The Crypt Ghouls group is targeting Russian businesses and government agencies with ransomware attacks. Its toolkit includes utilities such as Mimikatz, XenAllPasswordPro and PingCastle, and the group deploys LockBit 3.0 and Babuk ransomware as its final payloads. Initial access is often gained through compromised contractor credentials. The attackers use a range of techniques to harvest login credentials, perform network reconnaissance, and move laterally. Overlaps in tools and tactics with other groups targeting Russia suggest possible collaboration or resource sharing among these threat actors. Victims include Russian government agencies and companies in the mining, energy, finance, and retail sectors.
Author: AlienVault
Related Tags:
CobInt
Vasa Locker
Babyk
Babuk – S0638
LockBit 3.0
T1550.002
T1021.006
Credential Harvesting
lateral movement
Associated Indicators: