RansomBoggs Attacks in Ukraine Linked To Russian Hackers

Top findings

• POWERGAP, a Powershell script used in this attack, is the linking key between RansomBoggs and Sandworm. It is identical to the script observed during the Industroyer2 attacks in April against the energy sector.
• The same script was used to deliver destructive CaddyWiper malware in attacks against Ukrainian organizations in March.

Working of RansomBoggs

• A PowerShell script called POWERGAP is used to deploy RansomBoggs payloads from the domain controller on the victims' networks.
• After deployment, RansomBoggs encrypts files using AES-256 in CBC mode using a randomly generated, RSA-encrypted (variant-specific) key written to aes.bin. It adds a .chsch extension to all encrypted files.
• The ransomware drops ransom notes, with a pretense to be written by James P. Sullivan, the lead character of the Monsters Inc movie, on encrypted systems. It is written in a tone of asking for financial help in a tough time and asks the victim to contact the provided email address.

Highlights of Sandworm’s relentless efforts

• In early November, Microsoft linked the Sandworm group (tracked as IRIDIUM) to Prestige ransomware attacks targeting transportation and logistics organizations in Ukraine and Poland since October.
• In February, the cyber agencies in the U.S. and the U.K. issued a joint security advisory delineating the connection between Cyclops Blink botnet (before its disruption) and Sandworm.

Conclusion