Crypt Ghouls Strike Russian Companies with LockBit 3.0 and Babuk Ransomware Assaults
A newly surfaced cyber gang called Crypt Ghouls has been stirring up trouble with a string of ransomware hits aimed at Russian companies and even government offices. The goal is to knock out their operations and make some serious cash on the side.
Kaspersky, the cybersecurity peeps, have found out that these digital tricksters are using a toolkit full of cheeky programs like Mimikatz, XenAllPasswordPro, PingCastle, and Localtonet to do their dirty work. They're also notorious for dropping the big guns, LockBit 3.0 and Babuk, to really lock things down.
The poor souls who've been hit by these attacks are all over the place, from government offices to mining, energy, finance, and retail companies. Kaspersky's detectives figured out that in two of these cases, the bad guys sneaked in by using a contractor's VPN login details.
Once they're cozied up inside the network, the Crypt Ghouls get busy with tools like NSSM and Localtonet to keep their sneaky access. Then they go on a spree: XenAllPasswordPro to grab stored passwords, CobInt as a sneaky backdoor, Mimikatz to get more login details, a script named dumper.ps1 to swipe Kerberos tickets, and MiniDump to snatch login secrets out of lsass.exe, the Windows process that holds logon credentials in memory. Oh, and they don't forget to use cmd.exe to pull your browser history and see what you've been up to. They're thorough, I'll give them that.
After they've had their fill of poking around, they let loose with LockBit 3.0 on Windows machines and Babuk on the Linux and ESXi hosts. They're so thorough that they even encrypt the stuff you thought you could still rescue from the Recycle Bin.
These cyber baddies leave a cheeky message with a link to a Session messaging service to chat about their ransom demands. They're like, "Hey, we've got your files, wanna talk?" Kaspersky says they're logging into your virtual machines with SSH and letting the encryption chaos begin.
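To turn the tool chain above into something a blue team can hunt for, here is an added example (my own code, not Kaspersky's and not anything from the report) of a small rule set run over constructed, made-up telemetry lines. The key=value log shape, the host names (WS01, DC01, esxi01), the allowlists of expected LSASS readers and admin jump-host IPs are all assumptions you would tune to your own estate; the tool and file names the rules look for (NSSM, Localtonet, XenAllPasswordPro, Mimikatz, dumper.ps1, MiniDump, lsass.exe, browser history, SSH into ESXi) come from the writeup.

```python
"""Toy hunting rules for the Crypt Ghouls tool chain (added example, not the page's code)."""
import re
from collections import Counter

# Constructed sample telemetry in a flat key=value shape. None of these lines are real
# events from the Kaspersky report; they only mimic what such activity might look like.
SAMPLE_LOGS = [
    'host=WS01 event=ProcessCreate image=C:\\Windows\\System32\\svchost.exe parent=services.exe cmdline="svchost.exe -k netsvcs"',
    'host=WS01 event=ServiceInstall service=localtonet path="C:\\ProgramData\\nssm.exe"',
    'host=WS01 event=ProcessCreate image=C:\\Users\\Public\\XenAllPasswordPro.exe parent=cmd.exe cmdline="XenAllPasswordPro.exe -a"',
    'host=DC01 event=ProcessCreate image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe parent=cmd.exe cmdline="powershell -ep bypass -f C:\\temp\\dumper.ps1"',
    'host=DC01 event=ProcessAccess source=C:\\temp\\MiniDump.exe target=C:\\Windows\\System32\\lsass.exe access=0x1fffff',
    'host=DC01 event=ProcessAccess source=C:\\Windows\\System32\\csrss.exe target=C:\\Windows\\System32\\lsass.exe access=0x1400',
    'host=WS02 event=ProcessCreate image=C:\\Windows\\System32\\cmd.exe parent=explorer.exe cmdline="cmd.exe /c type C:\\Users\\bob\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History"',
    'host=esxi01 event=sshd msg="Accepted password for root from 10.10.5.77 port 51122 ssh2"',
    'host=WS02 event=ProcessCreate image=C:\\Windows\\System32\\notepad.exe parent=explorer.exe cmdline="notepad.exe notes.txt"',
]

# Assumed environment knowledge: tune these for a real estate.
CREDENTIAL_TOOLS = {"xenallpasswordpro.exe", "mimikatz.exe", "minidump.exe"}
LSASS_EXPECTED_SOURCES = {"csrss.exe", "wininit.exe", "services.exe", "lsass.exe", "msmpeng.exe"}
HYPERVISOR_HOSTS = {"esxi01", "esxi02"}
KNOWN_ADMIN_SOURCES = {"10.10.1.10"}  # jump hosts allowed to SSH into hypervisors


def parse_line(line):
    """Split a key=value line into a dict; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def basename(path):
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_persistence(f):
    # NSSM-wrapped services and the Localtonet tunnel client used to keep access.
    if f.get("event") not in {"ServiceInstall", "ProcessCreate"}:
        return False
    blob = " ".join(f.get(k, "") for k in ("service", "path", "image", "cmdline")).lower()
    return "nssm" in blob or "localtonet" in blob


def rule_credential_tool(f):
    # Known password-harvesting binaries launched by name.
    return f.get("event") == "ProcessCreate" and basename(f.get("image", "")) in CREDENTIAL_TOOLS


def rule_kerberos_script(f):
    # PowerShell running the dumper.ps1 ticket-theft script.
    return f.get("event") == "ProcessCreate" and "dumper.ps1" in f.get("cmdline", "").lower()


def rule_lsass_access(f):
    # Any process outside the expected set opening a handle to lsass.exe.
    return (f.get("event") == "ProcessAccess"
            and basename(f.get("target", "")) == "lsass.exe"
            and basename(f.get("source", "")) not in LSASS_EXPECTED_SOURCES)


def rule_browser_history(f):
    # cmd.exe touching a browser history database.
    if f.get("event") != "ProcessCreate" or basename(f.get("image", "")) != "cmd.exe":
        return False
    return re.search(r"(chrome|edge|firefox|opera).*\b(history|places\.sqlite)\b",
                     f.get("cmdline", "").lower()) is not None


def rule_hypervisor_ssh(f):
    # Successful SSH logon to an ESXi host from somewhere other than an admin jump host.
    if f.get("event") != "sshd" or f.get("host") not in HYPERVISOR_HOSTS:
        return False
    m = re.search(r"Accepted \w+ for (\S+) from (\S+)", f.get("msg", ""))
    return bool(m) and m.group(2) not in KNOWN_ADMIN_SOURCES


RULES = [
    ("persistence_nssm_localtonet", rule_persistence),
    ("credential_tool_execution", rule_credential_tool),
    ("kerberos_ticket_script", rule_kerberos_script),
    ("unexpected_lsass_access", rule_lsass_access),
    ("browser_history_read", rule_browser_history),
    ("hypervisor_ssh_login", rule_hypervisor_ssh),
]


def detect(lines):
    """Return one finding dict per (rule, line) match."""
    findings = []
    for line in lines:
        fields = parse_line(line)
        for name, rule in RULES:
            if rule(fields):
                findings.append({"rule": name, "host": fields.get("host", "?"), "line": line})
    return findings


def summarize(findings):
    """Count findings per rule name."""
    return dict(Counter(f["rule"] for f in findings))


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOGS):
        print(f"[{hit['rule']}] {hit['host']}: {hit['line']}")
```

Each rule is deliberately narrow and keyed to one stage of the chain, so a single host tripping several of them in sequence (persistence, then credential tools, then LSASS access, then a hypervisor logon from an unfamiliar source) is the pattern worth paging on; any one rule alone will produce noise from admins and legitimate tooling.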
What's weird is that these Crypt Ghouls are using tools and tricks that are eerily similar to what other groups like MorLock, BlackJack, Twelve, and Shedding Zmiy have been up to. It's like they all went to the same cybercrime school or something. This makes it tough to figure out which bunch of troublemakers is behind each attack because they all share their homework.
Kaspersky's takeaway is that these cybercriminals are getting sneakier by using subcontractor login info and easy-to-find free tools. It's like everyone's swapping notes and gear in the cyber underworld, making it a real headache to pinpoint who's up to what with all these Russian companies.