Since the beginning of the Russian-Ukraine war in February, both countries are continuously launching cyberattacks against each other. Recently, CERT-UA released an alert regarding a new ransomware strain called Somnia that has ties with Russian cyberattackers “From Russia with Love” (FRwL), also known as Z-Team or UAC-0118.

The target

CERT-UA has confirmed that the attacks are from the Russian hacking group FRwL, who had previously disclosed creating Somnia on Telegram.
  • FRwL is launching attacks against automated systems and electronic computing machines belonging to Ukrainian organizations.
  • The group even posted evidence of attacks against tank producers in Ukraine.
  • However, Ukraine has not confirmed any successful encryption. 

The infection chain

FRwL is getting help from initial access brokers and other involved groups for its attacks.
  • For initial compromise, it uses fake sites that mimic the Advanced IP Scanner software to trick target employees into downloading an installer for Vidar stealer.
  • Vidar steals the victim's Telegram session and abuses it to transfer VPN connection details (including configuration files, certificates, and authentication data) to users. If VPN isn't protected with 2FA or a passcode, hackers use it to gain unauthorized access to the corporate network.
  • Once the intruders gain remote access to the corporate network, they conduct reconnaissance, launch a Cobalt Strike Beacon, and exfiltrate data. 

Furthermore, they use tools such as Netscan, Rсlone, Anydesk, and Ngrok to perform various surveillance and remote access activities.

More on Somnia strain

  • Somnia has undergone several changes and emerged as a data wiper. In the latest attacks, it doesn't provide any possibility of data decryption that shows its operators are more interested in disrupting the target's operations than generating revenue.
  • The latest Somnia variant relies on the AES algorithm, whereas the first version was using the symmetric 3DES algorithm.
  • It targets several file types, including documents, images, databases, archives, video files, and more, and appends the .somnia extension to the encrypted file's names when encrypting files.


Amidst the Russia-Ukraine war, several attacks have been launched and many essential, as well as critical infrastructures, have suffered the most. All organizations, regardless of size and region, are suggested to be prepared to respond to disruptive cyberattacks and adopt a high posture when it comes to cybersecurity and protecting their most critical assets.
Cyware Publisher