More broadly, it may represent an increased risk to organizations in Eastern Europe that may be considered by the Russian state to be providing support relating to the war.” ®