Malware / Ransomware. Used by 1 actor.

RansomBoggs

RansomBoggs is a .NET ransomware family identified by ESET in Ukraine in November 2022. Reporting places it within Sandworm-linked disruptive operations against Ukraine; ESET detected a wave of RansomBoggs attacks in the country that it also linked to Sandworm. ESET stated that the malware was deployed using POWERGAP scripts and that, in the broader campaign context, Sandworm commonly used Active Directory Group Policy for deployment, which implies likely compromise of the victim's Active Directory environment in related incidents. The source material describes RansomBoggs as part of the set of destructive or faux-ransomware/wiper-style attacks used against Ukrainian targets during 2022, alongside families such as CaddyWiper, HermeticWiper, Industroyer2, IsaacWiper, Prestige, WhisperGate, and ZeroWipe. The high-confidence details directly supported by that content are limited: it is new ransomware written in .NET, it was observed in Ukraine, it is associated with Sandworm, and it was distributed via the same POWERGAP deployment scripting seen in other Sandworm disruptive operations. The provided content does not include specific encryption behavior, ransom note details, persistence mechanisms, or file/network indicators for RansomBoggs.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

Sandworm

Two months ago, ESET detected a wave of RansomBoggs ransomware attacks in the war-torn country that were also linked to Sandworm.

Source: ESET WeLiveSecurity blog (welivesecurity.com)
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (1)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.