23 September 2020

Big Game Hunting comes to Big Country: Group-IB detects series of ransomware attacks by OldGremlin

Group-IB, a global threat hunting and intelligence company headquartered in Singapore, has detected a successful attack by a ransomware gang, codenamed OldGremlin. The Russian-speaking threat actors are relatively new to Big Game Hunting. Since March, the attackers have been attempting multistage attacks on the large corporate networks of medical labs, banks, manufacturers, and software developers in Russia. The operators use a suite of custom tools with the ultimate goal of encrypting files on the infected systems and holding them for a ransom of about $50,000.

The first successful OldGremlin attack known to the Group-IB team was detected in August. The Group-IB Threat Intelligence team has also collected evidence of earlier campaigns dating back to the spring of this year. The group has targeted only Russian companies so far, which was typical of many Russian-speaking adversaries, such as Silence and Cobalt, at the beginning of their criminal careers. Using Russia as a testing ground, these groups later switched to other geographies to keep their distance from the victim country's law enforcement and decrease their chances of ending up behind bars.

Unsought invoice

As the initial vector of their attacks, OldGremlin uses spearphishing emails, to which the group takes a creative approach. In particular, they used the names of real senders and, in one instance, sent out emails in several stages, making the victims believe they were arranging an interview with a journalist from a popular Russian business newspaper. In other instances, the gang exploited the COVID-19 theme and the anti-government rallies in Belarus in their phishing emails.

The most recent successful attack known to the Group-IB Threat Intelligence team took place in August, when OldGremlin targeted a clinical diagnostics laboratory operating throughout the country. Analysis of the incident revealed that the ransomware attack started with a phishing email sent on behalf of a major Russian media holding company, with the subject «Invoice». In the email, OldGremlin told the recipient that they had been unable to reach the victim's colleague and stressed the urgency of paying the bill, a link to which was included in the message body. By clicking the link, the victim downloaded a ZIP archive containing a unique custom backdoor, dubbed TinyNode. The backdoor downloads and installs additional malware on the infected machine.

The cybercriminals then used the remote access to the victim's computer obtained via TinyNode as a foothold for network reconnaissance, data gathering, and lateral movement within the victim's network. As part of their post-exploitation activity, OldGremlin used Cobalt Strike to move laterally and obtain the credentials of a domain administrator.

Several weeks after the attack began, the cybercriminals deleted server backups before encrypting the victim's network with the TinyCryptor ransomware (aka decr1pt), which is also OldGremlin's own creation. Once the work of the company's regional branches had been paralyzed, they demanded about $50,000 in cryptocurrency. As a point of contact, the threat actors provided an email address registered with ProtonMail.

Up-to-date phishing

Group-IB Threat Intelligence experts have also detected other phishing campaigns carried out by the group, the first of which occurred in late March to early April. Back then, the group sent emails to financial organizations from an address that mimicked that of a Russian microfinance organization, offering the recipients guidelines on how to organize safe remote work during the COVID-19 pandemic. This was the first time OldGremlin used their other custom backdoor, TinyPosh, which allows the attackers to download additional modules from their C2. To hide their C&C server, OldGremlin used Cloudflare Workers.

Two weeks after the above-mentioned malicious mailing, OldGremlin, keeping up with the news agenda, sent out emails with the subject «All-Russian study of the banking and financial sectors during the pandemic», purporting to be from a real journalist at a major Russian media holding. The sender asked for an online interview, proposed scheduling it via Calendly, and informed the recipient that the interview questions had been uploaded to a cloud platform. As in their first campaign, the link delivered the custom TinyPosh Trojan.

Fig. 1 Phishing email sent on behalf of a Belarusian plant

Another round of OldGremlin phishing emails was detected by CERT-GIB on August 19, when the group sent out messages exploiting the protests in Belarus. The email, which claimed to be from the CEO of the Minsk Tractor Works plant, informed the company's partners that the enterprise was being investigated by the country's prosecutor's office over its participation in the anti-government protests and asked them to send missing documents. The list of required documents was reportedly attached to the email; attempting to download it, however, installed TinyPosh on the user's computer. Between May and August, Group-IB detected nine campaigns conducted by the group.

What distinguishes OldGremlin from other Russian-speaking threat actors is their willingness to operate in Russia. This indicates that the attackers are either fine-tuning their techniques with a home-field advantage before going global, as Silence and Cobalt did, or that they come from one of Russia's neighbors and have a strong command of Russian. Amid global tensions, cybercriminals have learned to navigate the political agenda, which gives us grounds to suggest that the attackers might come from one of the post-Soviet countries with which Russia has disputes or weak ties.

Oleg Skulkin


Senior Digital Forensics analyst

Despite the vim shown by ransomware operators recently, there is still a number of measures that can be taken to fight off ransomware attacks. They include, among others, using multifactor authentication, using complex passwords for the accounts used for access via RDP and changing them regularly, restricting the list of IP addresses that can be used to make external RDP connections, etc. Relevant threat intelligence and a proactive approach to threat hunting are paramount in building a resilient infrastructure. Implementing the Group-IB Threat Detection System allows hunting for advanced threats on both the network and host levels.
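The RDP-related measures listed above (restricting the source addresses that may open external RDP connections, and making credentials harder to abuse) can be enforced on a Windows host with the built-in firewall and Terminal Services settings. The script below is an added example written for this page; it is not Group-IB's code or part of the original post. The allow-list addresses and the rule name are placeholders that you must replace with your own management subnet or jump host before running it.

```powershell
# Added example (not from Group-IB's post): restrict inbound RDP to an allow-list
# and require Network Level Authentication, matching the mitigations quoted above.
# $AllowedRdpSources is a placeholder; substitute your own management network.
#Requires -RunAsAdministrator

$AllowedRdpSources = @('10.10.0.0/24', '192.0.2.10')     # placeholder: management subnet + jump host
$RuleName          = 'RDP - restricted inbound (allow-list)'
$RdpTcpKey         = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Require Network Level Authentication: the client must authenticate before a
#    session is created, which blocks unauthenticated probing of the logon screen.
Set-ItemProperty -Path $RdpTcpKey -Name 'UserAuthentication' -Value 1 -Type DWord

# 2. Disable the stock "Remote Desktop" firewall rule group, which accepts RDP from any address.
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue

# 3. Create (or update) one inbound rule for TCP/3389 scoped to the allow-list only.
$existing = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if ($existing) {
    Set-NetFirewallRule -DisplayName $RuleName -RemoteAddress $AllowedRdpSources -Enabled True
} else {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP -LocalPort 3389 `
        -RemoteAddress $AllowedRdpSources -Action Allow -Profile Any | Out-Null
}

# 4. Verify the resulting state: the rule is enabled, lists only the intended sources,
#    and NLA is switched on. Review this output before closing your current session.
$rule  = Get-NetFirewallRule -DisplayName $RuleName
$scope = $rule | Get-NetFirewallAddressFilter
[pscustomobject]@{
    Rule          = $rule.DisplayName
    Enabled       = $rule.Enabled
    RemoteAddress = ($scope.RemoteAddress -join ', ')
    NlaRequired   = ((Get-ItemProperty -Path $RdpTcpKey).UserAuthentication -eq 1)
}
```

Run it from an elevated PowerShell session. Disabling the "Remote Desktop" group also removes the UDP/3389 and shadowing rules, so add equivalent scoped rules if you rely on those; and because the change takes effect immediately, apply it from a console or from an address that is on the allow-list, otherwise your own session will be cut off. The script does not replace multifactor authentication or a password-rotation policy, which have to be configured at the identity-provider or domain level.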

Group-IB is one of the leading providers of solutions dedicated to detecting and preventing cyberattacks, identifying online fraud, investigating high-tech crimes, and protecting intellectual property, headquartered in Singapore. The company's threat intelligence and research centers are located in the Middle East (Dubai), the Asia-Pacific (Singapore), Europe (Amsterdam), and Russia (Moscow).

Group-IB's Threat Intelligence & Attribution system has been named one of the best in class by Gartner, Forrester, and IDC. Group-IB's Threat Hunting Framework (earlier known as TDS), intended for the proactive search for and protection against complex and previously unknown cyberthreats, has been recognized as one of the leaders in Network Detection and Response by the leading European analyst agency KuppingerCole Analysts AG, while Group-IB itself has been recognized as a Product Leader and Innovation Leader. Gartner identified Group-IB as a Representative Vendor in Online Fraud Detection for its Fraud Hunting Platform. In addition, Group-IB was granted Frost & Sullivan's Innovation Excellence award for its Digital Risk Protection (DRP), an AI-driven platform for identifying and mitigating digital risks and counteracting brand impersonation attacks, with the company's patented technologies at its core.

Group-IB’s technological leadership and R&D capabilities are built on the company’s 18 years of hands-on experience in cybercrime investigations worldwide and 70,000 hours of cybersecurity incident response accumulated in our leading forensic laboratory, high-tech crime investigations department, and round-the-clock CERT-GIB. Group-IB is a partner of Europol.

Group-IB’s experience in threat hunting and cyber intelligence has been fused into an ecosystem of highly sophisticated software and hardware solutions designed to monitor, identify, and prevent cyberattacks. Group-IB’s mission is to fight high-tech crime while protecting our clients in cyberspace and helping them achieve their goals. To do so, we analyze cyber threats, develop our infrastructure to monitor them, respond to incidents, investigate complex high-tech crimes, and design unique technologies, solutions, and services to counteract adversaries.
