Written by Joe Warminsky
Medical labs, banks, manufacturers and software developers in Russia are the prime targets for a new ransomware gang that began operating with custom tools as early as March of this year, according to researchers at the security vendor Group-IB.
The attackers insert their hacking tools into networks via malware downloaded through spearphishing emails, then encrypt files and hold them ransom for about $50,000, Group IB says. The group, dubbed OldGremlin, has only targeted Russian companies so far, Group-IB says.
It’s rare for a Russian-speaking ransomware group to aim at targets inside Russia but there are precedents, according to Group-IB senior digital forensics analyst Oleg Skulkin, who identified the hacking groups Silence and Cobalt as previous perpetrators.
“What distinguishes OldGremlin from other Russian-speaking threat actors is their fearlessness to work in Russia,” Skulkin said. “This indicates that the attackers are either fine-tuning their techniques benefiting from home advantage before going global … or they are representatives of some of Russia’s neighbors who have a strong command of Russian.” Many of those former Soviet bloc neighbors have tense relationships with Moscow.
OldGremlin’s tools and tactics
The most recent successful attack identified by Group-IB, which has offices in Singapore and Moscow, was against a clinical diagnostics laboratory in August. The attackers faked an email from RBC, Russia’s biggest media holding company, with “Invoice” as the subject. The victim clicked a link that downloaded a .zip archive that contained a “unique custom backdoor” that Group-IB is calling TinyNode. The custom backdoor, dubbed TinyPosh, allowed for the downloading of additional malware, including Cobalt Strike, “laterally and obtain authentication data of domain administrator,” Group-IB says.
The ransomware came later. “Several weeks after the attack’s launch, the cybercriminals deleted server backups before encrypting the victim’s network with the help of TinyCryptor ransomware (aka decr1pt), which is also OldGremlin’s brainchild,” Group-IB reports. Both tools appear to be new, the researchers say. The attackers demanded $50,000 in cryptocurrency and gave a ProtonMail address as a contact.
Besides RBC, OldGremlin has mimicked a variety of entities in its spearphishing emails, including the Russian microfinance organizations MIR and Edinstvo, a dental clinic, a legal office and a Belarus Tractor Works plant.