A group named Crypt Ghouls has been identified as responsible for a series of ransomware attacks targeting Russian businesses and government organizations. Their main objectives are to disrupt operations and profit financially.
Kaspersky recently reported that this group uses tools like Mimikatz, XenAllPasswordPro, PingCastle, Localtonet, resocks, AnyDesk, PsExec, and others in their attacks, with LockBit 3.0 and Babuk being the ransomware used as the final payload.
The victims of these attacks include government agencies, as well as companies in mining, energy, finance, and retail sectors located in Russia.
Initial intrusions were traced back to contractor login credentials being used to access internal systems through VPN connections. These connections originated from IP addresses belonging to a Russian hosting provider and to a contractor's own network, so that the logins blended in with the trusted relationship the contractor already had with the victim.
The attacks involve a series of tools and utilities such as XenAllPasswordPro, CobInt, Mimikatz, dumper.ps1, MiniDump, cmd.exe, PingCastle, PAExec, AnyDesk, and resocks SOCKS5 proxy.
The attacks conclude with the encryption of system data using LockBit 3.0 for Windows and Babuk for Linux/ESXi, along with the encryption of data in the Recycle Bin to prevent recovery.
After encrypting the data, the attackers leave a ransom note containing contact details for further communication. On ESXi hosts, they connect to the server over SSH and launch the encryptor there so that the files of the hosted virtual machines are encrypted as well.
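The two access patterns described above (contractor VPN logins arriving from an unexpected network, and SSH logins to ESXi hosts from outside the expected admin range) are the kind of thing a defender can flag from authentication logs. The following is an added example, not code from the Kaspersky report or from any tool it names; the log format, account names, hostnames and the allowed networks are all constructed assumptions.

```python
import ipaddress
import re

# Constructed sample authentication events in a hypothetical "key=value" log format.
SAMPLE_EVENTS = [
    "2024-10-15T02:11:09Z vpn user=contractor_svc src=203.0.113.45 result=success",
    "2024-10-15T09:30:12Z vpn user=contractor_svc src=198.51.100.22 result=success",
    "2024-10-15T02:14:51Z ssh host=esxi01 user=root src=10.0.5.77 result=success",
    "2024-10-15T10:02:03Z ssh host=esxi01 user=root src=10.0.1.10 result=success",
    "2024-10-15T02:20:00Z vpn user=contractor_svc src=203.0.113.46 result=failure",
]

# Assumed policy (hypothetical): each contractor account may only connect from the
# contractor's own network, and ESXi SSH logins are expected only from the admin subnet.
CONTRACTOR_ALLOWED = {"contractor_svc": [ipaddress.ip_network("198.51.100.0/24")]}
ESXI_ADMIN_NETS = [ipaddress.ip_network("10.0.1.0/24")]

EVENT_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>vpn|ssh) (?P<kv>.*)$")


def parse_event(line):
    """Parse one log line into a dict; returns None for lines in another format."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    fields = dict(item.split("=", 1) for item in m.group("kv").split())
    fields["ts"], fields["kind"] = m.group("ts"), m.group("kind")
    return fields


def _in_any(ip, nets):
    return any(ip in net for net in nets)


def find_suspicious(lines):
    """Return (rule, subject, source_ip) tuples for successful logins that break policy."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if not ev or ev.get("result") != "success":
            continue  # failed attempts are noise for this check; only successes matter
        src = ipaddress.ip_address(ev["src"])
        if ev["kind"] == "vpn" and ev["user"] in CONTRACTOR_ALLOWED:
            if not _in_any(src, CONTRACTOR_ALLOWED[ev["user"]]):
                alerts.append(("contractor_vpn_from_unexpected_network", ev["user"], ev["src"]))
        elif ev["kind"] == "ssh" and ev.get("host", "").startswith("esxi"):
            if not _in_any(src, ESXI_ADMIN_NETS):
                alerts.append(("esxi_ssh_from_unexpected_source", ev["host"], ev["src"]))
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_EVENTS):
        print(alert)
```

Running it on the sample prints the contractor VPN login from the hosting-provider range and the ESXi SSH login from outside the admin subnet, while the in-policy logins and the failed attempt are ignored.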
These attacks by Crypt Ghouls resemble similar campaigns by other threat groups targeting Russia recently, including MorLock, BlackJack, Twelve, and Shedding Zmiy (ExCobalt).
Kaspersky noted the use of shared tools in these attacks, complicating the effort to identify the specific hacktivist groups involved and suggesting a collaboration among cybercriminals in exploiting compromised credentials and open-source tools.
This collaboration makes it challenging to pinpoint the malicious actors behind the attacks on Russian organizations, as they are not only sharing knowledge but also their toolkits.