Russian Hackers Unleash New “Ransom-less” Ransomware

Ukraine's cybersecurity response team has seen the attack multiple times, but the goal appears to be disruption, not profit.

One of Ukraine’s cybersecurity bodies has reported that Russia is using a new ransomware strain, called “Somnia”, to attack Ukrainian systems and create operational gridlock.

The technique relies on victim organizations not having two-factor authentication enabled on their business VPN accounts, which are then used to gain access to their wider network.

Unusually, the ransomware is designed to disrupt key Ukrainian organizations, rather than hold data hostage for a price. But once the war abates, who knows where hacking groups – with weapons like this – will turn their attention.

Somnia Strikes

The National Computer Emergency Response Team for Ukraine (CERT-UA) has now reported several attacks involving Somnia ransomware.

Z-Team, the Russian-associated hacking group thought to be responsible for the proliferation of the strain, has detailed on the encrypted messaging app Telegram (where they go by an alternate moniker, “From Russia with Love” (FRwL)) how they used the ransomware to attack Ukrainian tank manufacturers.

The attack is the most recent development in the cyber war that has been raging alongside Russia’s ground and air invasion of Ukrainian territory, which began in February 2022.

How does Somnia work?

The hacking group has mocked up fake sites that purport to provide free, downloadable IP scanners, but instead, load malicious programs onto unsuspecting victims’ devices.

These programs are used to take control of Telegram accounts, which in turn are used to gain VPN access (unless the user’s account is protected by two-factor authentication) and subsequently access to the entire network they’re operating on.

One Cobalt Strike beacon later, and the exfiltration of data and remote access to the network begins.

These attacks have been going on since the spring of this year, but Somnia has changed over that time: it previously relied on the symmetric 3DES block cipher, whereas it now relies on the Advanced Encryption Standard (AES).

Cyberattacks Only Getting Worse

Seeing new strains of ransomware being rolled out during periods of warfare should send a stark warning to businesses about the rapid evolution and ever-present nature of cyber threats.

Data breaches are an almost daily occurrence now, and ransomware attacks are often financially fatal for companies, particularly small businesses, who are the most at-risk demographic when it comes to cyberattacks.

Like many attacks, these rely upon human error in the present (mistaking a fake website for a real one) and human error in the past (not activating two-factor authentication on a business VPN account).

That’s why training staff to spot the telltale signs of cyber attacks is so important, while continuously reinforcing the importance of multi-factor authentication and of using strong, unique passwords.

Written by:
Aaron Drapkin is's Content Manager. He has been researching and writing about technology, politics, and society in print and online publications since graduating with a Philosophy degree from the University of Bristol six years ago. Aaron's focus areas include VPNs, cybersecurity, AI and project management software. He has been quoted in the Daily Mirror, Daily Express, The Daily Mail, Computer Weekly, Cybernews, Lifewire, HR News and the Silicon Republic speaking on various privacy and cybersecurity issues, and has articles published in Wired, Vice, Metro, ProPrivacy, The Week, and covering a wide range of topics.