Russian Companies Targeted by Crypt Ghouls Using LockBit 3.0 and Babuk Ransomware
An emerging threat group identified as Crypt Ghouls has been associated with a series of cyber offensives against Russian enterprises and governmental bodies using ransomware to disrupt operations and seek financial rewards.
“The examined group employs a range of tools like Mimikatz, XenAllPasswordPro, PingCastle, Localtonet, resocks, AnyDesk, PsExec, and others,” according to Kaspersky’s report. “For the primary attack, they deploy the infamous ransomware LockBit 3.0 and Babuk.”
Targets of these destructive campaigns encompass government institutions and businesses in sectors such as mining, energy, finance, and retail based in Russia.
According to the Russian cybersecurity firm, the initial breach point could be traced back in only two incidents; in both, the adversaries used a contractor's credentials to gain access to internal networks via VPN.
The VPN links are believed to have emanated from IP addresses linked to a Russian hosting service and a subcontractor’s network, suggesting an attempt to evade detection by exploiting trusted relationships. The subcontractor networks are presumably breached using VPN services or unpatched security vulnerabilities.
Following the initial breach, the NSSM and Localtonet tools are deployed to sustain remote access, with further exploitation carried out through the following utilities:
- XenAllPasswordPro for harvesting authentication details
- CobInt backdoor
- Mimikatz for extracting victim credentials
- dumper.ps1 to retrieve Kerberos tickets from the LSA cache
- MiniDump for fetching login credentials from the memory of lsass.exe
- cmd.exe to copy credentials stored in Google Chrome and Microsoft Edge browsers
- PingCastle for network reconnaissance
- PAExec for executing remote commands
- AnyDesk and resocks SOCKS5 proxy for remote access
The onslaught concludes with data encryption using publicly available versions of LockBit 3.0 for Windows and Babuk for Linux/ESXi, coupled with efforts to encrypt data residing in the Recycle Bin to impede recovery.
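A defender-side triage sketch for the tool chain listed above, added here as an example and not taken from Kaspersky's report: it maps each named tool to the stage it serves and records how many distinct stages a host shows, so that a lone AnyDesk or PsExec run (common in legitimate administration) does not by itself look like the full chain. The event format and the sample records are constructed, not real telemetry.

```python
from collections import defaultdict

# Tool -> attack stage, taken from the tool list in the report.
STAGE_OF_TOOL = {
    "nssm.exe": "persistence", "localtonet.exe": "persistence",
    "xenallpasswordpro.exe": "credential_access",
    "mimikatz.exe": "credential_access", "dumper.ps1": "credential_access",
    "minidump.exe": "credential_access",
    "pingcastle.exe": "discovery",
    "paexec.exe": "lateral_movement", "psexec.exe": "lateral_movement",
    "anydesk.exe": "remote_access", "resocks.exe": "remote_access",
}
STAGE_ORDER = ["persistence", "credential_access", "discovery",
               "lateral_movement", "remote_access"]


def stage_for(image_path, command_line=""):
    """Map one process-creation event to a stage, or None.
    A cmd.exe copy of a Chrome/Edge 'Login Data' store is also treated
    as credential access, since the binary name alone reveals nothing."""
    name = image_path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name in STAGE_OF_TOOL:
        return STAGE_OF_TOOL[name]
    cl = command_line.lower()
    if name == "cmd.exe" and "login data" in cl and ("chrome" in cl or "edge" in cl):
        return "credential_access"
    return None


def score_hosts(events):
    """Return {host: distinct stages seen, in chain order}. A host showing
    several stages is far more suspicious than one with a single hit."""
    seen = defaultdict(set)
    for ev in events:
        st = stage_for(ev["image"], ev.get("cmdline", ""))
        if st:
            seen[ev["host"]].add(st)
    return {h: [s for s in STAGE_ORDER if s in st] for h, st in seen.items()}


# Constructed sample events (assumed simplified format, not real logs).
SAMPLE_EVENTS = [
    {"host": "srv01", "image": "C:\\Tools\\nssm.exe",
     "cmdline": "nssm install UpdateSvc C:\\Tools\\localtonet.exe"},
    {"host": "srv01", "image": "C:\\Users\\x\\mimikatz.exe"},
    {"host": "srv01", "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": 'cmd /c copy "%LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Login Data" C:\\t\\'},
    {"host": "srv01", "image": "C:\\Temp\\PingCastle.exe"},
    {"host": "ws17", "image": "C:\\Program Files\\AnyDesk\\AnyDesk.exe"},
]
```

Running `score_hosts(SAMPLE_EVENTS)` reports three chain stages on srv01 and only remote access on ws17.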
“A ransom message with an ID link is left by the attackers in the Session chat service for future reference,” noted Kaspersky. “They establish a connection to the ESXi server via SSH, upload Babuk, and commence encrypting files within the virtual machines.”
The toolset and infrastructure chosen by Crypt Ghouls in these offensives overlap with similar assaults carried out by other factions targeting Russia in recent times, including MorLock, BlackJack, Twelve, and Shedding Zmiy (also known as ExCobalt).
“Criminal elements are exploiting compromised access credentials, frequently from subcontractors, and commonly available open-source tools,” the firm declared. “The overlapping toolkits used in attacks against Russia make it arduous to identify the hacking collectives responsible.”
“This implies that the present actors are exchanging not only expertise but also their tool arsenals. This complexity further complicates the task of pinpointing the specific malicious entities orchestrating the surge of assaults targeted at Russian entities.”