New Somnia ransomware targets Ukrainian orgs

The Computer Emergency Response Team of Ukraine (CERT-UA) released details regarding recent attacks that targeted organizations in the country with a new ransomware strain called “Somnia.”

The agency attributed the attacks to the Russia-linked hacker group FRwL (aka Z-Team), which it tracks as UAC-0118. To gain initial access to a victim network, the threat actor used fake “Advanced IP Scanner” software spread via bogus websites mimicking the official site; the download in reality delivered the Vidar stealer, which steals the victim's Telegram session data so the attackers can take control of the account.

The attackers then abused the victim’s Telegram account to steal VPN connection data (authentication data and certificates) and used that VPN connection to break into the corporate network (if the victim’s VPN account was not protected by two-factor authentication).

Once in the network, the hackers used a variety of tools, such as Netscan, Cobalt Strike Beacon, AnyDesk, Ngrok, and Rclone, to conduct reconnaissance and exfiltrate data.

CERT-UA said that UAC-0118 has been targeting organizations in Ukraine since the spring of 2022. The agency also noted that the Somnia ransomware has gone through some modifications, with the latest samples using the AES algorithm, whereas the previous versions relied on 3DES. It appears that the decryption function was also removed from the latest version, essentially turning the malware into a tool of destruction rather than a way to earn money.
