Ukraine hit by a vicious ransomware, with the group “From Russia with Love” behind it

In Ukraine, the Russian offensive continues to play out in cyberspace. The latest attack is attributed to the group “From Russia with Love”. Ukraine’s computer emergency response team, CERT-UA, has reported a new attack on organizations in the country in recent days.

Unable to decrypt data

In a note released on November 11, the authorities say several business computers were targeted by a particularly vicious ransomware. Named “Somnia”, the malware created by the Russian group encrypts the files on its host with one small twist: it is impossible to decrypt them.

The group “From Russia with Love” boasted in a Telegram message in August that it had removed the function allowing the data to be restored. “We removed the function of decryption, now the process is irreversible and the encryption algorithm is crazy”, the group wrote, expressing its stance against Ukraine and the “devil Zelensky”.

A well-established infection process

To install their ransomware, the hackers used a fairly simple infection chain. A malware named “Vidar” was hidden inside a faithful copy of the Advanced IP Scanner network tool, which one of the employees downloaded. Vidar is an infostealer known for harvesting the login credentials stored on a computer. The hackers were thus able to recover the Telegram login data for the employee’s account, and since two-factor authentication was not enabled, gaining access was trivial.

The hackers were then also able to gain access to the company’s VPN and take control of its machines remotely. It was at this stage that the Somnia ransomware could be implanted on a machine in the internal network. According to the Kyiv authorities, company data may also have been exfiltrated. The attack reportedly affected conventional workstations as well as automated systems.

As our colleagues at IT Canada note, these attacks stem from two errors: an employee downloading compromised software, and the absence of two-factor authentication on Telegram and, more seriously still, on the company’s VPN. Attacks of this type should now be easier for the country’s corporate security managers to anticipate.
