The Computer Emergency Response Team of Ukraine (CERT-UA) released details regarding recent attacks that targeted organizations in the country with a new ransomware strain called “Somnia.”
The agency attributed the attacks to the Russia-linked hacker group FRwL (aka Z-Team), which it tracks as UAC-0118. To gain initial access to a victim's network, the threat actor used a fake “Advanced IP Scanner” installer, distributed via bogus websites mimicking the official site, which in reality delivered the Vidar stealer. Vidar steals the victim's Telegram session data, letting the attackers take over the account.
The attackers then abused the hijacked Telegram account to obtain VPN connection data (credentials and certificates) and used that VPN connection to break into the corporate network, provided the victim’s VPN account was not protected by two-factor authentication.
Once in the network, the hackers used a variety of tools, such as Netscan, Cobalt Strike Beacon, AnyDesk, Ngrok, and Rclone, to conduct reconnaissance and exfiltrate data.
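The tools named above are all dual-use, so the most practical detection is to flag their execution on endpoints for triage. The following is an added example, not code from CERT-UA or from the article: it runs simple image-name and command-line rules over a handful of constructed process-creation events (Sysmon Event ID 1 style fields in JSON Lines form, fabricated for this example). The regex patterns are this example's own assumptions, not indicators published by CERT-UA.

```python
"""Flag dual-use tooling in Windows process-creation events.

Added example: the rules and the sample events below are constructed for
illustration and are not CERT-UA indicators or real telemetry.
"""
import json
import re

# Tools CERT-UA reports UAC-0118 using after initial access. Each rule is
# (name, image-name pattern, optional command-line pattern).
TOOL_RULES = [
    ("netscan", re.compile(r"(?i)(^|\\)netscan(\.exe)?$"), None),
    ("anydesk", re.compile(r"(?i)(^|\\)anydesk(\.exe)?$"), None),
    ("ngrok", re.compile(r"(?i)(^|\\)ngrok(\.exe)?$"),
     re.compile(r"(?i)\b(tcp|http|tunnel)\b")),
    ("rclone", re.compile(r"(?i)(^|\\)rclone(\.exe)?$"),
     re.compile(r"(?i)\b(copy|sync|move)\b")),
]

# rundll32 loading a DLL from a user-writable directory is a common way a
# Cobalt Strike Beacon is launched; treat this as a lower-confidence signal.
RUNDLL32_USER_PATH = re.compile(
    r"(?i)(^|\\)rundll32(\.exe)?\s+\S*\\(users|programdata|temp)\\")

# Constructed sample events (fabricated hostnames, paths and timestamps).
SAMPLE_EVENTS = r"""
{"ts": "2022-11-10T09:14:01Z", "host": "FIN-WS-07", "image": "C:\\Windows\\System32\\svchost.exe", "cmdline": "svchost.exe -k netsvcs"}
{"ts": "2022-11-10T09:15:22Z", "host": "FIN-WS-07", "image": "C:\\Users\\Public\\netscan.exe", "cmdline": "netscan.exe /range:10.0.0.1-10.0.3.254"}
{"ts": "2022-11-10T09:21:40Z", "host": "FIN-WS-07", "image": "C:\\Windows\\System32\\rundll32.exe", "cmdline": "rundll32.exe C:\\Users\\Public\\update.dll,StartW"}
{"ts": "2022-11-10T09:30:05Z", "host": "FIN-WS-07", "image": "C:\\ProgramData\\AnyDesk\\AnyDesk.exe", "cmdline": "AnyDesk.exe --service"}
{"ts": "2022-11-10T09:33:11Z", "host": "FIN-WS-07", "image": "C:\\Users\\Public\\ngrok.exe", "cmdline": "ngrok.exe tcp 3389"}
{"ts": "2022-11-10T10:02:48Z", "host": "FIN-FS-01", "image": "C:\\Users\\Public\\rclone.exe", "cmdline": "rclone.exe copy D:\\Finance remote:drop --transfers 8"}
{"ts": "2022-11-10T10:05:00Z", "host": "FIN-FS-01", "image": "C:\\Windows\\System32\\rundll32.exe", "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"}
"""


def classify(event):
    """Return the rule names an event matches (empty list if none)."""
    hits = []
    image = event.get("image", "")
    cmdline = event.get("cmdline", "")
    for name, image_re, cmd_re in TOOL_RULES:
        if image_re.search(image) and (cmd_re is None or cmd_re.search(cmdline)):
            hits.append(name)
    if RUNDLL32_USER_PATH.search(cmdline):
        hits.append("rundll32_userpath")
    return hits


def scan(jsonl):
    """Parse JSON Lines and return (ts, host, hits) for every matching event."""
    findings = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        hits = classify(event)
        if hits:
            findings.append((event["ts"], event["host"], hits))
    return findings


if __name__ == "__main__":
    for ts, host, hits in scan(SAMPLE_EVENTS):
        print(f"{ts} {host}: {', '.join(hits)}")
```

Matching on the image name is deliberately cheap and will miss a renamed binary; in production, pair it with the PE original file name (Sysmon's OriginalFileName) or known hashes, and treat the rundll32 heuristic as a triage prompt rather than a verdict, since legitimate software also loads DLLs from ProgramData.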
CERT-UA said that UAC-0118 has been targeting organizations in Ukraine since the spring of 2022. The agency also noted that the Somnia ransomware has been modified over time: the latest samples use the AES algorithm, whereas earlier versions relied on 3DES. The decryption function also appears to have been removed from the latest version, essentially turning the malware into a purely destructive tool rather than a way to earn money.