FortiGuard Labs is aware of a report that a new ransomware “Somnia” was observed in attacks against Ukraine. Somnia ransomware was deployed as a final payload in multiple staged attacks involving a fake IP scanner, Vidar stealer, and Cobalt Strike. The attack was attributed to FRwL (aka Z-Team, UAC-0118).Why is this Significant?This is significant because Somnia is the latest ransomware that reportedly targets Ukrainian interests. Other ransomware variants that previously targeted Ukraine include are but not restricted to Prestige, AcidRain, DoubleZero, CaddyWiper, IssacWiper, HermeticWiper, and WhisperGate.How was Somnia Ransomware Distributed?Somnia ransomware was reportedly distributed in an attack chain that goes through multiple stages. First, the attacker creates a fake Advanced IP Scanner Web site in an attempt to trick Ukrainian organizations into downloading and installing Vidar stealer disguised as “Advanced IP Scanner” installer. Once a victim’s machine is compromised by Vidar stealer, it tries to steal Telegram’s session data, which is then used to compromise VPN connections giving the attacker access to the victim’s network. Cobalt Strike was seen deployed to the compromised network. Reportedly Rсlone, Anydesk, and Ngrok were observed for data exfiltration. Finally, Somnia ransomware deployed to encrypt files on the compromised machines.What is Somnia Ransomware?Somnia is a ransomware that encrypts files on compromised machines. According to CERT-UA, there are two different types of Somnia ransomware; the one uses 3DES algorithm for file encryption and the other uses the AES algorithm. The affected files have a “.somnia” file extension.Somnia ransomware targets and encrypts files with the following extensions:File extensions targeted by Somnia ransomware (screenshot taken from a CERT-UA report)Since Somnia ransomware does not drop any ransom note and attacker’s contact information, victims will likely will not be able to decrypt the encrypted files.What is the Status of Protection?While Somnia ransomware samples are not publicly available, FortiGuard Labs detect the fake Advanced IP Scanner used as initial infection vector with the following AV signature:• W32/PossibleThreatReported network IOCs are blocked by Webfiltering.
More Stories
USN-6968-2: PostgreSQL vulnerability
USN-6968-1 fixed CVE-2024-7348 in PostgreSQL-12, PostgreSQL-14, and PostgreSQL-16 This update provides the corresponding updates for PostgreSQL-9.5 in Ubuntu 16.04 LTS....
USN-7015-2: Python vulnerabilities
USN-7015-1 fixed several vulnerabilities in Python. This update provides one of the corresponding updates for python2.7 for Ubuntu 16.04 LTS,...
USN-7027-1: Emacs vulnerabilities
It was discovered that Emacs incorrectly handled input sanitization. An attacker could possibly use this issue to execute arbitrary commands....
USN-7024-1: tgt vulnerability
It was discovered that tgt attempts to achieve entropy by calling rand without srand. The PRNG seed is always 1,...
helix-24.07-2.fc42 rust-cargo-0.79.0-4.fc42 rust-cargo-deny-0.14.24-3.fc42 rust-dua-cli-2.29.2-1.fc42 rust-gix-0.66.0-1.fc42 rust-gix-actor-0.32.0-1.fc42 rust-gix-archive-0.15.0-1.fc42 rust-gix-attributes-0.22.5-1.fc42 rust-gix-command-0.3.9-1.fc42 rust-gix-commitgraph-0.24.3-1.fc42 rust-gix-config-0.40.0-1.fc42 rust-gix-config-value-0.14.8-1.fc42 rust-gix-credentials-0.24.5-1.fc42 rust-gix-date-0.9.0-1.fc42 rust-gix-diff-0.46.0-1.fc42 rust-gix-dir-0.8.0-1.fc42 rust-gix-discover-0.35.0-1.fc42 rust-gix-features-0.38.2-3.fc42 rust-gix-filter-0.13.0-1.fc42 rust-gix-fs-0.11.3-1.fc42 rust-gix-glob-0.16.5-1.fc42 rust-gix-ignore-0.11.4-1.fc42 rust-gix-index-0.35.0-1.fc42 rust-gix-mailmap-0.24.0-1.fc42 rust-gix-negotiate-0.15.0-1.fc42 rust-gix-object-0.44.0-1.fc42 rust-gix-odb-0.63.0-1.fc42 rust-gix-pack-0.53.0-1.fc42 rust-gix-packetline-0.17.6-1.fc42 rust-gix-packetline-blocking-0.17.5-1.fc42 rust-gix-path-0.10.11-1.fc42 rust-gix-pathspec-0.7.7-1.fc42 rust-gix-prompt-0.8.7-1.fc42 rust-gix-protocol-0.45.3-1.fc42 rust-gix-ref-0.47.0-1.fc42 rust-gix-refspec-0.25.0-1.fc42 rust-gix-revision-0.29.0-1.fc42 rust-gix-revwalk-0.15.0-1.fc42 rust-gix-sec-0.10.8-1.fc42 rust-gix-status-0.13.0-1.fc42 rust-gix-submodule-0.14.0-1.fc42 rust-gix-tempfile-14.0.2-1.fc42 rust-gix-trace-0.1.10-1.fc42 rust-gix-transport-0.42.3-1.fc42 rust-gix-traverse-0.41.0-1.fc42 rust-gix-url-0.27.5-1.fc42 rust-gix-validate-0.9.0-1.fc42 rust-gix-worktree-0.36.0-1.fc42 rust-gix-worktree-state-0.13.0-1.fc42 rust-gix-worktree-stream-0.15.0-1.fc42 rust-onefetch-2.21.0-4.fc42 rust-prodash-29.0.0-1.fc42 rust-rustsec-0.29.3-3.fc42 rust-tame-index-0.12.0-3.fc42 rust-vergen-8.3.1-4.fc42 stgit-2.4.12-1.fc42
FEDORA-2024-1b3089c689 Packages in this update: helix-24.07-2.fc42 rust-cargo-0.79.0-4.fc42 rust-cargo-deny-0.14.24-3.fc42 rust-dua-cli-2.29.2-1.fc42 rust-gix-0.66.0-1.fc42 rust-gix-actor-0.32.0-1.fc42 rust-gix-archive-0.15.0-1.fc42 rust-gix-attributes-0.22.5-1.fc42 rust-gix-command-0.3.9-1.fc42 rust-gix-commitgraph-0.24.3-1.fc42 rust-gix-config-0.40.0-1.fc42 rust-gix-config-value-0.14.8-1.fc42 rust-gix-credentials-0.24.5-1.fc42 rust-gix-date-0.9.0-1.fc42 rust-gix-diff-0.46.0-1.fc42...
USN-7025-1: LibreOffice vulnerability
It was discovered that LibreOffice would incorrectly handle digital signature verification after repairing a corrupted document. A remote attacker could...