"Ukraine Says Russian Hacktivists Use New Somnia Ransomware"

Russian hackers have infected multiple Ukrainian organizations with a new ransomware strain called 'Somnia.' The Computer Emergency Response Team of Ukraine (CERT-UA) confirmed the outbreak in an announcement on its portal, attributing the attacks to 'From Russia with Love (FRwL),' also known as 'Z-Team,' which it tracks as UAC-0118. On Telegram, the group had previously admitted to developing the Somnia ransomware and even posted evidence of attacks against Ukrainian tank manufacturers. The group uses fake websites imitating the 'Advanced IP Scanner' software to trick employees of Ukrainian organizations into downloading an installer. The installer deploys the Vidar stealer, which steals the victim's Telegram session data in order to take control of their account. The threat actors then use the victim's Telegram account in an unspecified manner to obtain Virtual Private Network (VPN) connection data. If the VPN account is not protected by two-factor authentication (2FA), the hackers use it to gain unauthorized access to the corporate network of the victim's employer. Once inside, the intruders set up a Cobalt Strike beacon, steal data, and use Netscan, Rclone, AnyDesk, and Ngrok for various surveillance and remote access operations. According to CERT-UA, FRwL has carried out several attacks on computers belonging to Ukrainian organizations since the spring of 2022, with the assistance of initial access brokers. The agency also notes that the most recent Somnia samples used in these attacks rely on the AES algorithm, whereas earlier versions of Somnia used the symmetric 3DES algorithm. This article continues to discuss the Russian hacktivists' use of the new Somnia ransomware strain.

Bleeping Computer reports "Ukraine Says Russian Hacktivists Use New Somnia Ransomware"