Group-IB, one of the global leaders in cybersecurity, headquartered in Singapore, released a first threat report detailing the operations of a Russian-speaking ransomware group OldGremlin: “OldGremlin Ransomware. Never ever feed them after the Locknight”. According to Group-IB, in just two years and a half, the “Gremlins” carried out 16 malicious campaigns. OldGremlin remains one of the very few ransomware gangs targeting Russian companies. However, their growing ambitions can push them to explore new geographies in the future. For the second year in a row, OldGremlin demanded the highest ransom from Russian organizations: in 2021 their largest ransom demand amounted to $4.2 million, while in 2022 it soared to $16.9 million.
As usual, Group-IB’s report provides access to a set of data and detailed information about the current tactics, techniques, and procedures (TTPs) used by the attackers, which are described using MITRE ATT&CK®. The information provided will benefit organizations that fight cybercrime, and especially heads of information security teams, SOC analysts, incident responders, and potential victims who can use the information to protect their infrastructure from OldGremlin.
Do not feed the Gremlins
Compared to other world regions, the post-Soviet space remained a harbor safe from ransomware groups primarily focusing on North America, Europe, Asia Pacific, and other locations. But this paradigm began to shift. According to Group-IB, last year, the number of ransomware attacks on Russian businesses increased by more than 200%. Among the most notorious ransomware gangs targeting this region was a group called OldGremlin.
OldGremlin (also known as TinyScouts) was uncovered by Group-IB Threat Intelligence team in March 2020 and was described in detail in September 2020 in the blog post “OldGremlin: secrets, and dirty tricks“. According to Group-IB, in two and a half years OldGremlin carried out a total of 16 malicious email campaigns.
OldGremlin was most active in 2020. That year, the gang carried out ten campaigns, with emails purporting to be from microfinance companies, a metals and mining company, a tractor manufacturer, and a business media holding. In 2021, the group carried out a single but highly successful campaign: the threat actor impersonating an association of online retailers. In 2022, OldGremlin carried out five campaigns masquerading as tax and legal services companies, a payment system, an IT company, and more.
The group’s victim list includes banks, logistics, and manufacturing companies, insurance firms, retailers, real estate developers, and software companies. In 2020, the group even targeted an arms manufacturer.
According to Group-IB, the average ransom demanded by OldGremlin amounts to $1.7 million, and the highest ransom to date reached $16.9 million. Unlike other ransomware operators involved in Big Game Hunting, OldGremlin tend to take long breaks after successful attacks
The craft of phishing
Like most ransomware groups, OldGremlin used phishing emails to gain initial access. The use of trending news topics (Covid-19, remote work, sanctions) together with well-crafted prepared emails presented masked as interview requests, commercial proposals, and financial documents helped the threat actors to trick the recipients into clicking on links and downloading malicious files. Due to the massive scale of their email campaigns, the gang was able to compromise several working stations at once, which facilitated lateral movement within the victim’s network.
Although OldGremlin mainly targets corporate Windows-based networks, the group’s most recent attacks show that their arsenal includes dedicated ransomware for Linux. The threat actor is up to date on the latest trends in cybersecurity and successfully combines new methods with tried-and-tested tools such as Cobalt Strike and open-source frameworks (e.g., PowerSploit). One of the privilege escalation methods identified by Group-IB was the exploitation of Cisco AnyConnect vulnerabilities. To facilitate attacks, OldGremlin developed an entire Tiny framework and then improved it with each new campaign.
On average, the attackers spend 49 days in the victim’s network before deploying ransomware, which means that in addition to reactive methods of detecting traces of OldGremlin, proactive methods that help prevent the network from being infected by ransomware through email and other channels are also relevant.
The new report takes a deep dive into all 16 campaigns carried out by the group and includes the first description of OldGremlin’s entire kill chain, from gaining initial access to encrypting data and demanding ransoms.
“OldGremlin has debunked the myth that ransomware groups are indifferent to Russian companies. According to our data, the gang’s track record includes almost twenty attacks with multi-million ransom demands, with large companies becoming their preferred targets more often,” says Ivan Pisarev, Head of Dynamic Malware Analysis Team at Group-IB. “Despite the fact that OldGremlin has been focusing on Russia so far, they should not be underestimated elsewhere. Many Russian-speaking gangs started off by targeting companies in post-Soviet space and then switched to other geographies. By publishing the first threat report about OldGremlin we want to help security professionals better track OldGremlin and eliminate the risks of incidents involving the gang.”
