Ghosts on the Web: How Crypt Ghouls Penetrate Russian Companies

New hacking techniques compromise familiar security measures.

In December 2023, researchers from Kaspersky Lab discovered a new hacker group called Crypt Ghouls, which specializes in ransomware attacks against Russian companies and government organizations. Experts have identified links between this cyber gang and other groups, visible in the tactics, procedures and tools they share.

To penetrate victims' networks, the attackers use contractor accounts and VPN connections from IP addresses belonging to Russian hosting providers. Inside the infrastructure, they use utilities such as Localtonet to create encrypted tunnels and NSSM to manage services on compromised systems. Their main tools for stealing credentials are Mimikatz and XenAllPasswordPro; for remote management they rely on AnyDesk and resocks.

Crypt Ghouls attacks use the LockBit 3.0 and Babuk ransomware. These ransomware families encrypt files on Windows and Linux servers and also modify the names and contents of files in the Recycle Bin, making them difficult to recover. In addition, the hackers actively use the CobInt module to inject backdoors, and PowerShell scripts to covertly obtain data from Kerberos ticket caches.

The attackers demonstrate a high degree of preparation, using sophisticated techniques such as DLL sideloading and WMI for remote command execution. They also save NTDS.dit dumps from domain controllers and extract valuable data from them using the Impacket and PAExec utilities. Heavy use of Surfshark VPN infrastructure and of hosting providers such as VDSina has repeatedly allowed them to hide their activity.
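The tooling named above (NSSM-wrapped services, Localtonet and resocks tunnels, AnyDesk launched from unusual locations, WMI-spawned processes, NTDS.dit and LSASS dumps, PowerShell touching Kerberos tickets, PAExec service installs) leaves recognisable traces in Windows process-creation (Security event 4688) and service-install (System event 7045) logs. The following is an added hunting example written for this post; it is not Kaspersky's code and not part of the original article. The event records are constructed samples, the `Event` shape is a simplified stand-in for the real log fields, and each rule is a heuristic assumption about what the tools look like on a host, not a signature published by the researchers. Note that an Impacket secretsdump run from a remote machine against a domain controller does not create a local process at all, so rules of this kind catch the on-host NTDS.dit handling but need network or authentication telemetry for the remote case.

```python
import re
from dataclasses import dataclass


@dataclass
class Event:
    """Simplified stand-in (assumption) for Windows 4688 / 7045 event fields."""
    source: str        # "Security" (4688 process creation) or "System" (7045 service install)
    event_id: int
    image: str         # path of the new process, or of the service binary for 7045
    cmdline: str = ""
    parent: str = ""   # parent process image (4688 only)


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path ('' for an empty path)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _in_program_files(path: str) -> bool:
    """True when the binary lives under Program Files (where a sanctioned install would be)."""
    return bool(re.match(r"^[a-z]:\\program files( \(x86\))?\\", path, re.I))


# Hunting heuristics (assumed, not vendor signatures): rule name -> predicate over an Event.
RULES = {
    # NSSM registered as a service binary: attacker wrapping a payload as a persistent service
    "nssm_service_install": lambda e: e.event_id == 7045 and _base(e.image) == "nssm.exe",
    # PAExec drops a PAExec-<pid>-<host>.exe service binary when executing remotely
    "paexec_service_install": lambda e: e.event_id == 7045 and _base(e.image).startswith("paexec"),
    # Tunnelling clients named in the article running as processes
    "tunnel_client_process": lambda e: e.event_id == 4688
        and _base(e.image) in {"localtonet.exe", "resocks.exe"},
    # AnyDesk started from outside Program Files (portable copy dropped by an intruder)
    "anydesk_nonstandard_path": lambda e: e.event_id == 4688
        and _base(e.image) == "anydesk.exe" and not _in_program_files(e.image),
    # Any process whose parent is the WMI provider host: classic remote WMI execution
    "wmi_spawned_process": lambda e: e.event_id == 4688 and _base(e.parent) == "wmiprvse.exe",
    # ntdsutil IFM export, or any command line naming ntds.dit directly
    "ntds_dump_attempt": lambda e: e.event_id == 4688 and (
        (_base(e.image) == "ntdsutil.exe" and "ifm" in e.cmdline.lower())
        or "ntds.dit" in e.cmdline.lower()),
    # Command lines that target lsass with known dumping tools/modules
    "lsass_memory_access": lambda e: e.event_id == 4688 and "lsass" in e.cmdline.lower()
        and re.search(r"procdump|comsvcs|minidump|mimikatz|sekurlsa", e.cmdline, re.I),
    # PowerShell command lines that reference Kerberos ticket handling
    "powershell_kerberos_ticket_access": lambda e: e.event_id == 4688
        and _base(e.image) in {"powershell.exe", "pwsh.exe"}
        and re.search(r"klist|kerberos|kerbretrieve", e.cmdline, re.I),
}


def hunt(events):
    """Return (rule_name, event) pairs for every rule each event matches."""
    return [(name, e) for e in events for name, pred in RULES.items() if pred(e)]


def summarize(findings):
    """Count findings per rule name."""
    counts = {}
    for name, _ in findings:
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample events (not from any real incident).
SAMPLE_EVENTS = [
    Event("System", 7045, r"C:\ProgramData\svc\nssm.exe", "nssm.exe install updsvc C:\\ProgramData\\svc\\t.exe"),
    Event("Security", 4688, r"C:\Users\Public\localtonet.exe", "localtonet.exe authtoken <constructed>"),
    Event("Security", 4688, r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami",
          parent=r"C:\Windows\System32\wbem\WmiPrvSE.exe"),
    Event("Security", 4688, r"C:\Windows\System32\ntdsutil.exe",
          r'ntdsutil.exe "ac i ntds" "ifm" "create full C:\temp\ifm" q q'),
    Event("Security", 4688, r"C:\Program Files\AnyDesk\AnyDesk.exe", "AnyDesk.exe"),            # benign
    Event("Security", 4688, r"C:\Users\u\AppData\Local\Temp\AnyDesk.exe", "AnyDesk.exe"),
    Event("Security", 4688, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -nop -w hidden klist tickets"),
    Event("Security", 4688, r"C:\Windows\System32\notepad.exe", "notepad.exe"),                 # benign
    Event("System", 7045, r"C:\Windows\PAExec-1234-WS01.exe"),
    Event("Security", 4688, r"C:\Users\Public\procdump.exe", "procdump.exe -ma lsass.exe out.dmp"),
]

if __name__ == "__main__":
    for name, e in hunt(SAMPLE_EVENTS):
        print(f"{name:34s} {e.source} {e.event_id} {e.image}")
    print(summarize(hunt(SAMPLE_EVENTS)))
```

Each rule is deliberately narrow so a hit is worth an analyst's time; the two benign samples (AnyDesk under Program Files, notepad) show that the path and parent checks, not just the binary name, are what keep the noise down. In a real deployment the same predicates would run over parsed Sysmon or Security-log exports instead of the inline list.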

Experts noted that Crypt Ghouls' toolset overlaps with that of other hacker groups, including MorLock, BlackJack and Twelve. This suggests that the attackers are likely sharing tools and knowledge, which makes them harder to identify and track.

Crypt Ghouls has targeted Russian companies in industries such as energy, finance, mining and commerce. The goal of the attacks is not only extortion but also disruption of business processes, which increases the scale of the damage to organizations. Kaspersky Lab experts continue to monitor the group's activity and expect the number of attacks to grow further.
