
Ukrainian organizations attacked with novel RansomBoggs ransomware

Numerous Ukrainian organizations have been compromised by a wave of attacks using the novel .NET-based RansomBoggs ransomware strain, which resembles prior attacks by the Russian state-sponsored threat operation Sandworm, reports The Hacker News. Initially discovered by ESET researchers on Nov. 21, the RansomBoggs attacks used a PowerShell script to distribute the ransomware, a process nearly identical to the one used in April's Industroyer2 malware attacks, where the POWERGAP PowerShell script delivered CaddyWiper malware through the ArguePatch loader. RansomBoggs generates random keys, encrypts files with AES-256 in CBC mode, and appends the ".chsch" extension to encrypted files, according to ESET. Iridium, a threat operation linked to Sandworm, was recently tied by Microsoft to last month's Prestige ransomware attacks against Ukrainian and Polish transportation and logistics firms. Sandworm has also been associated with the 2017 NotPetya cyberattacks that hit healthcare providers, as well as the 2015 and 2016 cyberattacks against Ukraine's power grid.
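The two artifacts ESET reports, the appended ".chsch" extension and AES-256-CBC file contents, are what an incident responder would use to scope how far an infection spread. The script below is an added example for that triage step; it is not code from the original report, ESET, or SC Media. It assumes the file contents have already been collected into a dictionary, and the 7.5 bits-per-byte entropy threshold is an assumption chosen to separate ciphertext (which, under a random key, is statistically indistinguishable from random bytes, so close to 8.0) from ordinary documents. Files are flagged either because they carry the reported extension or because their contents look encrypted even though the extension is absent, which catches partially renamed or interrupted encryption runs.

```python
import math
import random
from collections import Counter

# Extension that ESET reports RansomBoggs appends to encrypted files.
RANSOMBOGGS_EXT = ".chsch"

# Assumed threshold: AES-CBC output measures close to 8 bits/byte; text and
# most uncompressed documents measure far lower.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage(files: dict[str, bytes], threshold: float = ENTROPY_THRESHOLD) -> dict[str, list[str]]:
    """Classify files by the two RansomBoggs indicators.

    by_extension:      path ends in the reported .chsch extension
    high_entropy_only: no extension match, but contents look like ciphertext
    """
    result = {"by_extension": [], "high_entropy_only": []}
    for path, content in files.items():
        if path.lower().endswith(RANSOMBOGGS_EXT):
            result["by_extension"].append(path)
        elif shannon_entropy(content) >= threshold:
            result["high_entropy_only"].append(path)
    return result


# Constructed sample data: seeded random bytes stand in for AES-CBC ciphertext,
# since real ciphertext is statistically indistinguishable from random data.
_rng = random.Random(2022)
SAMPLE_FILES = {
    "report.docx.chsch": _rng.randbytes(4096),   # encrypted and renamed
    "backup.bin": _rng.randbytes(4096),           # encrypted, extension not (yet) appended
    "notes.txt": b"Quarterly logistics schedule, revision 3.\n" * 100,  # untouched plaintext
}

if __name__ == "__main__":
    for bucket, paths in triage(SAMPLE_FILES).items():
        print(f"{bucket}: {paths}")
```

Run it on a tree of collected files and the first bucket gives the confirmed impact, while the second lists candidates worth a manual look before restoring from backup.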
