Somnia Ransomware Used against Ukrainian Targets

Tags: ukraine, bot farms, security, wipeout

Ukrainian CERT warned of a new family of ransomware deployed by Russian threat actors and used to target entities located in Ukraine. The new ransomware family is called Somnia and experts believe it is linked with a "hacktivist" group called From Russia with Love, also known under the alias UAC-0018.

At least one attack involved a sample of the Vidar stealer malware distributed as a malicious fake copy of the application Advanced IP Scanner.

The entity that ran Vidar on the victim's network "transferred" the data stolen in the breach to the hacktivists at UAC-0018, who used it to deploy Somnia on the victim's systems.

Vidar was used to compromise the victim's Telegram account and steal VPN login information for accounts that did not have multi-factor authentication enabled.

Even though Somnia is classified as a ransomware variant and family, the hackers working with From Russia with Love did not ask for any ransom. In that sense, Somnia is more of a destructive tool aimed at disrupting victim operations and rendering their systems inoperable; it is not ransomware in the traditional sense of the word, where extortion and some sort of payment are involved.

The report on Somnia states that even the malware's own authors lack the capability to decrypt the files, which makes it a purely destructive tool.

November 15, 2022