Sandworm hacking group linked to new ransomware deployed in Ukraine

The notorious state-backed Russian hacking group known as Sandworm may be behind a new wave of ransomware attacks in Ukraine, according to new research from cybersecurity company ESET.

Malware called RansomBoggs hit several organizations in Ukraine before it was discovered by the Slovakia-based firm last week.

The attack carried multiple references to the animated film Monsters, Inc. The ransom note sent to infected computers was purportedly written on behalf of the movie’s main protagonist, the monster James P. Sullivan, whose job in the film was to scare kids.

On November 21st #ESETResearch detected and alerted @_CERT_UA of a wave of ransomware we named #RansomBoggs, deployed in multiple organizations in Ukraine. While the malware written in .NET is new, its deployment is similar to previous attacks attributed to #Sandworm. 1/9 pic.twitter.com/WyxzCZSz84

— ESET Research (@ESETresearch) November 25, 2022

In the ransom note, Sullivan asks for financial help and apologizes for the “inconvenience.” 

“We are relying on you in these hard times and are crying for help,” the note reads.

The executable file and the hackers’ Telegram account are also named Sullivan, and references to the movie are also present in the code. 

At least five Ukrainian organizations were targeted by RansomBoggs, ESET spokeswoman Yulia Andrienko told The Record. The company hasn't detected attacks of this ransomware family outside of Ukraine.

The deployment of RansomBoggs is similar to previous attacks attributed to Sandworm, which was linked to the NotPetya cyberattack in 2017 that disrupted Ukrainian government organizations, banks, media, and electricity suppliers.

RansomBoggs appears to be faux ransomware — the authors aren't interested in making money from extorting victims, but are using it primarily to disrupt organizations by locking up their data, according to Andrienko. She also said the ransomware itself is fairly standard, aside from the Monsters Inc. theme.

Sandworm has been active in Ukraine since the start of Russia's full-scale invasion in February and has been linked to other destructive attacks, including a cyberattack on a Ukrainian energy provider in April using a new variant of the Industroyer malware.

RansomBoggs generates a random key and encrypts files using AES-256 in CBC mode (not AES-128 like mentioned in the ransom note), and appends the .chsch file extension. The key is then RSA encrypted and written to aes.bin. 6/9 pic.twitter.com/ilRt2hZtAt

— ESET Research (@ESETresearch) November 25, 2022

As in the Industroyer2 attack, hackers used the PowerShell script, called POWERGAP, to deploy RansomBoggs payloads from the domain controller on the victims' networks.

PowerShell script was also used to deliver destructive CaddyWiper malware in attacks that affected several dozen systems at Ukrainian organizations in March.

Last month, Microsoft warned of a similar operation in Ukraine and Poland in which ransomware called Prestige hit transportation and logistics companies. Microsoft officially attributed cyberattacks featuring Prestige ransomware to a Russian hacking group called Iridium, which overlaps with Sandworm.

During Russia's war in Ukraine, researchers have found many types of malware used by hackers linked to the Kremlin, including AcidRain, WhisperGate, WhisperKill, HermeticWiper, IsaacWiper, CaddyWiper and DoubleZero. Often, Russian hackers rework existing malware, as in the case of Industroyer2.

Every day, Russia carries out about 10 cyberattacks targeting Ukrainian critical infrastructure, Ukrainian cybersecurity official Viktor Zhora said at the ForbesTech conference in November. He did not elaborate on the severity of the attacks or their impact.