OldGremlin: ransomware gang getting on Russia's bad side

Updated on: 20 October 2022

Jurgita Lapienytė
Chief Editor

The Russian-speaking gang carried out 16 malicious campaigns in just two years and a half. They are mainly extorting Russian entities but looking to explore new geographies in the future.

For the second year in a row, OldGremlin demanded the highest ransom from Russian companies: the largest ransom amounted to $4.2 million in 2021, and this year, it soared to $16.9 million, cybersecurity company Group-IB said.

Russia has been turning a blind eye to cybercriminal gangs, given they primarily target American entities.

However, this paradigm has begun to shift, Group-IB said. In 2021, the number of ransomware attacks on Russian organizations more than doubled, and OldGremlin is among the most notorious ransomware gangs targeting the region.

“OldGremlin has debunked the myth that ransomware groups are indifferent to Russian companies,” says Ivan Pisarev, Head of the Dynamic Malware Analysis Team at Group-IB. “Despite the fact that OldGremlin has been focusing on Russia so far, they should not be underestimated elsewhere.”

The gang has launched 16 attacks, targeting banks, logistics, manufacturing, insurance, real estate, and software companies. In 2020, it went after an arms manufacturer.

“Unlike other ransomware operators involved in Big Game Hunting, OldGremlin tends to take long breaks after successful attacks,” Group-IB said.

Researchers noted that OldGremlin deployed phishing to gain initial access and exploited the sentiments surrounding COVID-19, remote work, and sanctions. They faked interview requests, commercial proposals, and financial documents to trick their victims into downloading malicious files.

OldGremlin was observed targeting Windows-based networks, but their most recent attacks show that their arsenal included ransomware dedicated to Linux.

“The threat actor is up to date on the latest trends in cybersecurity and successfully combines new methods with tried-and-tested tools such as Cobalt Strike and open-source frameworks (e.g., PowerSploit). One of the privilege escalation methods identified by Group-IB was the exploitation of Cisco AnyConnect vulnerabilities. To facilitate attacks, OldGremlin developed an entire Tiny framework and then improved it with each new campaign,” Group IB said, sharing the report based on a deep dive into all 16 campaigns.