To Russia without love

OldGremlin russian-speaking ransomware group defies unspoken rule about unlocking Russian organizations security

A new Russian-speaking ransomware gang has surfaced with a series of campaigns detected against critical infrastructure and large corporate targets within Russia.

The ‘OldGremlin’ group has mounted multi-stage, targeted attacks since at least March this year against banks, medical labs, manufacturers, and software developers, according to a press release and technical blog post published today (Wednesday) by threat intel specialists Group-IB.

The group deploys “sophisticated tactics and techniques similar to those employed by APT groups,” according to Oleg Skulkin, senior digital forensics analyst at Group-IB.

Using a suite of customized tools, the threat actors first sent sophisticated spear-phishing emails that, if successful, infect target machines with backdoors that open the way for ransomware attacks.

Big game hunting

OldGremlin apparently chose its targets because of their high value data and sensitivity to downtime, making them more likely to pay the $50,000 ransom typically demanded by the group.

In attacking high profile targets within Russia, the group is “the only Russian-speaking ransomware operator that violates the unspoken rule about not working within Russia and post-Soviet countries”, says Skulkin.

OldGremlin’s “fearlessness” about risking domestic incarceration, “indicates that the attackers” are either emulating Russian counterparts Silence and Cobalt by “fine-tuning their techniques benefiting from home advantage before going global,” or are nationals of neighboring countries, adds the researcher.

“Amid global tensions, cybercriminals have learned to navigate the political agenda, which gives us grounds to suggest that the attackers might come from some of the post-Soviet countries Russia has controversy or weak ties with.”

If correct, Group-IB is tentatively pointing the finger towards the Baltic countries or (more likely) Ukraine, a country known to have spawned ransomware groups in the past.

Lab attack

In the first successful attack from among seven phishing campaigns observed to date by Group-IB, OldGremlin targeted a clinical diagnostics laboratory with several sites across the Russia.

Detected in August, the attack began with a phishing email sent on behalf of RBC Group, one of Russia’s largest media holdings, urging the recipient to pay an invoice.

In clicking the malicious link, the victim unwittingly downloaded a unique custom backdoor, ‘TinyNode’, that installed malware and granted attackers remote access to the infected machine.

Catch up on the latest cybercrime news

The cybercriminals then used threat emulation software Cobalt Strike to move laterally across the network, obtaining domain administrator credentials and creating an additional account with the same privileges to maintain access in case the original account was blocked.

The cybercrooks later deleted server backups before encrypting data and paralysing operations across all of the company’s sites with its very own TinyCryptor ransomware (aka decr1pt).

Protests and pandemics

In March and April, the group debuted its ‘TinyPosh’ backdoor in attacks against financial organizations that purported to offer guidelines on organizing Covid-safe remote working.

TinyPosh was deployed again in May, with OldGremlin sending emails to bank employees, purportedly from a Russian RBC journalist, inviting them to take part in a 30-minute interview about the coronavirus pandemic.

The credibility of a follow-up email was burnished with supposed verifications from major foreign cybersecurity firms.

Then in August, Group-IB researchers detected around 250 malicious emails sent as part of two campaigns – one impersonating RBC again and the other a mining and metallurgical company – to targets working for financial and industrial companies.

On August 19, emails purporting to come from the CEO of the Minsk Tractor Works plant ( using the wrong name, incidentally) notified Russian financial organizations that the enterprise was being probed by the Belarus prosecutor’s office due to its participation in anti-government protests.

Victims were implored to download an ‘archive’ and send missing documents for verification, but in doing so would actually have downloaded TinyPosh.

“The lack of a strong channel of communication between organizations that counter cybercrime and the context of political instability have led to the emergence of new criminal groups who think that they can get away with their crimes,” says Rustam Mirkasymov, head of the dynamic malware analysis department at Group-IB.

RECOMMENDED Darknet markets likely to continue despite exit scams and law enforcement takedowns