Russian hackers are using a new ransomware strain, tracked as Somnia, to disrupt the normal activities of targets in Ukraine. Since the Russian invasion of Ukraine, infosec researchers have continuously reported a drastic increase in attack campaigns against Ukrainian government and private sector entities. Details about the Somnia ransomware and its operators were made public in a report by CERT-UA (the Computer Emergency Response Team of Ukraine).
According to CERT-UA's findings, the operators behind the Somnia attacks belong to a pro-Russia hacktivist group calling itself From Russia with Love (FRwL), also tracked as Z-Team and UAC-0118. The group used the ransomware to disrupt the automated systems and computers of the breached target.
FRwL uses a multi-stage infection chain that relies on several different tools. The initial compromise vector is the download and execution of a weaponized installer masquerading as the legitimate 'Advanced IP Scanner' utility. The fake installer is distributed through dedicated websites that imitate the software's real download portal. Employees of the targeted organization who fall for the lure end up installing the Vidar stealer on their computers.
The attackers then use Vidar to steal the victim's Telegram session data and take over their account. From the hijacked account they harvest the victim's VPN connection details. If the VPN is not protected by two-factor authentication (2FA), these credentials alone give the FRwL operators access to the organization's corporate network. Once inside, they deploy a Cobalt Strike beacon and proceed to exfiltrate sensitive data or carry out further reconnaissance.
The Somnia Ransomware Details
Somnia encrypts a wide range of file types and appends '.somnia' to each encrypted file's original name. While most ransomware operations are financially motivated, this is not the case with Somnia: the attackers do not demand a ransom and make no offer of decryption. In practice the tool is used as a data wiper whose purpose is simply to deny the victim access to its data.
CERT-UA notes that Somnia still appears to be under active development. Earlier versions relied on the symmetric 3DES cipher to encrypt the targeted files, while later builds switched to AES.
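Because Somnia drops no ransom note and never negotiates, detection has to key on the encryption activity itself rather than on the usual ransom-note artifacts. The script below is an added example, not code from the CERT-UA report or from the Somnia operators: it runs over a small set of constructed file-rename events (in the style of an EDR file-activity feed, whose format, paths and process names are assumptions) and flags any process that appends '.somnia' to at least a threshold number of files within a short sliding time window, while ignoring an isolated rename that happens to use the same extension.

```python
"""Flag processes that mass-rename files to the '.somnia' extension.

Added example, not code from the CERT-UA report or from the Somnia operators.
Runs over constructed file-rename events; the log format, file paths and
process images below are assumptions made for the demonstration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SOMNIA_SUFFIX = ".somnia"

# Constructed sample events: "ISO-timestamp|pid|image|old_path|new_path".
# pid 4120 renames six files in three seconds (ransomware-like burst);
# pid 2231 renames one file to .somnia and one to an unrelated name.
SAMPLE_EVENTS = """\
2022-11-10T09:14:01|4120|C:\\Users\\svc\\AppData\\Local\\Temp\\update.exe|C:\\Share\\contracts\\q3.docx|C:\\Share\\contracts\\q3.docx.somnia
2022-11-10T09:14:01|4120|C:\\Users\\svc\\AppData\\Local\\Temp\\update.exe|C:\\Share\\contracts\\q4.xlsx|C:\\Share\\contracts\\q4.xlsx.somnia
2022-11-10T09:14:02|4120|C:\\Users\\svc\\AppData\\Local\\Temp\\update.exe|C:\\Share\\hr\\payroll.csv|C:\\Share\\hr\\payroll.csv.somnia
2022-11-10T09:14:02|4120|C:\\Users\\svc\\AppData\\Local\\Temp\\update.exe|C:\\Share\\hr\\staff.pdf|C:\\Share\\hr\\staff.pdf.somnia
2022-11-10T09:14:03|4120|C:\\Users\\svc\\AppData\\Local\\Temp\\update.exe|C:\\Share\\eng\\plan.vsdx|C:\\Share\\eng\\plan.vsdx.somnia
2022-11-10T09:14:03|4120|C:\\Users\\svc\\AppData\\Local\\Temp\\update.exe|C:\\Share\\eng\\scada.bak|C:\\Share\\eng\\scada.bak.somnia
2022-11-10T09:20:40|2231|C:\\Windows\\explorer.exe|C:\\Users\\ana\\Desktop\\note.txt|C:\\Users\\ana\\Desktop\\note.txt.somnia
2022-11-10T09:21:00|2231|C:\\Windows\\explorer.exe|C:\\Users\\ana\\Desktop\\a.txt|C:\\Users\\ana\\Desktop\\b.txt
"""


def parse_events(text):
    """Parse one pipe-separated event per line; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split("|")
        if len(parts) != 5:
            continue
        ts, pid, image, old_path, new_path = parts
        events.append({
            "ts": datetime.fromisoformat(ts),
            "pid": int(pid),
            "image": image,
            "old_path": old_path,
            "new_path": new_path,
        })
    return events


def is_somnia_rename(event):
    """True when the file simply gained the '.somnia' suffix (original name kept)."""
    old, new = event["old_path"], event["new_path"]
    return new.lower().endswith(SOMNIA_SUFFIX) and new[: -len(SOMNIA_SUFFIX)] == old


def find_mass_rename(events, threshold=5, window=timedelta(seconds=10)):
    """Return {pid: details} for every process that appended '.somnia' to at
    least `threshold` files inside any `window`-long span.  Uses a sliding
    window over that process's own rename events, sorted by timestamp."""
    by_pid = defaultdict(list)
    for ev in events:
        if is_somnia_rename(ev):
            by_pid[ev["pid"]].append(ev)

    alerts = {}
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Advance the left edge until the window fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[pid] = {
                    "image": evs[end]["image"],
                    "count": len(evs),              # total .somnia renames by this pid
                    "first": evs[0]["ts"],
                    "files": [e["old_path"] for e in evs],
                }
                break
    return alerts


if __name__ == "__main__":
    for pid, info in find_mass_rename(parse_events(SAMPLE_EVENTS)).items():
        print(f"pid {pid} ({info['image']}): {info['count']} files renamed to {SOMNIA_SUFFIX}")
        for path in info["files"]:
            print("    ", path)
```

The threshold and window are deliberately conservative so that a single user renaming one file does not trigger; tune them to the rename rate of your own file servers. The list of original paths in each alert is what an incident responder needs first, since with Somnia there will be no decryptor and recovery comes from backups of exactly those files.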