One of Ukraine's cybersecurity bodies has reported that Russia is using a new ransomware strain, called “Somnia”, to attack Ukrainian systems and create operational gridlock.
The technique relies on victim organizations not having two-factor authentication enabled on their business VPN accounts, which are then used to gain access to their wider network.
Unusually, the ransomware is designed to disrupt key Ukrainian organizations, rather than hold data hostage for a price. But once the war abates, who knows where hacking groups – with weapons like this – will turn their attention.
The National Computer Emergency Response Team for Ukraine (CERT-UA) has now reported several attacks involving Somnia ransomware.
Z-Team, the Russian-associated hacking group thought to be responsible for the proliferation of the strain, has detailed on the encrypted messaging app Telegram (where it goes by the alternate moniker “From Russia with Love”, or FRwL) how it used the ransomware to attack Ukrainian tank manufacturers.
The attack is the most recent development in the cyber war that has been raging alongside Russia's ground and air invasion of Ukrainian territory, which began in February 2022.
How does Somnia work?
The hacking group has mocked up fake sites that purport to provide free, downloadable IP scanners but instead load malicious programs onto unsuspecting victims’ devices.
This is used to take control of Telegram accounts, which in turn are used to gain VPN access (unless the user’s account is protected by two-factor authentication) and subsequently the entire network they’re operating on.
One Cobalt Strike beacon later, and the exfiltration of data and remote access to the network begins.
These attacks have been going on since the spring of this year, but Somnia has changed along the way: it originally relied on the symmetric 3DES block cipher, whereas it now uses the Advanced Encryption Standard (AES).
Cyberattacks Only Getting Worse
Seeing new strains of ransomware being rolled out during periods of warfare should send a stark warning to businesses about the rapid evolution and persistence of cyber threats.
Data breaches are an almost daily occurrence now, and ransomware attacks are often financially fatal for companies, particularly small businesses, who are the most at-risk demographic when it comes to cyberattacks.
As with many attacks, they rely upon human error in the present (mistaking a fake website for a real one) and human error in the past (not activating two-factor authentication on a business VPN account).
That’s why training staff to spot the telltale signs of cyber attacks is so important, while continuously reinforcing the importance of multi-factor authentication and of using strong, unique passwords.