Sandworm spawns monstrous new offspring

A new strain of ransomware linked to the Russian-affiliated threat group Sandworm has been spotted in the wild, targeting Ukrainian organizations.

The announcement was made on Twitter by cyber analyst ESET, which said the malware's code was new but that its deployment was similar to previous attacks launched by Sandworm.

ESET notified Ukraine’s national cyber-watchdog CERT-UA on November 21 and has dubbed the new strain RansomBoggs.

“While the malware written in .NET is new, its deployment is similar to previous attacks attributed to Sandworm,” said ESET.

In a bizarre idiosyncrasy not uncommon among cybercriminals, the gang makes references to the popular 2001 animated film Monsters, impersonating voice-actor star James P. Sullivan in an apparent effort to mimic his ‘boogeyman’ antics in the movie.

“Dear human life forms!” begins the ransom note reposted on Twitter by the gang behind RansomBoggs. “This is James P. Sullivan, an employee of Monsters Inc. Recently our company has experienced great financial problems and we require some cash to move on with our electronic crap.”

The teasing intro sets up the verbal payload, which consists of the usual notification of illegal data encryption – by which ransomware actors render a company’s vital information unusable until a fee is paid – followed by the contact details needed to begin ‘negotiations.’

“I am extremely sorry but I am encrypting your documents using AES-128,” it reads. “This key is encrypted using [standard encryption program] RSA. Please DO NOT WORRY! I have a decrypting functionality too.”

ESET added that the files and code used in this process are also named after allusions to Monsters, and that the most recent cyberattacks bear the hallmarks of those previously launched by Sandworm, including the use of a PowerShell script to distribute the ransomware that is “almost identical to the one seen last April during the Industroyer2 attacks against the energy sector.”

Known to the Ukrainian cyber authorities as PowerGap, the PowerShell script was also used to deploy CaddyWiper malware against Ukrainian infrastructure in April this year, shortly after Russia invaded its neighbor.
