Positive Technologies: New hacker group uses LockBit ransomware variant to target Russian companies

DarkGaboon: Financially Motivated Ransomware Group Targets Russian Organizations

A cybercrime group known as DarkGaboon has been conducting ransomware attacks against Russian companies since at least 2023, according to research by Russian cybersecurity firm Positive Technologies. First identified in January, the group has targeted organizations across banking, retail, tourism, and public services.

In its latest campaign this spring, DarkGaboon deployed LockBit 3.0 ransomware, a variant originally leaked in 2022 and widely adopted by cybercriminals. Unlike typical LockBit affiliates operating under a ransomware-as-a-service (RaaS) model, DarkGaboon appears to operate independently.

The group relies on Russian-language phishing emails sent to financial department employees, using urgent messaging and malicious attachments disguised as legitimate financial documents. These decoy files, sourced from legitimate Russian-language templates, have remained largely unchanged since 2023.

Once inside a victim’s network, DarkGaboon encrypts files with LockBit 3.0 and leaves a ransom note in Russian, including two contact email addresses. Positive Technologies found no evidence of data exfiltration in recent attacks. The same email addresses were previously linked to LockBit-based attacks on Russian financial institutions in early 2023.

While the identities behind DarkGaboon remain unknown, researchers suggest the perpetrators are likely Russian-speaking. The group uses open-source tools like Revenge RAT and XWorm to evade attribution, blending in with broader cybercriminal activity.

Russian entities have faced prior LockBit attacks, including a December 2023 incident targeting a major Siberian dairy plant following its humanitarian aid donations to Russian military efforts in Ukraine. That attack, however, has not been attributed to DarkGaboon.

Source: https://therecord.media/new-hacker-group-lockbit-target-russia

Positive Technologies cybersecurity rating report: https://www.rankiteo.com/company/positivetechnologies

"id": "POS1766629641",
"linkid": "positivetechnologies",
"type": "Cyber Attack",
"date": "1/2023",
"severity": "25",
"impact": "1",
"explanation": "Attack without any consequences"
{'affected_entities': [{'industry': ['Banking',
                                     'Retail',
                                     'Tourism',
                                     'Public Services'],
                        'location': 'Russia',
                        'type': 'Organization'}],
 'attack_vector': 'Phishing emails',
 'data_breach': {'data_encryption': 'Files encrypted using LockBit 3.0',
                 'data_exfiltration': 'No signs of data exfiltration in recent '
                                      'incidents'},
 'date_detected': '2023',
 'description': 'A financially motivated cybercrime group dubbed DarkGaboon '
                'has been targeting Russian companies in a series of '
                'ransomware attacks, deploying LockBit 3.0 ransomware. The '
                'group uses phishing emails with malicious attachments to gain '
                'access to victim networks.',
 'initial_access_broker': {'entry_point': 'Phishing emails with malicious '
                                          'attachments',
                           'high_value_targets': 'Employees in financial '
                                                 'departments'},
 'motivation': 'Financial gain',
 'ransomware': {'data_encryption': 'Yes',
                'data_exfiltration': 'No signs of data exfiltration in recent '
                                     'incidents',
                'ransomware_strain': 'LockBit 3.0'},
 'references': [{'source': 'Positive Technologies'}],
 'threat_actor': 'DarkGaboon',
 'title': 'DarkGaboon Ransomware Attacks on Russian Companies',
 'type': 'Ransomware'}