Crypt Ghouls
Crypt Ghouls is a cybercriminal threat actor identified by Kaspersky and linked to ransomware attacks against Russian businesses and government agencies. Reported victims include organizations in the Russian government, mining, energy, finance, and retail sectors. Kaspersky assessed the group's goals as both operational disruption and financial gain.

In the cases where initial access was identified, Crypt Ghouls abused compromised credentials belonging to contractors and subcontractors to access victim environments via VPN, with connections traced to Russian hosting providers and compromised contractor networks. Kaspersky assessed this reflected abuse of trusted relationships to evade detection.

Observed post-compromise activity included persistence and remote access using NSSM and Localtonet; credential theft and collection using Mimikatz, XenAllPasswordPro, dumper.ps1, MiniDump, and cmd.exe to copy credentials from Google Chrome and Microsoft Edge; reconnaissance with PingCastle and SoftPerfect Network Scanner; and remote administration or lateral movement using AnyDesk, PsExec/PAExec, and resocks. Kaspersky also observed use of the CobInt backdoor loader, including a VBScript downloader named Intellpui.vbs that executed obfuscated PowerShell to load malware in memory without leaving traces on disk.

For impact, Crypt Ghouls deployed LockBit 3.0 on Windows systems and Babuk on Linux and ESXi environments. Kaspersky reported the group attempted to encrypt Recycle Bin data to make recovery more difficult, added directories containing credential-harvesting tools to the ransomware exclusion list, and left ransom notes containing a Session messaging service contact link. In ESXi intrusions, the attackers connected over SSH, uploaded Babuk, and encrypted files within virtual machines.
Kaspersky reported technical, tooling, naming, and infrastructure overlaps between Crypt Ghouls and other Russia-targeting groups including MorLock, BlackJack, Twelve, and Shedding Zmiy (ExCobalt). Shared utilities specifically mentioned include SoftPerfect Network Scanner, PingCastle, XenAllPasswordPro, and resocks, and Kaspersky noted similar file and folder naming conventions and overlapping infrastructure, suggesting shared tooling, resources, or collaboration. No additional aliases or sub-groups for Crypt Ghouls were directly identified in the provided content.
Recent activity
Ransomware intrusion activity leveraging compromised contractor/subcontractor credentials (VPN initial access), followed by lateral movement/persistence tooling and deployment of LockBit 3.0 (Windows) and Babuk (Linux/ESXi) to encrypt victim data.
Ransomware-driven disruptive and financially motivated intrusions against Russian government and commercial organizations, using compromised contractor VPN credentials for initial access, followed by credential theft, remote access tooling, lateral movement, and deployment of LockBit 3.0 (Windows) and Babuk (Linux/ESXi).