While ransomware attacks are typically disastrous for the victimized organizations, in some unusual cases, they can inadvertently lead to positive outcomes—at least in terms of uncovering hidden vulnerabilities and malicious activities.
A striking example of this occurred in a recent data breach involving a Russian business, which was detailed in a report published by Positive Technologies (PT), a Moscow-based cybersecurity firm. The findings of this report have brought to light the intricate web of cyberattacks targeting the company and raise significant questions about the nature of global cyber threats.
The Unfolding of the Incident: Ransomware Meets Espionage
The incident began several months ago, when threat researchers at Positive Technologies discovered that Thor, a cybercriminal group backed by notorious ransomware operations LockBit and Babuk, had infiltrated the servers of a Russian energy company. Upon closer inspection, it became clear that the ransomware attack was not the only malicious activity underway. As researchers dug deeper into the breach, they unearthed a more surprising discovery: the presence of KrustyLoader, a sophisticated espionage malware deployed by a Chinese-based cyber actor known as QuietCrabs.
The KrustyLoader malware was found to have been residing undetected within the company’s systems for an extended period, with a dwell time—the amount of time the malware remains hidden on a compromised system—of approximately 393 days. This malware,
TPRM report: https://www.rankiteo.com/company/alliance-oil-company
{
  "id": "all1764698539",
  "linkid": "alliance-oil-company",
  "type": "Ransomware",
  "date": "2025-12-02T00:00:00.000Z",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'incident': {'affected_entities': [{'customers_affected': None,
'industry': 'energy',
'location': 'Russia',
'name': None,
'size': None,
'type': 'energy company'}],
'data_breach': {'data_encryption': None,
'data_exfiltration': None,
'file_types_exposed': None,
'number_of_records_exposed': None,
'personally_identifiable_information': None,
'sensitivity_of_data': None,
'type_of_data_compromised': None},
'description': 'A ransomware attack on a Russian energy company '
'inadvertently led to the discovery of '
'KrustyLoader, a sophisticated espionage malware '
'deployed by a Chinese-based cyber actor known as '
'QuietCrabs. The malware had remained undetected '
'for approximately 393 days.',
'impact': {'brand_reputation_impact': None,
'conversion_rate_impact': None,
'customer_complaints': None,
'data_compromised': None,
'downtime': None,
'financial_loss': None,
'identity_theft_risk': None,
'legal_liabilities': None,
'operational_impact': None,
'payment_information_risk': None,
'revenue_loss': None,
'systems_affected': None},
'initial_access_broker': {'backdoors_established': None,
'data_sold_on_dark_web': None,
'entry_point': None,
'high_value_targets': None,
'reconnaissance_period': None},
'motivation': ['financial gain', 'espionage'],
'post_incident_analysis': {'corrective_actions': None,
'root_causes': None},
'ransomware': {'data_encryption': None,
'data_exfiltration': None,
'ransom_demanded': None,
'ransom_paid': None,
'ransomware_strain': ['LockBit', 'Babuk']},
'references': [{'date_accessed': None,
'source': 'Positive Technologies (PT) report',
'url': None}],
'regulatory_compliance': {'fines_imposed': None,
'legal_actions': None,
'regulations_violated': None,
'regulatory_notifications': None},
'response': {'adaptive_behavioral_waf': None,
'communication_strategy': None,
'containment_measures': None,
'enhanced_monitoring': None,
'incident_response_plan_activated': None,
'law_enforcement_notified': None,
'network_segmentation': None,
'on_demand_scrubbing_services': None,
'recovery_measures': None,
'remediation_measures': None,
'third_party_assistance': 'Positive Technologies '
'(PT)'},
'threat_actor': ['Thor (LockBit/Babuk affiliate)',
'QuietCrabs (Chinese-based)'],
'title': 'Ransomware Attack Uncovers Hidden Espionage Malware in '
'Russian Energy Company',
'type': ['ransomware', 'espionage']}}