
New cybercrime groups appear constantly, adapting their tooling to get past whatever defences their targets have in place. One of the more recent is Crypt Ghouls, a group that runs ransomware attacks against Russian companies and government organizations. Its use of established ransomware families (LockBit 3.0 and Babuk) together with tooling shared with other criminal groups makes it a notable threat, at least to organizations in its target region.
Discovery of Crypt Ghouls and Their Network of Alliances
Kaspersky researchers first identified Crypt Ghouls activity in December 2023. The group is not only proficient with ransomware but also at getting into corporate networks over VPN, typically with compromised contractor credentials. More importantly for attribution, Crypt Ghouls shares tools and techniques with other groups such as MorLock, BlackJack, and Twelve, which suggests either direct collaboration or at least a shared pool of tools and infrastructure.
These connections complicate efforts to identify and track the group, as the overlap in tactics, techniques, and procedures (TTPs) makes it challenging to pinpoint the individual actors behind specific attacks.
Sophisticated Attack Strategies
Crypt Ghouls' initial access is not exotic: they log in over the victim's VPN using contractor accounts, a path that often receives less scrutiny than employee logins. Once inside, they deploy Localtonet, a utility that exposes internal services through an encrypted outbound tunnel, and NSSM (Non-Sucking Service Manager), a utility that wraps an arbitrary executable as a Windows service. Registering their tunnels and access tools as services is what gives them persistence across reboots.
Credential Theft Tools
Once inside a network, the group runs Mimikatz, which extracts credentials and Kerberos tickets from LSASS memory, and XenAllPasswordPro, which collects passwords saved by the operating system and applications. With those credentials the attackers move laterally and escalate to accounts with broader access across the domain. AnyDesk and resocks (a SOCKS proxy tunneling tool) give them remote access that blends in with ordinary remote-support and proxy traffic.
Use of Ransomware: LockBit 3.0 and Babuk
Crypt Ghouls rely on LockBit 3.0 and Babuk encryptors to carry out their attacks: LockBit 3.0 on Windows hosts and Babuk on Linux servers. Neither family is novel, but both are effective, and file recovery without backups is unrealistic. One detail worth noting is that the attackers also pointed the encryptor at the Recycle Bin folder, encrypting and renaming the files there so that recently deleted copies cannot be recovered either.
Advanced Techniques: DLL Sideloading and WMI Execution
Crypt Ghouls also use DLL sideloading. A legitimate, usually signed executable is placed alongside a malicious DLL that carries the name of a library the executable imports; because the Windows loader resolves an unqualified library name from the application's own directory first, the trusted process ends up running attacker code. Since the parent process is a genuine signed binary, allow-listing and simple process-name rules do not fire. They also execute commands on remote hosts through WMI (Windows Management Instrumentation), an ordinary administrative channel, which lets them run operations across the victim's network without dropping additional tooling on every host.
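To make concrete why a sideloaded DLL wins, here is an added example (not code from the page or from Kaspersky's report) that simulates the Windows DLL search order over a constructed in-memory file listing and then runs a simple defender-side sweep for unsigned DLLs that shadow system libraries. The directory layout, the hypothetical updater.exe host binary, the choice of version.dll and the signed flags are all assumptions for illustration; the only facts taken from Windows are the default search order and the KnownDLLs exception.

```python
"""Why DLL sideloading works: the loader resolves an unqualified library name by
search order, not by signature. Added example with a constructed file listing;
the directory layout, updater.exe and the signed flags are assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SYSTEM32 = r"C:\Windows\System32"
WINDIR = r"C:\Windows"

# Names the loader always takes from System32 (a small subset of the real
# KnownDLLs list in the registry); every other name goes through the search order.
KNOWN_DLLS = frozenset({"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll"})


@dataclass(frozen=True)
class FileEntry:
    path: str
    signed: bool  # constructed attribute: whether the file would pass an Authenticode check


def norm(path: str) -> str:
    """Case-insensitive key, as NTFS path lookups are."""
    return path.lower().rstrip("\\")


def build_fs(entries: List[FileEntry]) -> Dict[str, FileEntry]:
    return {norm(e.path): e for e in entries}


def search_order(app_dir: str, cwd: str, path_env: List[str]) -> List[str]:
    """Default order with SafeDllSearchMode enabled: the directory of the
    executable first, then System32 and the Windows directory, then the
    current directory, then each PATH entry."""
    return [app_dir, SYSTEM32, WINDIR, cwd, *path_env]


def resolve_dll(name: str, app_dir: str, cwd: str, path_env: List[str],
                fs: Dict[str, FileEntry]) -> Optional[FileEntry]:
    """Return the file the loader would map for LoadLibrary(name) with no path given."""
    if name.lower() in KNOWN_DLLS:
        return fs.get(norm(f"{SYSTEM32}\\{name}"))
    for directory in search_order(app_dir, cwd, path_env):
        hit = fs.get(norm(f"{directory}\\{name}"))
        if hit is not None:
            return hit  # first match wins; no signature check happens here
    return None


def sideload_candidates(fs: Dict[str, FileEntry]) -> List[str]:
    """Defender-side sweep: unsigned DLLs outside the Windows directory that carry
    the name of a System32 library. Any executable in that directory importing the
    name would load the unsigned copy instead of the real one."""
    system32_prefix = norm(SYSTEM32) + "\\"
    system_names = {key.rsplit("\\", 1)[-1] for key in fs if key.startswith(system32_prefix)}
    hits = []
    for key, entry in fs.items():
        directory, base = key.rsplit("\\", 1)
        if (base in system_names and base not in KNOWN_DLLS
                and not directory.startswith(norm(WINDIR)) and not entry.signed):
            hits.append(entry.path)
    return sorted(hits)


# Constructed listing: a signed host binary dropped next to an unsigned version.dll.
CONSTRUCTED_FS = build_fs([
    FileEntry(r"C:\Windows\System32\kernel32.dll", signed=True),
    FileEntry(r"C:\Windows\System32\version.dll", signed=True),
    FileEntry(r"C:\Users\Public\Tools\updater.exe", signed=True),   # hypothetical signed host
    FileEntry(r"C:\Users\Public\Tools\version.dll", signed=False),  # hypothetical planted DLL
])


def demo() -> Tuple[str, str, List[str]]:
    """Resolve one sideloadable name and one KnownDLL from the host's directory."""
    app_dir = r"C:\Users\Public\Tools"
    cwd = r"C:\Users\Public"
    sideloaded = resolve_dll("version.dll", app_dir, cwd, [], CONSTRUCTED_FS)
    protected = resolve_dll("kernel32.dll", app_dir, cwd, [], CONSTRUCTED_FS)
    return sideloaded.path, protected.path, sideload_candidates(CONSTRUCTED_FS)


if __name__ == "__main__":
    print(demo())
```

The simulation shows the two halves of the technique: version.dll is taken from the application directory because it is not a KnownDLL, while kernel32.dll is not sideloadable that way. In a real sweep the signed flag would come from an Authenticode check (for example Get-AuthenticodeSignature in PowerShell), and module-load telemetry such as Sysmon Event ID 7 is a better source than a filesystem walk, since it records which process actually mapped which DLL.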
In some intrusions they deploy CobInt, a backdoor that retrieves further payloads from its command and control (C2) servers; PowerShell scripts are used alongside it to run those payloads and collect data from compromised hosts.
Targeting Critical Russian Sectors
Crypt Ghouls have targeted Russian organizations in energy, finance, mining, and commerce. The attacks caused direct financial losses and, in several cases, disrupted business operations for extended periods.
That combination of extortion and disruption is what makes ransomware against such sectors dangerous: an outage at an energy or financial company affects its customers and partners, not just the victim paying (or refusing to pay) the ransom.
Credential Harvesting and Network Reconnaissance
A cornerstone of Crypt Ghouls' attacks is credential theft. They use XenAllPasswordPro to gather saved authentication data from victim systems, which lets them move laterally and reach sensitive data. On domain controllers they also dump NTDS.dit, the Active Directory database, which holds the password hashes of every domain account; together with the SYSTEM registry hive (needed to decrypt it), a copy of that file lets an attacker crack or reuse the hash of any account in the domain.
Beyond that, the group steals login data saved in browsers such as Google Chrome and Microsoft Edge. With this information they compromise further user accounts and gain access to additional internal and cloud systems.
Remote Access: Tools of Persistence
Maintaining remote access to compromised systems is central to Crypt Ghouls' operations. They use AnyDesk and Localtonet to establish persistent remote connections, and their inbound connections often originate from Surfshark VPN exit nodes, which hides the operators' real source addresses.
With remote access in place, the group deploys the ransomware: LockBit 3.0 on Windows and Babuk on Linux. Alongside encryption, the attackers disable Windows Defender and clear the Windows event logs, so the host offers responders little evidence and recovery without clean backups is unrealistic.
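The behaviours described above leave recognisable traces in Windows event logs: services registered for tunneling or remote-access tools (the NSSM and Localtonet persistence described earlier), command lines that take a copy of NTDS.dit (the credential harvesting section), and the event-log clearing just mentioned. The following is an added example, not code from the page or from Kaspersky, of detection logic for those three behaviours run over constructed event records. The flattened dict schema, the sample events and the account name contractor01 are assumptions, not telemetry from any real incident.

```python
"""Detection logic for three behaviours from the write-up, run over constructed
Windows event records: service installs wrapping tunneling/remote-access tools
(Event 7045), NTDS.dit extraction patterns in process creation (Event 4688 with
command-line auditing enabled), and clearing of the Security log (Event 1102).
Added example; the flattened dict schema, the sample events and the account
name 'contractor01' are assumptions, not data from any real incident."""
from __future__ import annotations

import re
from typing import Callable, Dict, Iterable, List, Optional, Tuple

Event = Dict[str, str]

# Tools named in the write-up that have no business being installed as services
# on most hosts; matched as whole words against the service image path.
TUNNEL_OR_RMM = re.compile(r"\b(nssm|localtonet|anydesk|resocks)\b", re.I)

# Command lines associated with taking a copy of the AD database or LSASS secrets.
CREDENTIAL_DUMP = [
    re.compile(r"ntdsutil.*\bifm\b", re.I),            # 'ac i ntds' 'ifm' 'create full ...'
    re.compile(r"vssadmin\s+create\s+shadow", re.I),   # shadow copy to read a locked ntds.dit
    re.compile(r"ntds\.dit", re.I),                    # direct copy from a shadow-copy path
    re.compile(r"sekurlsa|lsadump", re.I),             # mimikatz modules
]


def check_service_install(ev: Event) -> Optional[str]:
    m = TUNNEL_OR_RMM.search(ev.get("ImagePath", ""))
    if m:
        return f"service '{ev.get('ServiceName')}' runs {m.group(1).lower()}: {ev['ImagePath']}"
    return None


def check_process_creation(ev: Event) -> Optional[str]:
    cmd = ev.get("CommandLine", "")
    for pat in CREDENTIAL_DUMP:
        if pat.search(cmd):
            return f"credential-dump pattern /{pat.pattern}/ by {ev.get('SubjectUserName')}: {cmd}"
    return None


def check_log_cleared(ev: Event) -> Optional[str]:
    # Event 1102 is itself the signal; record who did it for correlation.
    return f"Security log cleared by {ev.get('SubjectUserName')}"


RULES: Dict[str, Callable[[Event], Optional[str]]] = {
    "7045": check_service_install,
    "4688": check_process_creation,
    "1102": check_log_cleared,
}


def scan(events: Iterable[Event]) -> List[Tuple[str, str]]:
    """Return (EventID, finding) pairs for every event that trips a rule."""
    findings: List[Tuple[str, str]] = []
    for ev in events:
        rule = RULES.get(ev.get("EventID", ""))
        if rule is None:
            continue
        msg = rule(ev)
        if msg:
            findings.append((ev["EventID"], msg))
    return findings


# Constructed sample events (not real telemetry).
CONSTRUCTED_EVENTS: List[Event] = [
    {"EventID": "7045", "ServiceName": "SpoolerHelper",
     "ImagePath": r"C:\ProgramData\svc\nssm.exe"},
    {"EventID": "7045", "ServiceName": "TeamSync",
     "ImagePath": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"EventID": "7045", "ServiceName": "AnyDesk Service",
     "ImagePath": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe --service"},
    {"EventID": "4688", "SubjectUserName": "contractor01",
     "CommandLine": r'ntdsutil "ac i ntds" "ifm" "create full C:\temp\dump" q q'},
    {"EventID": "4688", "SubjectUserName": "contractor01",
     "CommandLine": "vssadmin create shadow /for=C:"},
    {"EventID": "4688", "SubjectUserName": "jdoe",
     "CommandLine": "notepad.exe readme.txt"},
    {"EventID": "1102", "SubjectUserName": "contractor01"},
]


def demo() -> List[Tuple[str, str]]:
    return scan(CONSTRUCTED_EVENTS)


if __name__ == "__main__":
    for event_id, finding in demo():
        print(event_id, finding)
```

Two caveats for anyone turning this into production rules. The 4688 command line is only populated when "Audit Process Creation" is enabled together with the "Include command line in process creation events" policy; without it the NTDS.dit rules see empty strings. And vssadmin create shadow, like a cleared log, also occurs during legitimate backup and administration, so these hits are most useful correlated by account and time window (the same contractor account creating a shadow copy, then running ntdsutil, then clearing the log) rather than as stand-alone alerts.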
Collaborating with Other Cybercriminals
A notable aspect of Crypt Ghouls' operations is the overlap with other cybercriminal groups. Many of their tools and techniques, including resocks, XenAllPasswordPro, and CobInt, also appear in intrusions attributed to MorLock, BlackJack, and Twelve. Sharing tooling lowers the cost of running operations for each group and, at the same time, makes it harder for defenders to attribute a specific attack to a specific group.
Evidence of Collaboration
For example, resocks, which Crypt Ghouls use for traffic tunneling, has also been identified in attacks attributed to MorLock. Likewise, XenAllPasswordPro turns up in attacks by several different groups, pointing to shared tooling, if not shared operators.
This collaboration complicates efforts to defend against these attacks, as the shared use of tools and techniques blurs the lines between different hacker groups. As a result, it is increasingly difficult to identify and track specific actors responsible for these malicious activities.
The Devastating Consequences for Russian Enterprises
The attacks carried out by Crypt Ghouls have had serious consequences for Russian companies, particularly in industries critical to the economy. Targeting energy, finance, and mining has caused both immediate financial damage and longer-term disruption of services.
The intrusions described here did not rely on novel exploits: contractor VPN accounts, well-known credential-theft tools, and established ransomware families were enough. The lesson for defenders is correspondingly unglamorous: multi-factor authentication on VPN access, narrowly scoped third-party accounts, monitoring for tunneling and remote-access tools, and off-line backups that survive an attacker with domain-admin rights.
Conclusion: A Growing Cyber Threat
The rise of Crypt Ghouls is one more data point in the broader growth of ransomware. Their techniques, their overlap with other groups, and their use of LockBit 3.0 and Babuk make them a capable adversary.
As they continue to target Russian organizations, businesses there should tighten controls on third-party contractor accounts and VPN access in particular: MFA, least-privilege permissions, time-bound access, and alerting on logins from unexpected sources. The Crypt Ghouls attacks are a reminder that attackers evolve constantly, and that defending against them requires vigilance and a proactive approach rather than a one-time investment.