OldGremlin Definitely Did That!

A new Russian-speaking ransomware gang has planned campaigns against critical infrastructure in Russia.

The scoop

OldGremlin, in a recent series of campaigns, defied the unspoken rule against attacks on home soil. The threat actor has been targeting Russian companies, including financial institutions, medical firms, and industrial enterprises, with ransomware attacks. It relies on custom backdoors known as TinyNode and TinyPosh to gain access to the target organization.

Why this matters

OldGremlin has been continuously switching up its spear-phishing lures to impersonate several organizations, ranging from a Russian dental clinic to the Russian microfinance firm Edinstvo. The cybercriminal gang has also mimicked the media group RBC in various campaigns.

Attack vector

  • OldGremlin came into the spotlight after its attack against a medical company. The trojan lasted only 20 seconds before Windows Defender threw it out. However, in those 20 seconds, it achieved persistence in the system.
  • A few weeks later, the group deleted all the organization’s backups and demanded $50,000 in cryptocurrency.
  • The well-designed spear-phishing emails use current news as a lure.

The bottom line

OldGremlin began its activities between late March and early April. It mainly took advantage of COVID-19 lures. The group has been spotted conducting multi-stage targeted attacks on Russian organizations using sophisticated TTPs usually seen among APT groups.