{
	"id": "7ace9b58-2fd3-4282-ac65-17192120e8ba",
	"created_at": "2026-04-06T00:21:33.333964Z",
	"updated_at": "2026-04-10T03:30:30.594317Z",
	"deleted_at": null,
	"sha1_hash": "d2a42bd66dbf2dfa4e2eade1ff35ed98609abdc5",
	"title": "RansomBoggs: New ransomware targeting Ukraine",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 448809,
	"plain_text": "RansomBoggs: New ransomware targeting Ukraine\r\nBy Editor\r\nArchived: 2026-04-05 22:53:43 UTC\r\nUkraine Crisis – Digital Security Resource Center\r\nESET researchers spot a new ransomware campaign that goes after Ukrainian organizations and has Sandworm's\r\nfingerprints all over it\r\n28 Nov 2022  •  , 2 min. read\r\nThe ESET research team has spotted a new wave of ransomware attacks taking aim at multiple organizations in\r\nUkraine and bearing the hallmarks of other campaigns previously unleashed by the Sandworm APT group.\r\nEven though the ransomware – called RansomBoggs by ESET and written in the .NET framework – is new,\r\nparticularly the way it is deployed bears close resemblance to some past attacks attributed to the notorious threat\r\nactor.\r\nESET has alerted Ukraine's Computer Emergency Response Team (CERT-UA) about the RansomBoggs\r\nonslaughts, which were first detected on November 21st. Depending on the variant, RansomBoggs is detected by\r\nESET products as MSIL/Filecoder.Sullivan.A and MSIL/Filecoder.RansomBoggs.A.\r\nRansomBoggs at a glance\r\nhttps://www.welivesecurity.com/2022/11/28/ransomboggs-new-ransomware-ukraine/\r\nPage 1 of 3\n\nRansomBoggs ransom note\r\nIn the ransom note seen above (SullivanDecryptsYourFiles.txt), the authors of RansomBoggs make multiple\r\nreferences to the Monsters Inc. movie, including by impersonating James P. Sullivan, the movie's main\r\nprotagonist.\r\nOnce unleashed, the new ransomware \"generates a random key and encrypts files using AES-256 in CBC mode\" –\r\nnot the AES key length of 128 bits mentioned in the ransom note. It then appends the .chsch extension to the\r\nencrypted files.\r\n\"The key is then RSA encrypted and written to aes.bin,\" said ESET researchers. Depending on the variant, the\r\nRSA public key is either hardcoded in the malware sample itself or provided as argument.\r\nAs for similarities with other onslaughts by Sandworm, the PowerShell script used to distribute RansomBoggs\r\nfrom the domain controller is almost identical to the one used in Industroyer2 attacks against Ukraine's energy\r\nsector in April of this year. The same script was used to deliver data-wiping malware called CaddyWiper that\r\nleveraged the ArguePatch loader and hit several dozen systems in a limited number of organizations in Ukraine in\r\nMarch.\r\nUkraine under fire\r\nhttps://www.welivesecurity.com/2022/11/28/ransomboggs-new-ransomware-ukraine/\r\nPage 2 of 3\n\nSandworm has a long track record of being behind some of the world’s most disruptive cyberattacks of the past\r\nnear-decade. It last entered the spotlight just weeks ago after it was fingered by Microsoft as being behind\r\nransomware called “Prestige” that hit several logistics companies in Ukraine and Poland in early October.\r\nThe aforementioned attacks do by no means give the full picture of the various threats that high-profile Ukrainian\r\norganizations have had to weather this year alone. For example, back on February 23rd, just hours before Russia\r\ninvaded Ukraine, ESET telemetry picked up HermeticWiper on the networks of several Ukrainian organizations.\r\nThe next day, a second destructive attack against a Ukrainian governmental network started, this time delivering\r\nIsaacWiper.\r\nIndeed, Ukraine has been on the receiving end of a number of highly disruptive cyberattacks by Sandworm since\r\nat least 2014, including BlackEnergy, GreyEnergy and the first iteration of Industroyer. The group was also behind\r\nthe NotPetya attack that swept through many corporate networks in Ukraine in June 2017 before spreading like\r\nwildfire globally and wreaking havoc in many organizations worldwide.\r\nFurther resources:\r\nESET Research webinar: How APT groups have turned Ukraine into a cyber‑battlefield\r\nESET APT Activity Report T2 2022\r\nLet us keep you\r\nup to date\r\nSign up for our newsletters\r\nSource: https://www.welivesecurity.com/2022/11/28/ransomboggs-new-ransomware-ukraine/\r\nhttps://www.welivesecurity.com/2022/11/28/ransomboggs-new-ransomware-ukraine/\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.welivesecurity.com/2022/11/28/ransomboggs-new-ransomware-ukraine/"
	],
	"report_names": [
		"ransomboggs-new-ransomware-ukraine"
	],
	"threat_actors": [
		{
			"id": "4d9cdc7f-72d6-4e17-89d8-f6323bfcaebb",
			"created_at": "2023-01-06T13:46:38.82716Z",
			"updated_at": "2026-04-10T02:00:03.113893Z",
			"deleted_at": null,
			"main_name": "GreyEnergy",
			"aliases": [],
			"source_name": "MISPGALAXY:GreyEnergy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434893,
	"ts_updated_at": 1775791830,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d2a42bd66dbf2dfa4e2eade1ff35ed98609abdc5.pdf",
		"text": "https://archive.orkl.eu/d2a42bd66dbf2dfa4e2eade1ff35ed98609abdc5.txt",
		"img": "https://archive.orkl.eu/d2a42bd66dbf2dfa4e2eade1ff35ed98609abdc5.jpg"
	}
}