Russian hackers release new ‘ransom-free’ ransomware

One of Ukraine’s cybersecurity bodies has reported that Russia is using a new ransomware strain, called “Somnia”, to attack Ukrainian systems and create an operational deadlock.

The technique relies on victim organizations not having two-factor authentication enabled on their business VPN accounts; those accounts are then used to reach the wider network.

Unusually, the ransomware is designed to disrupt major Ukrainian organizations, rather than hold data hostage for a price. But once the war subsides, who knows where the hacking groups – with weapons like this – will turn their attention.

Sleepy Greaves

The National Computer Emergency Response Team for Ukraine (CERT-UA) has now reported several attacks involving Somnia ransomware.

Z-Team, the Russia-associated hacking group believed to be responsible for proliferating the strain, has described on the encrypted messaging app Telegram (where it goes by another nickname, “From Russia with love” (FRwL)) how it used the ransomware in attacks on Ukrainian tank makers.

The attack is the latest development in the cyberwar raging alongside Russia’s ground and air invasion of Ukrainian territory, which began in February 2022.

How does Somnia work?

The hacking group has set up fake sites that claim to offer free downloadable IP scanners but instead load malware onto the devices of unsuspecting victims.

This malware is used to take control of Telegram accounts, which in turn are used to gain VPN access (unless the user’s account is protected by two-factor authentication) and then the whole network on which that VPN operates.

One Cobalt Strike beacon later, data exfiltration and remote access to the network begin.

These attacks have been ongoing since the spring of this year, but Somnia no longer relies on the 3DES symmetric-key block cipher; recent versions use the Advanced Encryption Standard (AES) instead.

Cyberattacks are only getting worse

Seeing new strains of ransomware deployed during times of war should send a stark warning to businesses about the rapid evolution and ubiquity of cyber threats.

Data breaches are now almost daily occurrences, and ransomware attacks are often financially fatal for businesses, especially small businesses, which are the demographic most at risk from cyberattacks.

As with many attacks, this one relies on human error in the present (mistaking a fake website for a real one) and human error in the past (not enabling two-factor authentication on a business VPN account).

That’s why it’s so important to train staff to spot the telltale signs of cyberattacks, while continuously reinforcing the importance of multi-factor authentication and using strong, unique passwords.
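The article’s practical point is that a single VPN account without a second factor is enough of a foothold. As an added example, not from the article, CERT-UA or the group it describes, the script below audits a VPN authentication export for two things a defender would want to know: successful logins where no second factor was presented, and accounts that are logging in but are not enrolled in MFA at all. The key=value log format, the sample lines and the enrolment list are all constructed for this example; map the field names onto your own VPN concentrator’s or identity provider’s export.

```python
"""
Audit VPN authentication events for logins that succeeded without a
second factor, and list accounts that were never enrolled in MFA.

The log format is constructed for this example (one key=value line per
event). Field names are assumptions; adapt them to your VPN's export.
"""
import re
from dataclasses import dataclass, field

# Constructed sample export: not from any real VPN appliance or incident.
SAMPLE_LOG = """\
2022-11-14T08:12:03Z user=alice src=203.0.113.10 result=SUCCESS mfa=passed
2022-11-14T08:14:51Z user=bob src=198.51.100.7 result=SUCCESS mfa=none
2022-11-14T08:15:02Z user=carol src=203.0.113.22 result=FAILURE mfa=none
2022-11-14T09:01:17Z user=bob src=198.51.100.7 result=SUCCESS mfa=none
2022-11-14T09:30:44Z user=dave src=192.0.2.55 result=SUCCESS mfa=passed
"""

# Constructed MFA enrolment state, as an identity provider might export it.
MFA_ENROLLED = {"alice", "carol", "dave"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>\S+) mfa=(?P<mfa>\S+)$"
)


@dataclass
class AuditResult:
    # (timestamp, user, source IP) for successful logins with no second factor
    logins_without_mfa: list = field(default_factory=list)
    # accounts seen in the log that are not enrolled in MFA at all
    unenrolled_users: set = field(default_factory=set)
    # lines that did not match the expected format (worth investigating too)
    malformed_lines: int = 0


def parse_event(line):
    """Parse one key=value event line; return a dict or None if malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def audit_vpn_logins(log_text, enrolled_users):
    """Walk the export once and collect the two classes of MFA gap."""
    result = AuditResult()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_event(raw)
        if ev is None:
            result.malformed_lines += 1
            continue
        # Any account that reaches the VPN at all should be enrolled.
        if ev["user"] not in enrolled_users:
            result.unenrolled_users.add(ev["user"])
        # A SUCCESS with no second factor is the condition the attack needs.
        if ev["result"] == "SUCCESS" and ev["mfa"] != "passed":
            result.logins_without_mfa.append((ev["ts"], ev["user"], ev["src"]))
    return result


if __name__ == "__main__":
    report = audit_vpn_logins(SAMPLE_LOG, MFA_ENROLLED)
    for ts, user, src in report.logins_without_mfa:
        print(f"ALERT {ts} {user} from {src}: VPN login succeeded with no second factor")
    for user in sorted(report.unenrolled_users):
        print(f"GAP   {user}: reaches the VPN but is not enrolled in MFA")
    if report.malformed_lines:
        print(f"NOTE  {report.malformed_lines} line(s) did not parse")
```

Run it as a scheduled job over the previous day’s export and treat any non-empty `logins_without_mfa` as a policy violation to fix at the concentrator, not just a log entry: the goal is that the condition the article describes (VPN success with password alone) cannot occur, so the alert list should normally be empty.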
