CERT-UA, Ukraine's Computer Emergency Response Team, has detected new ransomware being used by Russian hackers. The malware, called "Somnia", is attributed to the group From Russia with Love (FRwL), also known as Z-Team or UAC-0118. The group announced the ransomware on Telegram and even posted evidence of attacks against tank producers in Ukraine.
Unlike common ransomware, which extorts the victim by demanding a ransom, this malware encrypts data with the aim of wiping it out and causing operational disruption. Despite the CERT-UA report, Ukraine has not confirmed whether the hackers have carried out a successful attack with this new tool, although FRwL has previously attacked computers of Ukrainian organizations.
According to CERT-UA, the hackers set up fake websites that imitate the "Advanced IP Scanner" software to trick people into downloading an installer that infects the system with the Vidar stealer, which steals the victim's Telegram session data and lets the attackers take over the victim's account.
The hackers then abuse the hijacked Telegram account, in a way the Ukrainian report does not specify, to obtain the victim's VPN connection data.
If the VPN account is not protected by two-factor authentication, the hackers use it to gain unauthorized access to the corporate network of the victim's employer. The ransomware then scans the user's data, goes after many file types (text documents, photos, videos and so on) and encrypts them, adding the ".somnia" extension.
The data stays on the affected devices but is rendered useless, and victims have no way to recover it.
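The only file-level indicator the report gives is the ".somnia" extension added to encrypted files that are left in place. The following is an added triage example, not code from CERT-UA, the page, or the attackers: it walks a directory tree, separates renamed files whose contents look encrypted (high Shannon entropy) from renamed files that do not, and also flags high-entropy files that were not renamed. The extension is taken from the report; the 7.5 bits-per-byte threshold is a generic heuristic, not a published indicator, and the sample tree it builds (random bytes standing in for ciphertext, repeated plain text for a clean file) is constructed for the demo.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Added example, not CERT-UA's or the attackers' code. It assumes only what the
# report states: Somnia renames encrypted files with a ".somnia" extension and
# leaves them on disk. The entropy threshold is a common heuristic (encrypted
# or compressed data approaches 8 bits per byte), not a published indicator.
SOMNIA_EXT = ".somnia"
HIGH_ENTROPY = 7.5  # bits per byte; plain text usually sits around 4 to 5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def triage(root: str, sample_bytes: int = 4096) -> dict:
    """Walk `root` and classify every regular file by extension and entropy.

    Returns a dict with three sorted lists of paths relative to `root`:
      renamed_encrypted:     .somnia files whose first bytes are high-entropy
      renamed_not_encrypted: .somnia files that are empty or low-entropy
      suspicious_unrenamed:  high-entropy files without the extension
    Only the first `sample_bytes` of each file are read, which keeps the scan
    cheap on large trees.
    """
    result = {
        "renamed_encrypted": [],
        "renamed_not_encrypted": [],
        "suspicious_unrenamed": [],
    }
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        rel = str(path.relative_to(root))
        with open(path, "rb") as fh:
            head = fh.read(sample_bytes)
        ent = shannon_entropy(head)
        renamed = path.name.endswith(SOMNIA_EXT)
        if renamed and ent >= HIGH_ENTROPY:
            result["renamed_encrypted"].append(rel)
        elif renamed:
            result["renamed_not_encrypted"].append(rel)
        elif ent >= HIGH_ENTROPY:
            result["suspicious_unrenamed"].append(rel)
    return result


def build_sample_tree() -> str:
    """Constructed sample data for the demo; returns the temp directory path."""
    root = tempfile.mkdtemp(prefix="somnia-triage-")
    os.makedirs(os.path.join(root, "docs"))
    # Random bytes stand in for ciphertext (about 8 bits of entropy per byte).
    with open(os.path.join(root, "docs", "report.docx.somnia"), "wb") as fh:
        fh.write(os.urandom(8192))
    # A clean text file: repeated ASCII, entropy well under the threshold.
    with open(os.path.join(root, "docs", "notes.txt"), "wb") as fh:
        fh.write(b"Quarterly notes: nothing unusual.\n" * 100)
    # A renamed but empty file: the extension alone does not prove encryption.
    with open(os.path.join(root, "docs", "empty.somnia"), "wb") as fh:
        fh.write(b"")
    # High-entropy content without the extension, e.g. an in-progress rename.
    with open(os.path.join(root, "backup.bin"), "wb") as fh:
        fh.write(os.urandom(8192))
    return root


if __name__ == "__main__":
    for category, paths in triage(build_sample_tree()).items():
        print(f"{category}: {paths}")
```

On a real host the `suspicious_unrenamed` bucket will also catch legitimately compressed or encrypted files (archives, JPEGs, disk images), so treat it as a list to review rather than an alert; the `renamed_encrypted` bucket is the one that matches the behaviour the report describes.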