New Somnia ransomware targets Ukrainian orgs

The Computer Emergency Response Team of Ukraine (CERT-UA) released details regarding recent attacks that targeted organizations in the country with a new ransomware strain called “Somnia.”

The agency attributed the attacks to the Russia-linked hacker group FRwL (aka Z-Team), which it tracks as UAC-0118. To gain initial access to a victim network, the threat actor used fake “Advanced IP Scanner” software distributed via bogus websites mimicking the official site; the download actually delivered the Vidar stealer, which steals the victim's Telegram session data to take control of their account.

The attackers then abused the victim’s Telegram account to steal VPN connection data (authentication data and certificates) and used that VPN connection to break into the corporate network (if the victim’s VPN account was not protected by two-factor authentication).

Once in the network, the hackers used a variety of tools, such as Netscan, Cobalt Strike Beacon, AnyDesk, Ngrok, and Rclone, to conduct reconnaissance and exfiltrate data.

CERT-UA said that UAC-0118 has been targeting organizations in Ukraine since the spring of 2022. The agency also noted the Somnia ransomware went through some modifications, with the latest samples using the AES algorithm, whereas the previous versions relied on 3DES. It appears that the decryption function was also removed from the latest version, essentially turning the malware into a tool of destruction, rather than a way to earn money.
