A new cybercriminal group, Crypt Ghouls, has been identified as the perpetrator behind a series of ransomware attacks targeting Russian businesses and government agencies.
These attacks aim to disrupt operations and extort financial payouts. The group employs various tools to infiltrate systems, steal data, and ultimately encrypt sensitive files using the LockBit 3.0 and Babuk ransomware variants.
According to reports, Crypt Ghouls utilizes a broad toolkit of utilities, including Mimikatz, XenAllPasswordPro, PingCastle, Localtonet, resocks, AnyDesk, and PsExec.
These tools help attackers gather credentials, maintain remote access, and carry out their malicious activities. The victims of these attacks span multiple sectors, including government, mining, energy, finance, and retail.
Investigators identified the initial intrusion method in a few cases, revealing that attackers used contractor credentials to infiltrate systems through VPN connections.
These connections came from IP addresses associated with Russian hosting providers and contractor networks, indicating the attackers exploited trusted relationships to bypass security. It’s suspected that these networks were compromised through vulnerabilities in VPN services or outdated security patches.
Once inside the target systems, Crypt Ghouls used various utilities to establish persistence and harvest login data. They employed XenAllPasswordPro to steal authentication credentials, Mimikatz to extract sensitive information, and several other tools to collect and exploit data.
The attacks concluded with the encryption of critical files using LockBit 3.0 for Windows systems and Babuk for Linux/ESXi environments. The attackers even encrypted data in the Recycle Bin to prevent recovery.
A ransom note, containing a link to the attackers’ contact information via the Session messaging platform, was left behind after each attack. The attackers accessed ESXi servers via SSH, uploaded the Babuk ransomware, and began encrypting files stored in virtual machines.
Crypt Ghouls shares tools and methods with other recent hacking campaigns targeting Russia, including those led by groups such as MorLock and BlackJack.
The overlap in techniques and infrastructure used by these cybercriminals makes it difficult to attribute the attacks to a single group. This suggests that hackers are sharing resources and knowledge, further complicating the identification of those responsible for the attacks on Russian organizations.
To defend against these ransomware attacks, organizations should prioritize securing remote access points like VPNs and keep software fully updated with the latest patches. Additionally, enforcing strong password policies, using multi-factor authentication (MFA), and regularly monitoring for suspicious activity can significantly reduce the risk of infiltration.
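One way to turn the intrusion detail above (contractor accounts authenticating over VPN from hosting-provider addresses) and the monitoring recommendation into a concrete check, as an added example that is not from the report or the article: successful contractor VPN logins are compared against an allow-list of the networks each contractor is expected to use. The log format, account names, and allow-listed networks are assumptions for illustration.

```python
import ipaddress
import re

# Constructed sample VPN authentication log lines (not taken from the article).
SAMPLE_VPN_LOG = """\
2024-09-12T02:14:09Z vpn-gw1 auth ok user=contractor_svc src=203.0.113.45 group=contractors
2024-09-12T09:30:11Z vpn-gw1 auth ok user=jdoe src=198.51.100.8 group=staff
2024-09-12T03:02:40Z vpn-gw1 auth ok user=contractor_ops src=198.51.100.200 group=contractors
2024-09-12T03:05:02Z vpn-gw1 auth fail user=contractor_ops src=203.0.113.77 group=contractors
2024-09-12T04:11:57Z vpn-gw1 auth ok user=contractor_new src=203.0.113.90 group=contractors
"""

# Assumed allow-list: the networks each contractor account is expected to connect from.
CONTRACTOR_NETWORKS = {
    "contractor_svc": [ipaddress.ip_network("198.51.100.0/24")],
    "contractor_ops": [ipaddress.ip_network("198.51.100.0/24")],
}

# Assumed log format; adapt the pattern to the real VPN gateway's output.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<gw>\S+) auth (?P<result>ok|fail) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) group=(?P<group>\S+)$"
)

def parse_line(line):
    """Return a dict of fields for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def find_suspicious_vpn_logins(lines):
    """Flag successful contractor logins from outside that contractor's allow-listed networks."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["result"] != "ok" or ev["group"] != "contractors":
            continue
        src = ipaddress.ip_address(ev["src"])
        allowed = CONTRACTOR_NETWORKS.get(ev["user"])
        if allowed is None:  # an undocumented contractor account is itself a finding
            reason = "no allow-listed source network for this contractor account"
        elif not any(src in net for net in allowed):
            reason = "source IP outside the contractor's allow-listed networks"
        else:
            continue
        alerts.append({"ts": ev["ts"], "user": ev["user"], "src": ev["src"], "reason": reason})
    return alerts

if __name__ == "__main__":
    for a in find_suspicious_vpn_logins(SAMPLE_VPN_LOG.splitlines()):
        print(f"{a['ts']} {a['user']} from {a['src']}: {a['reason']}")
```

In practice the allow-list would be fed from the contractor onboarding records, and a hit should be paired with MFA status and session duration before escalation.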