A newly emerging threat group tracked as Crypt Ghouls has been linked to a series of cyber attacks on Russian businesses and government entities, deploying ransomware both to disrupt operations and for financial gain.
“The group in question possesses a toolkit that features utilities such as Mimikatz, XenAllPasswordPro, PingCastle, Localtonet, resocks, AnyDesk, PsExec, among others,” Kaspersky stated. “For their final payload, the group employed the well-known ransomware LockBit 3.0 and Babuk.”
The targets of these cyber attacks include government agencies as well as companies in the mining, energy, finance, and retail sectors within Russia.
The Russian cybersecurity firm noted that it could identify the initial intrusion vector in only two cases, wherein the threat actors used a contractor’s login credentials to access internal systems through a VPN.
The VPN connections reportedly originated from IP addresses in a Russian hosting provider's network and in a contractor's network, which points to a deliberate effort to stay inconspicuous by abusing trusted relationships. The contractors' own networks are suspected to have been compromised beforehand, either through their VPN services or through unpatched security vulnerabilities.
After initial access, the attackers maintain remote access with NSSM (a service wrapper that runs arbitrary programs as Windows services) and Localtonet (a tunneling service), and support the rest of the intrusion with tools including:
- XenAllPasswordPro for collecting authentication data
- CobInt backdoor
- Mimikatz for credential extraction
- dumper.ps1 for dumping Kerberos tickets from the LSA cache
- MiniDump for dumping the memory of lsass.exe so that login credentials can be extracted from it
- cmd.exe for copying the files in which Google Chrome and Microsoft Edge store saved credentials
- PingCastle for Active Directory reconnaissance
- PAExec for executing remote commands
- AnyDesk and the resocks SOCKS5 proxy for remote access
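As an added example (not code from the Kaspersky report or from this article), the following Python sketch shows how the tooling above translates into endpoint detection logic. It evaluates Sysmon-shaped ProcessCreate (Event ID 1) and ProcessAccess (Event ID 10) records for known or renamed tool binaries, NSSM service installation, copying of the Chrome/Edge "Login Data" credential stores, dumper.ps1 execution, and memory reads of lsass.exe. The sample events, the lsass allowlist, and the tool executable names are assumptions constructed for the example, not indicators published by Kaspersky.

```python
"""Flag Crypt Ghouls-style post-exploitation tooling in Sysmon-style telemetry.

Added example; not from the Kaspersky report. Field names follow Sysmon
Event ID 1 (ProcessCreate) and Event ID 10 (ProcessAccess); the events
themselves are constructed for this example.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# Executable names of the tools named in the article (assumed; attackers
# rename binaries, so the PE OriginalFileName is checked as well).
TOOL_NAMES = {
    "mimikatz.exe": "credential extraction (Mimikatz)",
    "xenallpasswordpro.exe": "authentication data collection (XenAllPasswordPro)",
    "pingcastle.exe": "Active Directory reconnaissance (PingCastle)",
    "localtonet.exe": "remote access tunnel (Localtonet)",
    "resocks.exe": "SOCKS5 proxy (resocks)",
    "anydesk.exe": "remote access (AnyDesk)",
    "psexec.exe": "remote command execution (PsExec)",
    "paexec.exe": "remote command execution (PAExec)",
    "nssm.exe": "service wrapper used for persistence (NSSM)",
}
# PROCESS_VM_READ (0x0010): the access right every lsass memory dump needs.
PROCESS_VM_READ = 0x0010
# Constructed allowlist of processes that legitimately read lsass; tune per environment.
LSASS_ALLOWLIST = frozenset({"msmpeng.exe", "csrss.exe", "wininit.exe", "services.exe"})
# Chrome and Edge keep saved logins in a SQLite file called "Login Data" under these paths.
BROWSER_CRED_STORES = ("\\google\\chrome\\user data\\", "\\microsoft\\edge\\user data\\")


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> list[Finding]:
    """Apply the rules to one Sysmon-shaped event and return all matches."""
    host = event.get("Computer", "?")
    findings: list[Finding] = []
    if event.get("EventID") == 1:  # ProcessCreate
        names = {_basename(event.get("Image", "")), event.get("OriginalFileName", "").lower()}
        cmd = event.get("CommandLine", "")
        low = cmd.lower()
        for name, what in TOOL_NAMES.items():
            if name in names:
                findings.append(Finding(host, "known-tool", f"{what}: {cmd}"))
        if "nssm.exe" in names and " install " in f" {low} ":
            findings.append(Finding(host, "service-persistence", cmd))
        if "cmd.exe" in names and "login data" in low and any(p in low for p in BROWSER_CRED_STORES):
            findings.append(Finding(host, "browser-credential-theft", cmd))
        if names & {"powershell.exe", "pwsh.exe"} and "dumper.ps1" in low:
            findings.append(Finding(host, "kerberos-ticket-dump", cmd))
    elif event.get("EventID") == 10:  # ProcessAccess
        source = _basename(event.get("SourceImage", ""))
        target = _basename(event.get("TargetImage", ""))
        granted = int(event.get("GrantedAccess", "0x0"), 16)
        if target == "lsass.exe" and granted & PROCESS_VM_READ and source not in LSASS_ALLOWLIST:
            findings.append(Finding(host, "lsass-memory-access", f"{source} access=0x{granted:X}"))
    return findings


def scan(lines: list[str]) -> list[Finding]:
    """Parse JSON-lines telemetry and collect findings in input order."""
    findings: list[Finding] = []
    for line in lines:
        findings.extend(evaluate(json.loads(line)))
    return findings


# Constructed sample telemetry (JSON lines), including one renamed NSSM binary,
# one allowlisted lsass reader and one benign process.
SAMPLE_EVENTS = [
    r'{"EventID":1,"Computer":"FS01","Image":"C:\\Windows\\Temp\\svc.exe","OriginalFileName":"nssm.exe","CommandLine":"svc.exe install localtonet C:\\Windows\\Temp\\localtonet.exe"}',
    r'{"EventID":1,"Computer":"FS01","Image":"C:\\Windows\\System32\\cmd.exe","OriginalFileName":"Cmd.Exe","CommandLine":"cmd.exe /c copy \"C:\\Users\\ivanov\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data\" C:\\Windows\\Temp\\c.db"}',
    r'{"EventID":10,"Computer":"DC01","SourceImage":"C:\\Windows\\Temp\\md.exe","TargetImage":"C:\\Windows\\system32\\lsass.exe","GrantedAccess":"0x1FFFFF"}',
    r'{"EventID":10,"Computer":"DC01","SourceImage":"C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\MsMpEng.exe","TargetImage":"C:\\Windows\\system32\\lsass.exe","GrantedAccess":"0x1410"}',
    r'{"EventID":1,"Computer":"WS07","Image":"C:\\Users\\Public\\paexec.exe","OriginalFileName":"PAExec.exe","CommandLine":"paexec.exe \\\\FS01 -s cmd.exe"}',
    r'{"EventID":1,"Computer":"WS07","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","OriginalFileName":"PowerShell.EXE","CommandLine":"powershell.exe -ep bypass -f C:\\Users\\Public\\dumper.ps1"}',
    r'{"EventID":1,"Computer":"WS07","Image":"C:\\Windows\\System32\\notepad.exe","OriginalFileName":"NOTEPAD.EXE","CommandLine":"notepad.exe"}',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.host:<5} {f.rule:<26} {f.detail}")
```

The renamed NSSM binary is caught only because OriginalFileName is checked alongside the on-disk name, and the lsass rule keys on the PROCESS_VM_READ bit rather than on one exact access mask, so MiniDump, Mimikatz and similar dumpers all match regardless of the mask they request; the allowlist is what keeps security products and core system processes out of the results.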
The attacks conclude with encryption using publicly available (leaked) builds of LockBit 3.0 for Windows and Babuk for Linux/ESXi. The attackers also encrypt the contents of the Recycle Bin, so that deleted but still recoverable files cannot be restored.
Crypt Ghouls have been observed leaving a ransom note containing a link with their ID in the Session messaging service, through which victims are expected to make contact. On virtualization hosts, the group connects to the ESXi server over SSH, uploads the Babuk ransomware, and then starts encrypting the virtual machine files.
Overlapping Tactics and Tools
The tools and infrastructure employed by Crypt Ghouls bear significant similarities to other recent attacks targeting Russian organizations by groups such as MorLock, BlackJack, Twelve, and Shedding Zmiy (also known as ExCobalt). These similarities indicate a broader trend of shared tactics among these threat actors.
Use of Compromised Credentials and Open-Source Tools
According to Kaspersky, these cybercriminals often leverage compromised credentials—frequently those belonging to subcontractors—and widely available open-source tools to infiltrate systems. This approach complicates efforts to attribute attacks to specific groups, as the tactics and tools are not unique to a single entity.
Knowledge and Resource Sharing
The observed pattern suggests that these actors are not only sharing technical knowledge but also their toolkits with one another. This collaborative approach makes it increasingly difficult to accurately identify and differentiate the specific hacktivist groups responsible for the numerous attacks targeting Russian organizations in recent months.
This trend points to a significant evolution in the ransomware landscape, where groups are pooling their resources to amplify their attack capabilities, blurring the lines between individual threat actors and making it more challenging to track their activities.