Ransomware - Somnia

Somnia
Decryptor Available
No
Description

Little is known about Somnia besides what the Computer Emergency Response Team of Ukraine (CERT-UA) divulged. Based on their report, the ransomware targeted Ukrainian entities. It was meant for destructive purposes (wiper) and created by From Russia with Love (FRwL) (AKA: Z-Team). The report included minor technical information such as the file extension (.somnia) and encryption type - 3DES and AES-256-CBC. We also noted three sample hashes but no actual tangible samples to analyze. Aside from the payload itself, the FRwL group created a trojanized version of Advanced IP Scanner with Vidar Stealer and stole Telegram credentials from victims who downloaded and ran the trojan. From there, they gained access to corporate networks and used common tools to pivot within the network and exfiltrate data before deploying the final Somnia payload.

Ransomware Type
Crypto-Ransomware
Wiper
Country of Origin
Russia
First Seen
Last Seen
Threat Actors
Media type
Actor
Cybergroup
From Russia with Love (FRwL)
Extortion Types
Pseudo-Extortion
Encryption
Type
Symmetric
Files
3DES, AES-256-CBC
File Extension
<file name>.somnia
Samples (SHA-256)
156965227cbeeb0e387cb83adb93ccb3225f598136a43f7f60974591c12fafcf
ac5e68c15f5094cc6efb8d25e1b2eb13d1b38b104f31e1c76ce472537d715e08
e449c28e658bafb7e32c89b07ddee36cadeddfc77f17dd1be801b134a6857aa9