Crypt Ghouls Targets Russian Firms with LockBit 3.0 and Babuk Ransomware Attacks

October 19, 2024 at 03:54AM

A new threat group named Crypt Ghouls is targeting Russian businesses and government agencies with ransomware attacks aimed at both disruption and financial gain. The group relies on a mix of publicly available tools and gains initial access with contractor credentials over VPN. Its final payloads are LockBit 3.0 and Babuk; because the same tooling is shared by other groups, attributing specific incidents to a single actor is difficult.

### Meeting Takeaways: Cybersecurity Update – Crypt Ghouls Threat Actor

**Date:** October 19, 2024
**Presenter:** Ravie Lakshmanan
**Topic:** Network Security / Data Breach

1. **Threat Overview:**
– A new threat actor named **Crypt Ghouls** is targeting Russian businesses and government entities with **ransomware attacks** aimed at disrupting operations and achieving financial gain.

2. **Attack Methodology:**
– Crypt Ghouls utilizes a variety of tools including:
– **Mimikatz**, **XenAllPasswordPro**, **PingCastle**, **AnyDesk**, **PsExec**, and others.
– Final payloads involved include **LockBit 3.0** and **Babuk** ransomware.

3. **Victim Profile:**
– Attacks have affected various sectors: government, mining, energy, finance, and retail within Russia.

4. **Intrusion Tactics:**
– Initial access often obtained through **contractor login credentials** accessed via VPN.
– VPN sessions originated from IP addresses belonging to a Russian hosting provider and to a contractor's own network, indicating abuse of a trusted relationship rather than a direct break-in.
– Where the entry point could not be confirmed, exploitation of a vulnerable or unpatched VPN service remains the likely alternative.

5. **Post-Intrusion Tools:**
– Utilities used post-intrusion include:
– **NSSM** and **Localtonet** to maintain remote access: Localtonet exposes internal hosts to the attackers through an outbound tunnel, and NSSM registers it as a Windows service so it survives reboots.
– **XenAllPasswordPro**, **Mimikatz**, **dumper.ps1**, and others for credential harvesting.
– **PingCastle** for Active Directory and network reconnaissance.
– **AnyDesk** for continued remote access.
– All of these are publicly available utilities, so their presence on a host is evidence of an intrusion, not of which group is behind it.
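The tool list above is only useful to defenders if it is turned into detection logic, and single hits on tools like AnyDesk or PingCastle are common noise. The following is an added example (not code from the Kaspersky research or The Hacker News article) that maps Windows service-install (7045) and process-creation (4688) events to attack stages and alerts only when two or more distinct stages appear on the same host within a time window. The event records, host names and paths are constructed for illustration; the regexes are assumptions about how the tools appear on disk and on the command line.

```python
"""Correlate Windows events into per-host tool-chain alerts.

Added example, not code from the Kaspersky report or The Hacker News
article. The event records are constructed (the shape a SIEM export of
System event 7045 and Security event 4688 might have), not real telemetry.
"""
import itertools
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Stage -> pattern over the lower-cased service/image path and command line.
# Binary names are weak evidence on their own (the attacker can rename
# Mimikatz), so the credential-access rule also keys on Mimikatz module
# syntax that survives renaming. Patterns are assumptions, tune to your estate.
RULES = {
    "persistence":       re.compile(r"nssm\.exe|localtonet"),
    "credential_access": re.compile(r"mimikatz|sekurlsa::|lsadump::|xenallpasswordpro|dumper\.ps1"),
    "recon":             re.compile(r"pingcastle"),
    "remote_access":     re.compile(r"anydesk|localtonet"),
    "lateral_movement":  re.compile(r"psexec|psexesvc"),
}
SERVICE_INSTALL = 7045   # System log: a service was installed
PROCESS_CREATE = 4688    # Security log: a new process has been created

# Constructed events (UTC ISO 8601 timestamps); none of this is real telemetry.
SAMPLE_EVENTS = [
    {"ts": "2024-10-15T03:10:00Z", "host": "FS01", "event_id": 7045,
     "service_name": "UpdateSvc", "image_path": r"C:\ProgramData\svc\nssm.exe"},
    {"ts": "2024-10-15T03:12:30Z", "host": "FS01", "event_id": 4688,
     "new_process": r"C:\ProgramData\svc\localtonet.exe", "command_line": "localtonet.exe"},
    {"ts": "2024-10-15T03:40:05Z", "host": "FS01", "event_id": 4688,
     "new_process": r"C:\Users\Public\x64.exe",   # renamed Mimikatz
     "command_line": 'x64.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    {"ts": "2024-10-15T04:02:00Z", "host": "DC01", "event_id": 4688,
     "new_process": r"C:\Temp\PingCastle.exe", "command_line": "PingCastle.exe --healthcheck"},
    {"ts": "2024-10-15T09:15:00Z", "host": "WS07", "event_id": 4688,
     "new_process": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe", "command_line": "AnyDesk.exe"},
    {"ts": "2024-10-15T09:16:00Z", "host": "WS07", "event_id": 4688,
     "new_process": r"C:\Windows\System32\svchost.exe", "command_line": "svchost.exe -k netsvcs"},
]


def _event_text(ev):
    keys = ("service_name", "image_path", "new_process", "command_line")
    return " ".join(str(ev.get(k, "")) for k in keys).lower()


def classify(ev):
    """Return the set of attack stages an event matches (empty if benign)."""
    text = _event_text(ev)
    stages = set()
    for stage, pattern in RULES.items():
        # Persistence is only meaningful on a service-install event; the
        # other stages are judged on process creation.
        wanted = SERVICE_INSTALL if stage == "persistence" else PROCESS_CREATE
        if ev.get("event_id") == wanted and pattern.search(text):
            stages.add(stage)
    return stages


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def hunt(events, window=timedelta(hours=6)):
    """Alert on hosts where two distinct stages occur within `window` of each other.

    A lone hit (AnyDesk on a workstation, PingCastle run by an admin) is
    everyday noise; a tunnel service plus credential dumping on one host is not.
    """
    per_host = defaultdict(list)
    for ev in events:
        for stage in classify(ev):
            per_host[ev["host"]].append((_ts(ev["ts"]), stage, ev))
    alerts = []
    for host, hits in sorted(per_host.items()):
        hits.sort(key=lambda h: h[0])
        correlated = any(s1 != s2 and abs(t1 - t2) <= window
                         for (t1, s1, _), (t2, s2, _) in itertools.combinations(hits, 2))
        if correlated:
            alerts.append({"host": host,
                           "stages": sorted({stage for _, stage, _ in hits}),
                           "first_seen": hits[0][0].isoformat(),
                           "events": [ev for _, _, ev in hits]})
    return alerts


if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert["host"], alert["first_seen"], ", ".join(alert["stages"]))
```

On the sample data only FS01 fires (persistence, remote access and credential access inside thirty minutes); DC01 and WS07 each show a single stage and stay quiet. Approved remote-support software should additionally be allow-listed by installation path and signer before this is run at scale.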

6. **Ransomware Execution:**
– Encryption conducted on systems using LockBit 3.0 (Windows) and Babuk (Linux/ESXi).
– Attackers additionally encrypt data sitting in the **Recycle Bin**, so that deleted-but-recoverable copies cannot be used to restore files.
– Ransom notes direct victims to contact the attackers through the **Session** messaging service.

7. **Industry Insights:**
– The same tools, techniques and procedures are observed across several groups attacking Russian targets (e.g., **MorLock**, **BlackJack**), which complicates attribution.
– Shared tooling and credentials among these actors point to a collaborative ecosystem, so a given incident cannot be pinned to one group on the basis of tooling alone.

8. **Recommendations:**
– Restrict and continuously monitor contractor VPN access: bind each contractor account to the networks it is expected to connect from, require MFA, and alert on logins from hosting-provider ranges or from two networks in quick succession.
– Patch VPN appliances and other internet-facing systems promptly, since an unpatched VPN service is the likely alternative entry point.
– Awareness training for employees regarding credential security and phishing attempts.
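The intrusion tactics (item 4) and the first recommendation above both come down to one detection: a contractor credential used from somewhere other than the contractor's own network. The following is an added example (not code from the Kaspersky research or The Hacker News article) that parses VPN authentication logs and flags contractor logins from outside their registered ranges, logins from known hosting-provider ranges, and one account appearing from two networks within a short window. The log format, account names and address ranges (RFC 5737 documentation networks) are constructed for illustration.

```python
"""Flag contractor VPN logins that do not fit the contractor's own network.

Added illustration, not tooling from the Kaspersky research or The Hacker
News article. The log format, account names and address ranges are
constructed (RFC 5737 documentation ranges), not observed data.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Hypothetical allow-list: each contractor account may connect only from
# the ranges its organisation registered with you.
CONTRACTOR_RANGES = {
    "svc-contractor-a": [ipaddress.ip_network("203.0.113.0/24")],
    "svc-contractor-b": [ipaddress.ip_network("198.51.100.0/25")],
}

# Hypothetical hosting-provider ranges (in practice fed from threat intel or
# ASN data); any VPN login arriving from one of these deserves a look.
HOSTING_RANGES = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed VPN authentication log, one login attempt per line.
SAMPLE_LOG = """\
2024-10-15T02:11:07Z vpn user=svc-contractor-a src=203.0.113.17 result=success
2024-10-15T02:40:51Z vpn user=svc-contractor-a src=192.0.2.44 result=success
2024-10-15T03:02:13Z vpn user=svc-contractor-b src=198.51.100.9 result=success
2024-10-15T03:05:22Z vpn user=svc-contractor-b src=198.51.100.200 result=success
2024-10-15T03:06:00Z vpn user=jdoe src=198.51.100.9 result=failure
"""

OUTSIDE_ALLOWED = "contractor login outside allowed ranges"
FROM_HOSTING = "login from hosting-provider range"
MULTI_NETWORK = "same account from a second network within window"


def parse_line(line):
    """Parse '<ts> vpn key=value ...' into a dict; raises on malformed input."""
    ts, _tag, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "user": fields["user"],
        "src": ipaddress.ip_address(fields["src"]),
        "result": fields["result"],
    }


def source_network(addr):
    """Coarse network key for an address: /24 for IPv4, /64 for IPv6."""
    prefix = 24 if addr.version == 4 else 64
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def analyse(log_text, window_minutes=60):
    """Return (user, src, reason) findings for successful logins."""
    findings = []
    seen = defaultdict(list)  # user -> [(ts, network)] of earlier successes
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["result"] != "success":
            continue  # failures matter for brute-force hunting, not here
        user, src, ts = ev["user"], ev["src"], ev["ts"]

        allowed = CONTRACTOR_RANGES.get(user)
        if allowed is not None and not any(src in net for net in allowed):
            findings.append((user, str(src), OUTSIDE_ALLOWED))

        if any(src in net for net in HOSTING_RANGES):
            findings.append((user, str(src), FROM_HOSTING))

        # A valid credential used from two different networks within the
        # window suggests the credential itself has been shared or stolen.
        net = source_network(src)
        if any(net != prev_net and (ts - prev_ts).total_seconds() <= window_minutes * 60
               for prev_ts, prev_net in seen[user]):
            findings.append((user, str(src), MULTI_NETWORK))
        seen[user].append((ts, net))
    return findings


if __name__ == "__main__":
    for user, src, reason in analyse(SAMPLE_LOG):
        print(f"{user:18} {src:16} {reason}")
```

On the constructed log the second login of svc-contractor-a trips all three rules (it comes from a hosting-provider range, outside the contractor's ranges, half an hour after a login from the contractor's own network), while svc-contractor-b only trips the allow-list rule; the failed login for jdoe is ignored. In production, feed the allow-list from the contractor onboarding record and review it when the contract changes.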

**Next Steps:**
– Monitor developments related to Crypt Ghouls and assess the effectiveness of current cybersecurity measures against similar attacks.
