Ransomware - RansomBoggs

RansomBoggs
Aliases
Sullivan
Decryptor Available
No
Description

RansomBoggs is also known by its alias, Sullivan, because the ransom note uses Monsters Inc. themes, claiming the encryption event was performed by no other than James P. Sullivan. Additionally, the contact information includes Monsters Inc. references, and the ransom note is titled SullivanDecryptsYourFiles.txt. Aside from that, RansomBoggs is a traditional crypto-ransomware that encrypts files using AES-256-CBC and encrypts the resulting key with RSA-2048 encryption (the ransom note claims it's AES-128, but it's AES-256-CBC). However, ESET researchers who discovered this variant attribute it to the Sandworm group, which is further attributed to the Russian GRU. The group used this variant, along with many others, in the conflict against Ukraine in late 2022.

Ransom note picture derived from ESET

Ransomware Type
Crypto-Ransomware
Country of Origin
Russia
First Seen
Last Seen
Threat Actors
Type
Actor
APT
Sandworm
Extortion Types
Direct Extortion
Pseudo-Extortion
Communication
Medium
Identifier
Telegram
Tox
Encryption
Type
Hybrid
Files
AES-256-CBC
Key
RSA-2048
File Extension
<file name>.chsch
Ransom Note Name
SullivanDecryptsYourFiles.txt
Ransom Note Image
Samples (SHA-256)
78dcf144e82e947c20f152a8a57376b43e7aac3fee4bf1d18d22d4c14b25e56f
a490d03e780a6b664da65e20afa7845c6f79af60b6a496ff113bf9e9034e77d0