Ransomware gang targets Russian businesses in rare coordinated attacks

Security firm Group-IB says it identified a new cybercrime group that, for the past six months, has repeatedly and intentionally targeted Russian businesses with malware and ransomware attacks.

Named OldGremlin, Group-IB says the hackers are behind targeted attacks with a new strain ransomware called TinyCryptor (aka decr1pt).

"They have been trying to target only Russian companies so far," Oleg Skulkin, Group-IB's senior DFIR analyst, told ZDNet this week.

"This is very unusual for Russian-speaking gangs who have this unspoken rule about not working within Russia and post-Soviet countries."

How attacks unfold

OldGremlin attacks usually begin with spear-phishing emails carrying malware-laced ZIP files, which will usually infect the victim org with a backdoor trojan named TinyNode. This grants the attackers an initial foothold on the company's network, where the hackers spread laterally to other systems and then deploy the ransomware in the final stage of their attacks.

Once a network is encrypted, the OldGremlin crew usually asks for around $50,000 in ransom payments using messages left on infected systems and leading back to a ProtonMail address.

Skulkin says Group-IB has identified the OldGremlin group in August, but the group's attacks date back to March, with their phishing emails using a wide variety of lures, ranging from posing as journalists looking for an interview to using the anti-government rallies in Belarus as a conversation starter.

As Skulkin noted, attacks against Russian entities are rare but have happened before. Usually, groups like Silence and Cobalt started small in Russia before expanding operations outward, to nearby countries first, and then to targets all over the world.

"If they are Russian, then it'd be unusual but not unheard of. Just a few weeks ago, we noticed an Initial Access Broker offering an RCE for a Russian bank on a Russian-speaking forum, and MagBo offers multiple webshells on Russian websites," KELA product manager Raveed Laeb, told ZDNet in an interview this week.

"There is also a possibility that they're not Russian but do operate out of CIS countries - for example, anti-Russian Ukrainian nationals probably have a double incentive for attacking Russian entities, both financial and ideological," Laeb added.