A new threat actor named Crypt Ghouls has been identified in a series of cyber attacks targeting businesses and government agencies in Russia with ransomware. The group’s tactics involve disrupting operations and seeking financial gain through the use of tools like Mimikatz, XenAllPasswordPro, and LockBit 3.0 and Babuk ransomware.
The victims of these attacks include government agencies, as well as companies in the mining, energy, finance, and retail sectors in Russia. The initial intrusion vector was traced back to contractor login credentials being used to reach internal systems over VPN, indicating that the attackers abused a trusted third-party relationship rather than breaking in directly.
The attacks involved VPN connections from IP addresses associated with Russian hosting providers and contractor networks. The threat actors used a variety of tools to maintain remote access and exploit systems, including XenAllPasswordPro, CobInt backdoor, Mimikatz, and PingCastle for reconnaissance.
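The intrusion vector described above, contractor VPN accounts used from hosting-provider address space, is something a defender can watch for in VPN authentication logs. The following Python script is an added example written for this page; it is not code from the original article or from the researchers who reported the activity. It assumes a simple CSV-style log line (`timestamp,username,source_ip,result`), a per-contractor allowlist of expected source ranges, and a business-hours window; the log lines, account names, and IP ranges are constructed sample data, not indicators from the report.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN authentication log (not from the original article).
# Format assumed for this example: timestamp,username,source_ip,result
SAMPLE_VPN_LOG = """\
2024-10-01T08:55:12Z,contractor-svc01,203.0.113.10,success
2024-10-01T09:02:44Z,contractor-svc01,203.0.113.12,success
2024-10-01T22:41:03Z,contractor-svc01,198.51.100.77,success
2024-10-01T22:43:19Z,contractor-svc01,203.0.113.200,success
2024-10-01T10:15:00Z,alice,10.20.30.40,success
2024-10-02T03:12:55Z,contractor-svc02,192.0.2.200,failure
2024-10-02T03:13:10Z,contractor-svc02,192.0.2.200,success
"""

# Assumed allowlist: the source ranges each contractor account is expected
# to connect from (hypothetical values for this example).
CONTRACTOR_ALLOWED_SOURCES = {
    "contractor-svc01": [ipaddress.ip_network("203.0.113.0/24")],
    "contractor-svc02": [ipaddress.ip_network("192.0.2.0/24")],
}

# Assumed business-hours window for contractor logins, in UTC: [start, end).
BUSINESS_HOURS = (7, 19)


def parse_log(text):
    """Parse the CSV-style log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, ip, result = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "ip": ipaddress.ip_address(ip),
            "result": result,
        })
    return events


def is_allowed_source(user, ip):
    """True if `ip` falls inside one of the user's allowlisted ranges.
    Accounts without an allowlist entry are not contractor accounts and pass."""
    nets = CONTRACTOR_ALLOWED_SOURCES.get(user)
    if nets is None:
        return True
    return any(ip in net for net in nets)


def detect(events, window=timedelta(minutes=10)):
    """Return a list of (rule, user, detail, timestamp) alerts for successful
    contractor logins that break one of three rules:
      unexpected_source - source IP outside the account's allowlist
      off_hours         - login outside BUSINESS_HOURS
      source_hopping    - same account from two different /24s within `window`
    """
    alerts = []
    by_user = defaultdict(list)
    for e in events:
        if e["result"] != "success":
            continue  # failed attempts are out of scope for these rules
        user = e["user"]
        if user not in CONTRACTOR_ALLOWED_SOURCES:
            continue  # only contractor accounts are evaluated here
        stamp = e["ts"].isoformat()
        if not is_allowed_source(user, e["ip"]):
            alerts.append(("unexpected_source", user, str(e["ip"]), stamp))
        if not (BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1]):
            alerts.append(("off_hours", user, str(e["ip"]), stamp))
        by_user[user].append(e)

    # Rule 3: consecutive successful logins from different /24s inside the window.
    for user, evs in by_user.items():
        evs.sort(key=lambda x: x["ts"])
        for prev, cur in zip(evs, evs[1:]):
            if cur["ts"] - prev["ts"] > window:
                continue
            prev_net = ipaddress.ip_network(f"{prev['ip']}/24", strict=False)
            cur_net = ipaddress.ip_network(f"{cur['ip']}/24", strict=False)
            if prev_net != cur_net:
                alerts.append(("source_hopping", user,
                               f"{prev['ip']}->{cur['ip']}", cur["ts"].isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_VPN_LOG)):
        print(alert)
```

On the constructed sample, the script flags `contractor-svc01` for a login from outside its allowlist, for two off-hours logins, and for hopping between two unrelated /24s within a couple of minutes, and flags `contractor-svc02` for a night-time login. In a real deployment the allowlist would come from the contractor onboarding record rather than a hard-coded dict, and the rules would be fed from the VPN concentrator's own log export.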
The attacks culminated in the encryption of system data using LockBit 3.0 for Windows and Babuk for Linux/ESXi, with additional measures taken to encrypt data in the Recycle Bin to hinder recovery. The group leaves ransom notes with contact information for future negotiations, showing a pattern of targeting Russian organizations similar to other cybercriminal groups.
The shared toolkit and infrastructure used in these attacks on Russia make it difficult to attribute them to specific hacktivist groups. The collaboration and tool-sharing among malicious actors indicate a sophisticated and coordinated effort to target Russian entities, posing a significant challenge for cybersecurity professionals in identifying and mitigating these threats.
