Monster ransomware attack against Ukrainian companies by the Sandworm group

Researchers from ESET revealed their findings on their discovery of RansomBoggs inside the networks of “several organizations in Ukraine” in a thread that was posted on Twitter. Although there are significant differences between RansomBoggs and the malware that has been associated with Sandworm, such as the fact that the code for the virus is written in.NET, the researchers stated that the techniques of dissemination are quite similar. RansomBoggs is the name that experts at the Slovakian software firm ESET have given to the ransomware that is being used in the latest attack on companies in Ukraine that have been launched by the Russian criminal group Sandworm.

According to the report, “a PowerShell script used to disseminate the.NET ransomware from the domain controller is almost identical to the one observed last April during the #Industroyer2 attacks against the energy industry,” which can be traced back to Sandworm.

Sandworm is believed to have been involved in the creation of the ransomware known as NotPetya in 2017, and it has been operating since at least the 1990s. It has been tied to Unit 74455 of the GRU, which is Russia’s military intelligence unit.

The organization attacked Ukraine during Russia’s invasion and subsequent seizure of Crimea in 2014, and it has been active ever since Russia started its most recent unlawful war on Ukraine. In both of those instances, Russia violated international law.

In April, the United States government offered a reward of ten million dollars to anyone who could provide information on six Russian GRU officers who were linked to Sandworm. The Russian GRU officers were accused of planning to carry out cyber attacks against critical infrastructure in the United States.

According to ESET, the payload of the malware is delivered into the organization’s network by means of the PowerShell script known as PowerGap by the Computer Emergency Response Team in Ukraine. PowerGap was also used in attacks in Ukraine in March to deliver the CaddyWiper malware by making use of the ArguePatch loader.

Sandworm gives its deadly attacks a humorous twist by using RansomBoggs, which make allusions to the Monsters, Inc. animated film that was released in 2001 by Pixar. “Dear human life form!” is written in the ransom message, and the perpetrators name themselves as “James P. Sullivan, an employee of Monsters, Inc.” James P. Sullivan is the name of the monster that stars as the main protagonist in the film. He has green and blue fur.

According to the researchers from ESET, the name of the note is SullivanDecryptsYourFiles.txt, the name of the executable is likewise Sullivan, and references to the film can also be found in the malware’s code. In addition, the victims are given the instruction to respond to the perpetrators of the attack via the email address m0nsters-inc@proton.

Although the message claims that it utilizes AES-128, the ransomware produces a random key that is encrypted using RSA, and it encrypts files using AES-256 in CBC mode. It also adds a.chsch suffix to files that have been encrypted after they have been saved.

The RSA public key may either be hardcoded into the malware sample itself or given as an input, depending on the form of the malicious software.
Sandworm, which Microsoft refers to as Iridium, launched the Prestige ransomware attack in October against the transportation and logistics industries in Ukraine and Poland. This campaign was reported by the cyber security company Recorded Future in August and targeted Ukrainian organizations by masquerading as Ukrainian telecommunications service providers. More recently, Sandworm was the mastermind behind a malware campaign in August that targeted Ukrainian organizations by masquerading as Ukrainian telecommunications service providers.