The emerging threat actor Crypt Ghouls has been linked to ransomware attacks on Russian businesses and government agencies, targeting sectors such as mining, energy, finance, and retail for disruption and financial gain. Using tools such as Mimikatz, PingCastle, Localtonet, and the LockBit 3.0 and Babuk ransomware, the group gains initial access through contractor credentials used over VPNs or through unpatched vulnerabilities. They maintain persistence with utilities like NSSM and harvest credentials using XenAllPasswordPro, CobInt, and MiniDump. Data is encrypted, including files in the Recycle Bin, and ransom notes direct victims to contact the attackers via the Session messenger. Crypt Ghouls’ toolkit overlaps with that of other groups targeting Russia, complicating attribution and highlighting shared tactics among threat actors.
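As an added example (not part of the original summary), the detection logic below scans constructed Windows Event ID 7045 service-install records and flags installs whose image path references NSSM or the credential-harvesting tools named above; the log lines use a simplified key=value rendering, not real telemetry, and the hostnames and service names are invented.

```python
import re
from dataclasses import dataclass

# Constructed sample events in a simplified key=value layout resembling the
# Windows System log's Event ID 7045 (new service installed). Not real data.
SAMPLE_EVENTS = [
    'EventID=7045 Host=FS01 ServiceName="Updater" ImagePath="C:\\ProgramData\\svc\\nssm.exe" StartType="auto start"',
    'EventID=7045 Host=FS01 ServiceName="WinDefendHelper" ImagePath="C:\\Windows\\System32\\svchost.exe -k netsvcs" StartType="auto start"',
    'EventID=7045 Host=DC02 ServiceName="Backup" ImagePath="C:\\Users\\Public\\XenAllPasswordPro.exe" StartType="demand start"',
    'EventID=4624 Host=DC02 LogonType=10 TargetUserName=contractor01',
]

# Tool names from the summary above, matched case-insensitively against the
# image path. The service name is attacker-chosen, so it is never trusted.
SUSPICIOUS_IMAGE_PATTERNS = [
    r"\bnssm(\.exe)?\b", r"xenallpasswordpro", r"minidump", r"mimikatz", r"localtonet",
]

@dataclass
class Finding:
    host: str
    service_name: str
    image_path: str
    reason: str

# key=value or key="quoted value" pairs; quoted values may contain spaces.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

def parse_event(line):
    """Return the fields of one constructed event line as a dict."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in FIELD_RE.finditer(line)}

def find_suspicious_service_installs(lines):
    """Return a Finding for each 7045 event whose image path names a known tool."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "7045":
            continue  # only service installs are relevant to this check
        image = ev.get("ImagePath", "")
        for pat in SUSPICIOUS_IMAGE_PATTERNS:
            if re.search(pat, image, re.IGNORECASE):
                findings.append(Finding(ev.get("Host", "?"), ev.get("ServiceName", "?"),
                                        image, f"image path matches {pat}"))
                break
    return findings

if __name__ == "__main__":
    for f in find_suspicious_service_installs(SAMPLE_EVENTS):
        print(f"{f.host}: service '{f.service_name}' -> {f.image_path} ({f.reason})")
```

The benign svchost install and the logon event are ignored; a real deployment would feed parsed 7045 events from the System log and extend the pattern list with the environment's own findings.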