OldGremlin Ransomware Gang Known for Targeting Russia Launches Linux Malware

OldGremlin is a notorious ransomware group known for targeting Russian organizations and has launched a wide-scale multi-million campaign. Their targets are Russian entities, and the group demands large ransoms in return. The gang’s victims include organizations in insurance, logistics, retail, software development, real estate, and banking.

According to a report from Group-IB, OldGremlin ransomware gang is a Russian-speaking ransomware gang that has been fairly active since 2020 and around sixteen malicious campaigns have been attributed to this gang during the past two and a half years. All of these targeted Russian organizations.

Also known as TinyScouts; OldGremlin is among the few financially motivated cybercrime groups (other groups include Crylock, Dharma, and Thanos), focusing primarily on Russian entities.

So far, OldGremlin ransomware gang has conducted ten phishing email campaigns, all launched in 2020, a successful ransomware attack in 2021, and five attacks in 2022. Their ransom demands have been comparatively higher. In some cases, the group even asked for $16.9 million and netted around $30 million in illegal revenues.

Group-IB

In its debut year, 2020, the gang carried out dozens of campaigns targeting micro-finance firms, a tractor manufacturer, a metals and mining firm, and business media holding firm consecutively.

“The demanded ransom is therefore often proportional to the company’s size and revenue and is obviously higher than the budget necessary for ensuring a suitable level of information security.”

Group-IB

Campaign Details

According to Group-IB’s press release, OldGremlin has developed a new malware for Linux systems. The group poses as reputed firms such as media group RBC, Russian Union of Industrialists, 1C-Bitrix, or legal assistance provider Consultant Plus to infiltrate networks via phishing emails.

The group manages to achieve initial success via a phishing email and deploys tools like Cobalt Strike for lateral movement. It establishes persistence through the creation of scheduled tasks and obtaining escalated privileges.

It also exploits a flaw in Cisco AnyConnect (CVE-2020-3153 and CVE-2020-3433) and gains remote access to the targeted infrastructure using tools like TeamViewer. Once this is done, the group stays inside the victim’s network for around 49 days and then launches the ransomware.

Victims can contain the threat using an effective malware detection solution during this time. Group-IB noted that the most recent phishing wave assigned to OldGremlin ransomware occurred on 23 August 2022 in which phishing emails embedded links to a ZIP archive payload hosted on Dropbox for activating the killchain.

Resultantly, the archive files launch a rogue LNK file (TinyLink) for downloading a backdoor (TinyFluff). Moreover, the group uses other implants besides TinyFluff, including TinyPosh, TinyShell, TinyNode, before deleting data backups. Then it launched the .NET-based TinyCrypt ransomware.

Although the group is focused on Russian organizations, Group-IB noted that it might expand its geographical boundaries after some time.

1. New DDoS Malware ‘Chaos’ Hits Linux and Windows Devices
2. Windows, Linux and macOS Users Targeted by Chinese APT Group
3. DDoS App Meant to Hit Russia Infected Phones of Ukrainian Activists
4. President Putin’s Economic Forum Speech Delayed due to DDoS Attack
5. Feds Dismantle Russian Rsocks Botnet Powered by Millions of IoT Devices