View All R&D Articles

Russian Hackers Weaponize Ransomware in War with Ukraine

November 14, 2022

According to the Computer Emergency Response Team of Ukraine (CERT-UA), Russian hackers have used a new malware strain, “Somnia,” to disable information technology (IT) systems in Ukraine.

While the government of Ukraine has not confirmed the success of the attack, Somnia operates similarly to common ransomware: It encrypts files, preventing them from being usable and appending their file names with an identifiable file extension (in this case, .somnia). 

However, the weaponized version of Somnia does not offer the ability to decrypt the target files by paying a ransom. For that reason, it’s technically not “ransomware;” a more accurate description would be “encrypting malware.”  

The creators of Somnia have used the names “From Russia with Love” (FRwL) or “Z-Team,” according to a report from Bleeping Computer. The group also claims that Somnia allows them to perform surveillance of Ukrainian operations, though the targets of the Somnia attacks have been private corporations. Z-Team’s goal is to disable key Ukrainian infrastructure to support the Russian invasion. 

The Somnia malware infects computers using a traditional approach.

Russia flag with ransomware skull superimposedWhat’s notable about the attack — other than its obvious international importance — is that Somnia uses the same vectors for infiltration as other common ransomware variants. 

CERT-UA claims that the hacking group operates fake websites offering “Advanced IP Scanner” software downloads. When an employee downloads the installer, the executable steals the victim’s Telegram session data, then targets VPN connection data. 

Of course, if a Ukrainian organization uses two-factor authentication (2FA) to protect VPN data, the attack fails — but many organizations fail to implement 2FA on key systems. 

The latest version of the malware also uses AES-algorithm encryption, rather than the 3DES encryption used in other Somnia attacks. AES is thought to be more secure than 3DES (and more difficult to break). 3DES essentially runs the older DES algorithm three times to the information being encrypted, which is a time-consuming approach; AES is considered unbreakable, while 3DES is potentially breakable depending on its implementation. 

Related: Ransomware Attack Data Recovery: 4 Factors to Consider

Malware and Ransomware Protection: Key Factors

Ultimately, the latest Somnia attacks aren’t especially elegant or complex. The malware uses standard attack vectors, implements standard encryption, and targets the same types of data as other types of malware — but because Somnia was developed to aid Russian efforts, it’s a notable escalation in cyberwarfare. 

All organizations can be potential targets for malware and ransomware. Following the standard practices of data security can limit the chances of a successful attack:

  • Use two-factor authentication wherever possible. 
  • Choose secure, unique passwords.
  • Provide employees with sufficient cybersecurity training. Have strong policies preventing employees from opening emails from unknown sources, downloading files (including email attachments), or visiting unsecured websites.
  • Backup all data and ensure that key systems can be restored while minimizing data loss. 
  • Have a plan in place for responding to a ransomware or malware attack. Disconnect key systems as soon as the attack has been identified and do not attempt recovery without expert assistance.
  • Limit account privileges wherever possible. Do not provide administrative access to users who do not absolutely need it, and regularly review privileged user activities.
  • Engage in penetration testing (PEN testing) and consider hiring third-party experts to monitor potential threats.

At, we’ve helped thousands of organizations recover from data loss and implement strong cybersecurity practices. To learn more about PEN testing, cyber threat monitoring, and ransomware recovery, call us at 1-800-237-4200 or click here to start a case online.