The Russian hacktivists introduced a new ransomware strain called Somnia that hit Multiple Ukrainian enterprises and encrypted their computers and disrupted operations.

In a statement published on its website, the Computer Emergency Response Team of Ukraine (CERT-UA) announced the outbreak and attributed the attacks to “From Russia with Love” (FRwL), also known as “Z-Team,” who they track as UAC-0118. Ukraine claims Russian hackers are using the latest Somnia ransomware.

On Telegram, the group previously admitted to developing the Somnia ransomware and even shared evidence of assaults against Ukrainian tank manufacturers.

FRwL attack details

According to CERT-UA, the hacking group deceives Ukrainian organization employees into downloading an installer by using fake websites that look exactly like the ‘Advanced IP Scanner’ software.

FRwL attack
The fake website used for dropping Vidar Stealer (CERT-UA)

In actuality, the installer installs the Vidar stealer, which hijacks the victim’s account by stealing their Telegram session data.

The threat actors accessed the victim’s Telegram account in some undefined way to acquire VPN connection data, according to CERT-UA (authentication and certificates).

The hackers use the VPN account to gain unauthorized access to the victim’s employer’s corporate network if it isn’t secured by two-factor authentication.

The attackers then set up a Cobalt Strike beacon, stole information, and carry out various remote access and surveillance tasks using Netscan, Rclone, Anydesk, and Ngrok.

Also, read Ukraine-Targeting Malware Indicators Revealed By US Cyber Command

Since the spring of 2022, according to CERT-UA, FRwL has launched a number of attacks on computers belonging to Ukrainian organizations with the aid of initial access brokers.

The agency further warns that while Somnia initially used the symmetric 3DES technique, the most recent samples of the ransomware strain used in these assaults rely on the AES algorithm.

The ransomware strain Somnia targets various file types (extensions), including documents, photos, databases, archives, video files, and more, as indicated below.

File types encrypted by the Somnia ransomware
File types encrypted by the Somnia ransomware (CERT-UA)

When encrypting files, the ransomware will add the .somnia extension to the names of the files.

Somnia’s operators are more concerned with disrupting the target’s operations than making money, hence they do not ask the victims to pay a ransom in exchange for a working decryptor.

Therefore, this classic ransomware attack rather it is a data wiper.