Russian-speaking OldGremlin ransomware group targets Russian organisations

The group uses social engineering techniques to infect networks - but is only targeting Russian organisations, for now

OldGremlin, a new Russian-speaking ransomware group, is using custom tools to target large corporates and critical infrastructure - within Russia.

Researchers at cyber security firm Group-IB say they detected multiple cyber attacks by the OldGremlin group against medical and financial firms, software developers and manufacturers based in Russia.

Taking a targeted strike

The most recent successful attack Group-IB detected was against a medical lab in August. The attack began with a phishing email that allegedly came from RosBiznesConsulting (RBC), Russia's biggest media holding company. RBC was reportedly having trouble paying for medical services.

The phishing email displayed 'Invoice' as the subject and contained a link that, when clicked, downloaded a .zip archive with custom backdoor TinyNode. According to Group-IB, this backdoor acted as a primary bootloader and enabled the attackers to download and run other malicious programmes. The cybercriminals also used another backdoor, dubbed TinyPosh, to gain a foothold on the target organisation's network.

The group then used threat emulation programme Cobalt Strike to move laterally across the network. They obtained domain admin credentials and created an account with the same privileges to maintain network access, in case the original admin account was blocked.
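The persistence step described above (a freshly created account promoted straight into Domain Admins) is a pattern defenders can hunt for in Windows Security logs. The following is an added example, not Group-IB's code or tooling: it correlates account-creation events (ID 4720) with additions to a privileged global group (ID 4728) over constructed sample events, flagging accounts that were created and elevated within a short window.

```python
from datetime import datetime, timedelta

# Windows Security event IDs (real IDs):
# 4720 = user account created, 4728 = member added to a security-enabled global group.
ACCOUNT_CREATED = 4720
ADDED_TO_GLOBAL_GROUP = 4728
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Constructed sample events (assumed, not from the incident); the fields mirror the
# event log's SubjectUserName / TargetUserName / TargetUserName-of-group columns.
SAMPLE_EVENTS = [
    {"time": "2020-08-10 10:00:00", "id": 4720, "subject": "j.ivanov", "target": "svc_backup2", "group": None},
    {"time": "2020-08-10 10:03:00", "id": 4728, "subject": "j.ivanov", "target": "svc_backup2", "group": "Domain Admins"},
    {"time": "2020-08-10 11:00:00", "id": 4720, "subject": "hr.admin", "target": "new.hire", "group": None},
    {"time": "2020-08-10 11:05:00", "id": 4728, "subject": "hr.admin", "target": "new.hire", "group": "HR-Staff"},
    # Existing account elevated with no prior 4720: not a "new shadow admin", so not
    # flagged here, though it deserves its own separate review rule.
    {"time": "2020-08-12 09:00:00", "id": 4728, "subject": "j.ivanov", "target": "ops.lead", "group": "Domain Admins"},
]


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def find_new_privileged_accounts(events, window=timedelta(hours=24)):
    """Return (account, creator, promoter, minutes_between) for every account that was
    created and then added to a privileged group within `window`."""
    created = {}  # account name -> (creation time, creating principal)
    hits = []
    for ev in sorted(events, key=lambda e: parse_time(e["time"])):
        t = parse_time(ev["time"])
        if ev["id"] == ACCOUNT_CREATED:
            created[ev["target"]] = (t, ev["subject"])
        elif ev["id"] == ADDED_TO_GLOBAL_GROUP and ev["group"] in PRIVILEGED_GROUPS:
            if ev["target"] in created:
                t0, creator = created[ev["target"]]
                if t - t0 <= window:
                    minutes = int((t - t0).total_seconds() // 60)
                    hits.append((ev["target"], creator, ev["subject"], minutes))
    return hits


if __name__ == "__main__":
    for account, creator, promoter, minutes in find_new_privileged_accounts(SAMPLE_EVENTS):
        print(f"ALERT: {account} created by {creator}, elevated by {promoter} after {minutes} min")
```

In a real deployment the same correlation would be fed from a SIEM export of domain controller logs rather than the inline list; a 24-hour window catches the "create, then promote" sequence without alerting on routine onboarding that never touches a privileged group.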

After several days spent on the network, the attackers deleted server backups and encrypted files using the TinyCryptor ransomware (aka decr1pt). They demanded $50,000 in cryptocurrency from the victim firm, and provided a Proton email account for contact.

Russian rampage

Besides mimicking RBC with spearphishing emails, OldGremlin has also impersonated other organisations, including a dental clinic, microfinance companies Edinstvo and MIR, and Belarus Tractor Works plant.

According to Group-IB, OldGremlin's campaigns began in March. So far, the researchers have only identified Russian victims - but there is a possibility that the attackers could be fine-tuning their tools in preparation for targeting overseas organisations in the coming weeks or months.

The attackers may also have links to some of Russia's neighbours that have tense relationships with Moscow.

"The lack of a strong channel of communication between organisations that counter cybercrime and the context of political instability have led to the emergence of new criminal groups who think that they can get away with their crimes," said Oleg Skulkin, Senior Digital Forensics Analyst at Group-IB.

"Another factor that helps cybercriminals make money on ransoms is businesses underestimating threats and the lack of security controls that identify and block ransomware on time," he added.