Ukraine CERT Warns on Somnia ransomware

Cyber experts from Ukraine discovered a new attack campaign by suspected Russian threat actors that compromise victims’ VPN accounts to access and encrypt networked resources.

The Somnia ransomware was being used by the FRwL (aka Z-Team), also identified as UAC-0118.

Initial compromise is achieved by tricking victims into downloading “Advanced IP Scanner” software which contains Vidar malware. CERTU-UA believes this was achieved by initial access brokers (IABs) working for the Russians.

Once inside, attackers conducted reconnaissance work using the Netscan tool and then launched Cobalt Strike Beacon, exfiltrating data using the Rclone program. There are also signs of the threat actors using Anydesk and Ngrok at this stage.

It’s unclear how widespread the campaign was, although “several” Ukrainian organizations are thought to have been impacted since spring 2022.

CERT-UA confirmed that the end goal is not to generate profits from a ransom but to destroy victim environments. The Somnia malware has also undergone changes. The first version of the program used the symmetric 3DES algorithm. In the second version, the AES algorithm is implemented.

At the same time, considering the dynamics of the key and the initialization vector, this version of Somnia, does not provide for the possibility of data decryption.

Indicators of Compromise

• 100c5e4d5b7e468f1f16b22c05b2ff1cfaa02eafa07447c7d83e2983e42647f0
• ac5e68c15f5094cc6efb8d25e1b2eb13d1b38b104f31e1c76ce472537d715e08
• 99cf5c03dac82c1f4de25309a8a99dcabf964660301308a606cdb40c79d15317
• 156965227cbeeb0e387cb83adb93ccb3225f598136a43f7f60974591c12fafcf
• e449c28e658bafb7e32c89b07ddee36cadeddfc77f17dd1be801b134a6857aa9
• fbed7e92caefbd74437d0970921bfd7cb724c98c90efd9b6d0c2ac377751c9e5
• 06fe57cadb837a4e3b47589e95bb01aec1cfb7ce62fdba1f4323bb471591e1d2
• 1e0facd62d1958ccf79e049270061a9fce3223f7986c526f6f3a93ef85180a72
• 1f4c5ab072f384b9adfafd35903c5b54b8a3ad167250728d0d400454300a4367