
Russian Hackers Target Ukraine With Malicious Encryption

From Russia with Love Group Boasted of Removing Decryptor from Somnia Ransomware
A damaged Russian tracked armored fighting vehicle marked with a "Z" found in Luhansk Oblast, Ukraine (Image: State Border Guard Service of Ukraine)

Hackers operating in Russia trojanized downloads of a popular network scanning tool with an info stealer to spy on organizations in Ukraine and ultimately disrupt their operations by encrypting their data with no way to recover it.


Ukraine's Computer Emergency Response Team (CERT-UA) on Friday attributed a spate of attacks to a group known as From Russia with Love, also known as Z-Team. The letter "Z" has become a militarist symbol of support for Russia's invasion of Ukraine. CERT-UA tracks the group as UAC-0118.

In the attack pattern identified by CERT-UA, initial access brokers gain a toehold on targeted systems through websites masquerading as the official site of Advanced IP Scanner, software for identifying devices on a local network. The installer served from these lookalike sites is bundled with the Vidar info stealer.

Post-infection, From Russia with Love takes over with the end goal of deploying Somnia ransomware. But unlike most ransomware groups, it does so with no decryptor on offer, permanently locking victims out of their files. The ransomware gets its name from the .somnia extension it appends to encrypted files.
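Because the article notes the only reliable on-disk artifact, the .somnia extension, a defender's first detection is a burst of renames to that extension on one host. The following is an added example, not code from the article or from CERT-UA: it parses constructed file-event log lines in a hypothetical `timestamp|host|action|path` format and flags any host that renames at least `threshold` files to .somnia within a sliding time window. The log format, host names and paths are assumptions for illustration.

```python
"""Flag hosts that rename files to the .somnia extension in a burst.

The log format (timestamp|host|action|path) and every line in SAMPLE_LOG
are constructed for this example; they are not real telemetry.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

SUSPECT_EXT = ".somnia"

# Constructed sample events: one host encrypts four files in seconds,
# another renames two files more than an hour apart, a third only
# creates a file whose name merely contains the string "somnia".
SAMPLE_LOG = """\
2022-11-11T09:14:02Z|ws-017|CREATE|C:\\Users\\o.petrenko\\Documents\\budget.xlsx
2022-11-11T09:14:05Z|ws-017|RENAME|C:\\Users\\o.petrenko\\Documents\\budget.xlsx.somnia
2022-11-11T09:14:06Z|ws-017|RENAME|C:\\Users\\o.petrenko\\Documents\\contract.docx.somnia
2022-11-11T09:14:07Z|ws-017|RENAME|C:\\Users\\o.petrenko\\Pictures\\scan01.jpg.somnia
2022-11-11T09:14:09Z|ws-017|RENAME|C:\\Users\\o.petrenko\\Desktop\\notes.txt.somnia
2022-11-11T09:20:00Z|ws-042|RENAME|C:\\Users\\t.bondar\\Downloads\\setup.exe.somnia
2022-11-11T11:03:30Z|ws-042|RENAME|C:\\Users\\t.bondar\\Downloads\\old.bak.somnia
2022-11-11T09:15:00Z|ws-003|CREATE|C:\\Temp\\insomnia.log
"""


def parse_event(line):
    """Parse one 'timestamp|host|action|path' line; return None if malformed."""
    parts = line.strip().split("|", 3)
    if len(parts) != 4:
        return None
    ts, host, action, path = parts
    try:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    return {"time": when, "host": host, "action": action, "path": path}


def is_somnia_rename(event):
    """True only for a RENAME whose new name ends with the .somnia suffix.

    Matching the suffix (case-insensitively) rather than the substring avoids
    false positives on ordinary names such as 'insomnia.log'.
    """
    return event["action"] == "RENAME" and event["path"].lower().endswith(SUSPECT_EXT)


def find_encryption_bursts(lines, threshold=3, window=timedelta(seconds=60)):
    """Return {host: (first_alert_time, total_somnia_renames)}.

    A host is reported when at least `threshold` .somnia renames fall within
    any `window`; the alert time is when the threshold was first crossed.
    """
    events = [e for e in map(parse_event, lines) if e and is_somnia_rename(e)]
    events.sort(key=lambda e: e["time"])
    recent = defaultdict(deque)   # per-host timestamps inside the window
    totals = defaultdict(int)
    first_alert = {}
    for e in events:
        host = e["host"]
        totals[host] += 1
        q = recent[host]
        q.append(e["time"])
        while q and e["time"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and host not in first_alert:
            first_alert[host] = e["time"]
    return {h: (first_alert[h], totals[h]) for h in first_alert}


if __name__ == "__main__":
    for host, (when, count) in find_encryption_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {host}: {count} files renamed to {SUSPECT_EXT}, threshold hit at {when.isoformat()}")
```

With the default threshold of three renames in sixty seconds only ws-017 is reported; the two renames on ws-042 are too far apart, and the CREATE on ws-003 is ignored. Tune `threshold` and `window` to the file-activity baseline of the environment, and remember that a host has already lost the files it encrypted before the alert fires, so the response is isolation of the host and a hunt for the Vidar and Cobalt Strike footholds that preceded it.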

The From Russia with Love Telegram channel in August boasted of removing the decryption function in a post that offered "Zelensky devil" as a justification for the infections. Ukrainian President Volodymyr Zelenskyy on Monday visited the Ukrainian city of Kherson hours after telling the country that investigators had documented more than 400 war crimes during its Russian occupation.

CERT-UA says Vidar steals, among other things, Telegram session data, which lets the hackers log on to the messaging service as the victim if the account holder has not enabled two-factor authentication. The hijacked accounts gave the hackers VPN connection configuration files that had been shared over Telegram, which in turn let them establish their own VPN connection into the organization in the absence of a multifactor authentication requirement.

Having gained access to an organization's computer network, the Russian hackers conducted reconnaissance, established persistence through a Cobalt Strike Beacon and exfiltrated data before deploying the ransomware.

About the Author

Mihir Bagwe


Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.
