BleepingComputer reports that numerous organizations in Ukraine are having their systems encrypted with the novel Somnia ransomware, which the Computer Emergency Response Team of Ukraine (CERT-UA) has attributed to the Russian hacktivist operation From Russia with Love (FRwL), also known as Z-Team and UAC-0118.
According to CERT-UA, FRwL uses fraudulent websites impersonating the "Advanced IP Scanner" software to lure employees of Ukrainian organizations into downloading a trojanized installer, which infects their systems with the Vidar stealer.
Exfiltration of the targets' Telegram session data is followed by the takeover of those Telegram accounts, which the attackers use to steal VPN connection data. They then deploy Cobalt Strike, exfiltrate data, and use AnyDesk, Ngrok, Rclone, and Netscan for remote access and surveillance. This chain was used to deploy the Somnia ransomware, which targets archives, documents, images, video files, and databases.
Since Somnia does not seek ransom payments, BleepingComputer notes that it should be regarded as a data wiper rather than ransomware.
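The intrusion chain described above gives a defender a concrete hunting list: the tools the attackers bring with them (AnyDesk, Ngrok, Rclone, Netscan) and the lure executable that starts the chain. The following is an added example, not code from the article, CERT-UA or BleepingComputer. It runs a simple classifier over process-creation events and correlates hits per host, so that a machine showing both the lure and a later-stage tool stands out from one with a single stray binary. The `host|user|image_path` event format, all sample lines and the path rules are constructed assumptions, not a real EDR or SIEM schema.

```python
"""Hunt for the Somnia intrusion-chain tooling in process-creation events.

Added example, not code from the page, CERT-UA or BleepingComputer. It flags
the remote-access, tunnelling and data-transfer tools the article names
(AnyDesk, Ngrok, Rclone, Netscan) and an "Advanced IP Scanner"-named installer
executed from a user-writable download location, which is how the lure arrives.
The event format and all sample lines are constructed; they do not follow any
real EDR or SIEM schema.
"""
import re
from dataclasses import dataclass

# Tools named on the page, matched against the executable's base name only so
# that a directory called "tools" does not trigger on every process under it.
TOOL_PATTERNS = {
    "anydesk": re.compile(r"anydesk", re.I),
    "ngrok": re.compile(r"ngrok", re.I),
    "rclone": re.compile(r"rclone", re.I),
    "netscan": re.compile(r"netscan", re.I),
}

# The lure: an executable carrying the Advanced IP Scanner name. Only flag it
# when it runs from a user-writable drop location; the genuine product lives
# under Program Files after an administrator-managed install.
LURE_NAME = re.compile(r"advanced[_\s-]*ip[_\s-]*scanner", re.I)
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(downloads|appdata\\local\\temp)\\", re.I)


@dataclass
class Finding:
    host: str
    image: str
    reason: str


def parse_event(line):
    """Parse one constructed event line: host|user|image_path. Returns None if malformed."""
    parts = line.strip().split("|")
    if len(parts) != 3 or not all(parts):
        return None
    host, user, image = parts
    return {"host": host, "user": user, "image": image}


def classify(event):
    """Return a Finding for a suspicious process image, or None for benign."""
    image = event["image"]
    basename = image.rsplit("\\", 1)[-1]
    for name, pattern in TOOL_PATTERNS.items():
        if pattern.search(basename):
            return Finding(event["host"], image, f"tool:{name}")
    if LURE_NAME.search(basename) and USER_WRITABLE.search(image):
        return Finding(event["host"], image, "lure:advanced-ip-scanner-from-user-path")
    return None


def hunt(lines):
    """Run classify() over every well-formed event and collect the findings."""
    findings = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        finding = classify(event)
        if finding is not None:
            findings.append(finding)
    return findings


def hosts_with_chain(findings):
    """Hosts where at least two distinct indicators fired, i.e. the lure plus a
    later-stage tool, rather than a single binary seen once."""
    per_host = {}
    for f in findings:
        per_host.setdefault(f.host, set()).add(f.reason)
    return sorted(h for h, reasons in per_host.items() if len(reasons) >= 2)


# Constructed sample events (not real telemetry). Raw strings keep the backslashes.
SAMPLE_EVENTS = [
    r"ws01|olena|C:\Users\olena\Downloads\Advanced_IP_Scanner_setup.exe",
    r"ws01|olena|C:\Users\olena\AppData\Local\Temp\ngrok.exe",
    r"fs02|svc_backup|C:\Tools\rclone\rclone.exe",
    r"ws07|ivan|C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner.exe",
    r"ws07|ivan|C:\Windows\System32\notepad.exe",
    r"ws03|nadia|C:\Users\nadia\Downloads\AnyDesk.exe",
    r"fs02|svc_backup|C:\Users\svc_backup\Downloads\netscan.exe",
    "garbled line without separators",
]

if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS)
    for f in results:
        print(f"{f.host}: {f.reason} ({f.image})")
    print("hosts with multi-stage activity:", hosts_with_chain(results))
```

Two design choices matter in practice. The lure rule deliberately ignores the legitimately installed Advanced IP Scanner under Program Files, so it does not fire on every administrator who uses the real product. The tool list must be baselined against what the organization sanctions: AnyDesk and Rclone are common in IT operations, so the per-host correlation in `hosts_with_chain` is the signal worth paging on, not a single match.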
Ukrainian organizations hit by Russian Somnia ransomware attacks