Multiple organizations in Ukraine have been hit with a wave of attacks deploying a new ransomware strain called “RansomBoggs.” Researchers with cybersecurity firm ESET, who first detected the attacks, linked this new campaign to Sandworm, a Russia-based state-backed threat actor that has been increasingly targeting Ukrainian entities since the start of Russia’s invasion of the country.
First spotted on November 21, the RansomBoggs malware is written in .NET, and its “deployment is similar to previous attacks attributed to Sandworm,” ESET wrote in a series of tweets.
In October, Microsoft detected a similar campaign using a never-before-seen ransomware strain called “Prestige” that targeted organizations in the transportation and related logistics industries in Ukraine and Poland. The company linked the new malware to a threat cluster it is tracking as Iridium (DEV-0960), which is believed to have a connection to the Sandworm group.
ESET says they discovered links between RansomBoggs and previous Sandworm malware deployed against Ukrainian targets, such as ArguePatch, CaddyWiper, and Industroyer2. Some findings suggest RansomBoggs may be another data wiper disguised as ransomware.