Sandworm hacking group linked to new ransomware deployed in Ukraine
Image: Aurelien Romain, The Record
Daryna Antoniuk November 29, 2022

Sandworm hacking group linked to new ransomware deployed in Ukraine

Sandworm hacking group linked to new ransomware deployed in Ukraine

The notorious state-backed Russian hacking group known as Sandworm may be behind a new wave of ransomware attacks in Ukraine, according to new research from cybersecurity company ESET.

Malware called RansomBoggs hit several organizations in Ukraine before it was discovered by the Slovakia-based firm last week.

The attack carried multiple references to the animated film Monsters, Inc. The ransom note sent to infected computers was purportedly written on behalf of the movie’s main protagonist, the monster James P. Sullivan, whose job in the film was to scare kids.

In the ransom note, Sullivan asks for financial help and apologizes for the “inconvenience.” 

“We are relying on you in these hard times and are crying for help,” the note reads.

The executable file and the hackers’ Telegram account are also named Sullivan, and references to the movie are also present in the code. 

At least five Ukrainian organizations were targeted by RansomBoggs, ESET spokeswoman Yulia Andrienko told The Record. The company hasn’t detected attacks of this ransomware family outside of Ukraine.

The deployment of RansomBoggs is similar to previous attacks attributed to Sandworm, which was linked to the NotPetya cyberattack in 2017 that disrupted Ukrainian government organizations, banks, media, and electricity suppliers.

RansomBoggs appears to be faux ransomware — the authors aren’t interested in making money from extorting victims, but are using it primarily to disrupt organizations by locking up their data, according to Andrienko. She also said the ransomware itself is fairly standard, aside from the Monsters Inc. theme.

Sandworm has been active in Ukraine since the start of Russia’s full-scale invasion in February and has been linked to other destructive attacks, including a cyberattack on a Ukrainian energy provider in April using a new variant of the Industroyer malware.

As in the Industroyer2 attack, hackers used the PowerShell script, called POWERGAP, to deploy RansomBoggs payloads from the domain controller on the victims’ networks.

PowerShell script was also used to deliver destructive CaddyWiper malware in attacks that affected several dozen systems at Ukrainian organizations in March.

Last month, Microsoft warned of a similar operation in Ukraine and Poland in which ransomware called Prestige hit transportation and logistics companies. Microsoft officially attributed cyberattacks featuring Prestige ransomware to a Russian hacking group called Iridium, which overlaps with Sandworm.

During Russia’s war in Ukraine, researchers have found many types of malware used by hackers linked to the Kremlin, including AcidRain, WhisperGate, WhisperKill, HermeticWiper, IsaacWiper, CaddyWiper and DoubleZero. Often, Russian hackers rework existing malware, as in the case of Industroyer2.

Every day, Russia carries out about 10 cyberattacks targeting Ukrainian critical infrastructure, Ukrainian cybersecurity official Viktor Zhora said at the ForbesTech conference in November. He did not elaborate on the severity of the attacks or their impact.

Daryna Antoniuk is a freelance reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.