Crypt Ghouls Targets Russian Firms with LockBit 3.0 and Babuk Ransomware Attacks

A nascent threat actor known as Crypt Ghouls has been linked to a set of cyber attacks targeting Russian businesses and government agencies with ransomware, with the twin goals of disrupting business operations and financial gain.

"The group under review has a toolkit that includes utilities such as Mimikatz, XenAllPasswordPro, PingCastle, Localtonet, resocks, AnyDesk, PsExec, and others," Kaspersky said. "As the final payload, the group used the well-known ransomware LockBit 3.0 and Babuk."

Victims of the malicious attacks span government agencies as well as mining, energy, finance, and retail companies located in Russia.

The Russian cybersecurity vendor said it was able to pinpoint the initial intrusion vector in only two instances, with the threat actors leveraging a contractor's login credentials to connect to the internal systems via VPN.

The VPN connections are said to have originated from IP addresses associated with a Russian hosting provider's network and a contractor's network, indicating an attempt to fly under the radar by weaponizing trusted relationships. It's believed that the contractor networks are breached by means of VPN services or unpatched security flaws.

The initial access phase is succeeded by the use of NSSM and Localtonet utilities to maintain remote access, with follow-on exploitation facilitated by tools such as follows:

The attacks end with the encryption of system data using publicly available versions of LockBit 3.0 for Windows and Babuk for Linux/ESXi, while also taking steps to encrypt data present in the Recycle Bin to inhibit recovery.

"The attackers leave a ransom note with a link containing their ID in the Session messaging service for future contact," Kaspersky said. "They would connect to the ESXi server via SSH, upload Babuk, and initiate the encryption process for the files within the virtual machines."

Crypt Ghouls' choice of tools and infrastructure in these attacks overlaps with similar campaigns conducted by other groups targeting Russia in recent months, including MorLock, BlackJack, Twelve, and Shedding Zmiy (aka ExCobalt).

"Cybercriminals are leveraging compromised credentials, often belonging to subcontractors, and popular open-source tools," the company said. "The shared toolkit used in attacks on Russia makes it challenging to pinpoint the specific hacktivist groups involved."

"This suggests that the current actors are not only sharing knowledge but also their toolkits. All of this only makes it more difficult to identify specific malicious actors behind the wave of attacks directed at Russian organizations."
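As an added example, not part of the article or of Kaspersky's research, the following Python code shows two small detection checks for the behaviours described above: a contractor VPN account authenticating from a network other than the one allowlisted for it (the hosting-provider pattern), and a Windows service-install event (System log event 7045) whose image path points at NSSM. The account names, IP ranges, VPN log format and event records are constructed for the example; the 7045 field names (`ServiceName`, `ImagePath`) are those of the real event.

```python
import ipaddress
from dataclasses import dataclass

# Constructed allowlist: the network each contractor account is expected to
# connect from. Hypothetical names and ranges; real values come from the
# organisation's own VPN and IAM records.
CONTRACTOR_ALLOWLIST = {
    "svc_contractor_hvac": [ipaddress.ip_network("198.51.100.0/24")],
    "it_outsourcer_adm": [ipaddress.ip_network("203.0.113.0/24")],
}

# Constructed stand-in for ranges announced by commercial hosting providers
# (TEST-NET documentation range used here instead of real hosting ASNs).
HOSTING_RANGES = [ipaddress.ip_network("192.0.2.0/24")]


@dataclass
class VpnLogin:
    ts: str
    user: str
    src_ip: str


def parse_vpn_line(line):
    # Constructed log format: "<timestamp> vpn-auth key=value ..." with
    # user=, src= and result= fields in any order.
    tokens = line.split()
    fields = dict(tok.split("=", 1) for tok in tokens[2:])
    return VpnLogin(ts=tokens[0], user=fields["user"], src_ip=fields["src"]), fields.get("result")


def flag_vpn_logins(lines):
    """Return (ts, user, src_ip, reason) for successful contractor logins
    whose source address falls outside that contractor's allowlisted network."""
    alerts = []
    for line in lines:
        login, result = parse_vpn_line(line)
        if result != "ok" or login.user not in CONTRACTOR_ALLOWLIST:
            continue
        ip = ipaddress.ip_address(login.src_ip)
        if any(ip in net for net in CONTRACTOR_ALLOWLIST[login.user]):
            continue
        if any(ip in net for net in HOSTING_RANGES):
            reason = "hosting-provider range"
        else:
            reason = "unexpected source network"
        alerts.append((login.ts, login.user, login.src_ip, reason))
    return alerts


def flag_service_installs(events):
    """Return (ServiceName, ImagePath) for event 7045 records whose image path
    references nssm. NSSM is a legitimate service wrapper, so this is a hunting
    lead to review against change records, not a verdict."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 7045:
            continue
        path = ev.get("ImagePath", "")
        if "nssm" in path.lower():
            hits.append((ev["ServiceName"], path))
    return hits


# Constructed sample input for both checks.
SAMPLE_VPN_LOG = [
    "2024-10-01T08:02:11Z vpn-auth user=svc_contractor_hvac src=198.51.100.17 result=ok",
    "2024-10-01T23:41:05Z vpn-auth user=svc_contractor_hvac src=192.0.2.77 result=ok",
    "2024-10-02T01:12:40Z vpn-auth user=it_outsourcer_adm src=203.0.113.9 result=fail",
    "2024-10-02T01:13:02Z vpn-auth user=it_outsourcer_adm src=100.64.0.5 result=ok",
    "2024-10-02T09:00:00Z vpn-auth user=alice result=ok src=10.0.0.5",
]

SAMPLE_SERVICE_EVENTS = [
    {"EventID": 7045, "ServiceName": "Spooler", "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"EventID": 7045, "ServiceName": "UpdateHelper", "ImagePath": r"C:\ProgramData\tools\nssm.exe"},
    {"EventID": 7036, "ServiceName": "nssm-svc", "ImagePath": ""},
]

if __name__ == "__main__":
    for alert in flag_vpn_logins(SAMPLE_VPN_LOG):
        print("VPN anomaly:", alert)
    for hit in flag_service_installs(SAMPLE_SERVICE_EVENTS):
        print("Service installed via NSSM:", hit)
```

Both checks are deliberately narrow: the VPN check only fires for accounts that have an allowlist entry, so it needs an inventory of third-party accounts to be useful, and the service check matches on the image path because a wrapper such as NSSM hides the real payload behind a service name chosen by whoever installed it.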