Analyzing the familiar tools used by the Crypt Ghouls hacktivists

Oct. 21, 2024, 9:54 a.m.

Description

The Crypt Ghouls group is targeting Russian businesses and government agencies with ransomware attacks. They utilize a toolkit including utilities like Mimikatz, XenAllPasswordPro, PingCastle, and others. The group employs LockBit 3.0 and Babuk ransomware as final payloads. Initial access is often gained through compromised contractor credentials. The attackers use various techniques to harvest login credentials, perform network reconnaissance, and spread laterally. There are overlaps in tools and tactics with other groups targeting Russia, suggesting potential collaboration or resource sharing among threat actors. Victims include Russian government agencies and companies in mining, energy, finance, and retail sectors.

Date

  • Created: Oct. 18, 2024, 2:09 p.m.
  • Published: Oct. 18, 2024, 2:09 p.m.
  • Modified: Oct. 21, 2024, 9:54 a.m.

Indicators

  • 169.150.197.10

Attack Patterns

  • CobInt
  • LockBit 3.0
  • Vasa Locker
  • Babyk
  • Babuk - S0638
  • Crypt Ghouls

Additional Information

  • Retail
  • Energy
  • Finance
  • Government
  • Russian Federation