Russian-speaking group OldGremlin attacks Russian companies and banks



Experts from the information security company Group-IB spoke about a new Russian-speaking cybercriminal group that has repeatedly and purposefully attacked Russian companies and organizations using malware and ransomware over the past six months.

According to the researchers, the group, named OldGremlin, uses a new ransomware-family tool called TinyNode in its attacks; it acts as a first-stage downloader that lets the attackers fetch and run other malicious programs.

OldGremlin attacks usually start with targeted phishing. The emails carry ZIP attachments containing malware that installs the TinyNode backdoor Trojan on the victim organization's systems. In this way the attackers gain a foothold in the company's network, move laterally to other systems, and deploy ransomware at the end of the attack.

Having encrypted the company's data, the OldGremlin criminals usually demand a ransom of about $50,000 to decrypt the information.

Group-IB's experts identified the OldGremlin group in August this year, but its attacks date back to March. In their phishing emails the criminals used a variety of lures, ranging from posing as journalists to using the anti-government rallies in Belarus as a topic of conversation. OldGremlin carried out at least nine malicious campaigns, sending phishing emails purportedly on behalf of the MiR Union of Microfinance Organizations, a Russian metallurgical holding, the Belarusian MTZ plant, a dental clinic, and the RBK media holding.

Russian hackers have an unwritten rule not to operate in Russia and the post-Soviet countries. OldGremlin is the only currently active Russian-speaking ransomware operator that, despite this "unspoken ban", carries out multi-stage targeted attacks on Russian companies and banks using sophisticated tactics and techniques.