Crypt Ghouls Used Shared Ransomware Tooling Against Russian Organizations
Researchers reported that a ransomware group tracked as Crypt Ghouls targeted Russian businesses and government agencies across mining, energy, finance, retail, and public-sector organizations. The group reportedly gained initial access through compromised contractor VPN credentials, then established persistence with NSSM and Localtonet, harvested credentials using XenAllPasswordPro and Mimikatz, and expanded access with reconnaissance and lateral-movement tools including PingCastle, SoftPerfect Network Scanner, WMI, Impacket WmiExec.py, and **PAExec`.
The attackers deployed LockBit 3.0 on Windows systems and Babuk on Linux and ESXi environments, indicating a multi-platform ransomware capability. Researchers also found overlaps in tooling, infrastructure, and tactics with activity linked to MorLock, BlackJack, Twelve, and Shedding Zmiy/(Ex)Cobalt, suggesting collaboration, shared tooling, or intelligence exchange among multiple groups focused on Russian targets.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Tooling overlap reported between Crypt Ghouls and other threat activity
The report says researchers observed overlaps in tools, infrastructure, and TTPs between Crypt Ghouls and MorLock, BlackJack, Twelve, and Shedding Zmiy/(Ex)Cobalt-linked activity. They concluded the overlaps likely indicate collaboration, shared tooling, or intelligence exchange among multiple groups targeting Russian organizations.
Researchers identify Crypt Ghouls targeting Russian organizations
Researchers identified a ransomware group dubbed Crypt Ghouls targeting Russian businesses and government agencies across sectors including mining, energy, finance, retail, and the public sector. The analysis says the group commonly gains access through compromised contractor VPN credentials and deploys LockBit 3.0 on Windows and Babuk on Linux and ESXi systems.
Sources
1 reference tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Ransomware Attack Uncovers Ongoing Espionage in Russian Organizations
Two Russian organizations were simultaneously targeted by separate cyber attack groups, resulting in the exposure of a long-term espionage campaign. The first group, QuietCrabs, believed to be of Asian origin, focused on cyber espionage and maintained a stealthy presence within the victim networks. The second group, known as Thor, attempted to deploy LockBit and Babuk ransomware but was detected early, which inadvertently led to the discovery of QuietCrabs' ongoing activities. Both groups exploited known vulnerabilities in Microsoft SharePoint Server (CVE-2025-53770) and various Ivanti solutions (CVE-2024-21887, CVE-2025-4427, CVE-2025-4428, CVE-2023-38035) to gain initial access. QuietCrabs utilized an ASPX web shell, KrustyLoader malware, and the Sliver C2 implant for persistence and control, while Thor employed tools such as ADRecon, GodPotato, Secretsdump, Mimikatz, Tactical RMM, MeshAgent, and Rclone for lateral movement, privilege escalation, and data exfiltration. The investigation began after Thor's activity was detected, which prevented the ransomware deployment but also revealed the deeper, more persistent espionage threat posed by QuietCrabs. This incident highlights the risk of multiple, unconnected threat actors targeting the same organization and the potential for noisy attacks to expose more covert operations.
Mar 21, 2026
Egregor Ransomware Used Cobalt Strike and Rclone in Double-Extortion Attacks
The **Egregor** ransomware operation carried out double-extortion attacks by stealing sensitive data, encrypting victim systems, and threatening to publish stolen information on a leak site if victims refused to pay. Researchers linked Egregor to an ecosystem associated with **Sekhmet** and possible former **Maze** affiliates, with additional reported ties to **ProLock** and **LockBit**. Victims cited in reporting included **GEFCO**, **Barnes & Noble**, and **Ubisoft**, while the group’s leak site reportedly listed **152 victim companies** across industries including information technology, construction, retail, consumer goods, and automotive. Intrusions commonly began with **phishing** or **RDP exploitation**, after which attackers used **Cobalt Strike** for payload delivery and in some cases leveraged **QBot** and living-off-the-land tools such as `bitsadmin`. The malware used heavily obfuscated DLL payloads with **Salsa20**-encrypted configuration data, required a sample-specific launch key passed with the `-p` parameter, and encrypted files with **ChaCha** and **RSA-2048**. Researchers also observed the group using **Rclone** with attacker-supplied configuration data to exfiltrate stolen files, while the ransomware appeared to avoid encrypting systems configured with several CIS-region languages.
Mar 29, 2024
Bearlyfy deploys GenieLocker in ransomware campaign against Russian companies
The pro-Ukrainian hacker group **Bearlyfy** has carried out more than 70 attacks against Russian companies, escalating from smaller intrusions and modest ransom demands into a broader campaign combining extortion with sabotage. Russian cybersecurity firm F6 said the group, active since January 2025 and also tracked as **Labubu**, initially relied on leaked ransomware code including **LockBit 3 Black**, **Babuk** for Linux, and a modified **PolyVice** variant before shifting in March to a custom Windows strain called **GenieLocker**. F6 said Bearlyfy typically gained access through exposed external services and vulnerable applications, then used tools such as **MeshAgent** for remote access and to support encryption or destructive activity. Researchers also reported cooperation with the pro-Ukrainian group **Head Mare** and tooling or infrastructure overlaps with **PhantomCore**, suggesting ties to a wider ecosystem targeting Russian and Belarusian organizations. The group’s ransom demands reportedly rose from about **€80,000** to several hundred thousand dollars, with roughly one in five victims paying, as Bearlyfy expanded from smaller businesses to larger Russian enterprises.
Mar 27, 2026