ESET researchers have revealed that a new ransomware called RansomBoggs is targeting the networks of several Ukrainian organizations. The activity is related to the well-known Russian military threat group Sandworm.

Top findings

Researchers have attributed RansomBoggs attacks to the Sandworm APT actor based on similarities with previous attacks conducted by the group.
  • POWERGAP, a Powershell script used in this attack, is the linking key between RansomBoggs and Sandworm. It is identical to the script observed during the Industroyer2 attacks in April against the energy sector.
  • The same script was used to deliver destructive CaddyWiper malware in attacks against Ukrainian organizations in March.

Working of RansomBoggs

RansomBoggs is a new malware written in .NET. However, its distribution method is similar to Sandworm’s previous attacks.
  • A PowerShell script called POWERGAP is used to deploy RansomBoggs payloads from the domain controller on the victims' networks.
  • After deployment, RansomBoggs encrypts files using AES-256 in CBC mode using a randomly generated, RSA-encrypted (variant-specific) key written to aes.bin. It adds a .chsch extension to all encrypted files.
  • The ransomware drops ransom notes, with a pretense to be written by James P. Sullivan, the lead character of the Monsters Inc movie, on encrypted systems. It is written in a tone of asking for financial help in a tough time and asks the victim to contact the provided email address.

Highlights of Sandworm’s relentless efforts

Sandworm is comprised of elite Russian hackers active for at least two decades.
  • In early November, Microsoft linked the Sandworm group (tracked as IRIDIUM) to Prestige ransomware attacks targeting transportation and logistics organizations in Ukraine and Poland since October.
  • In February, the cyber agencies in the U.S. and the U.K. issued a joint security advisory delineating the connection between Cyclops Blink botnet (before its disruption) and Sandworm.


Sandworm’s linkage with the new RansomBoggs indicates that the group is actively enhancing its toolset to make its attacks efficient. Moreover, the development of malware such as RansomBoggs and Prestige provides a clear indication of the motives of this financially motivated group. Ukrainian organizations are suggested to follow the best practices and security tips to stay protected.
Cyware Publisher