OldGremlin Ransomware Targeted Over a Dozen Russian Entities in Multi-Million Scheme

A Russian-speaking ransomware group dubbed OldGremlin has been attributed to 16 malicious campaigns aimed at entities operating in the transcontinental Eurasian nation over the course of two and a half years.

“The group’s victims include companies in sectors such as logistics, industry, insurance, retail, real estate, software development, and banking,” Group-IB said in an exhaustive report shared with The Hacker News. “In 2020, the group even targeted an arms manufacturer.”

In what’s a rarity in the ransomware landscape, OldGremlin (aka TinyScouts) is one of the very few financially motivated cybercrime gangs that primarily focuses on Russian companies.

Other notable groups consist of Dharma, Crylock, and Thanos, contributing to an uptick in ransomware attacks targeting businesses in the country by over 200% in 2021.

OldGremlin first came to light in September 2020 when the Singapore-headquartered cybersecurity company disclosed nine campaigns orchestrated by the actor between May and August. The first attack was detected in early April 2020.

In all, the group is said to have conducted 10 phishing email campaigns in 2020, followed by one highly successful attack in 2021 and five more in 2022, with ransom demands touching a record $16.9 million.

“OldGremlin thoroughly studies their victims,” Group-IB explained. “The demanded ransom is therefore often proportional to the company’s size and revenue and is obviously higher than the budget necessary for ensuring a suitable level of information security.”

Known to mainly target enterprise networks running on Windows, attacks mounted by OldGremlin have leveraged phishing emails masquerading as tax and legal services companies to dupe victims into clicking on fraudulent links and downloading malicious files, allowing the attackers to worm their way inside the networks.

“The threat actors often pose as well-known companies, including the media group RBC, the legal assistance system Consultant Plus, the company 1C-Bitrix, the Russian Union of Industrialists and Entrepreneurs, and Minsk Tractor Works,” Group-IB said.

Upon gaining an initial foothold, OldGremlin moves to establish persistence by creating scheduled tasks, gaining elevated privileges using Cobalt Stroke, and even flaw in Cisco AnyConnect (CVE-2020-3153 and CVE-2020-3433), while also gaining remote access to the compromised infrastructure using tools such as TeamViewer.

Some of the aspects that make the crew stand out from other ransomware groups is that it doesn’t rely on double extortion to coerce targeted companies into paying up despite exfiltrating the data. It has also been observed taking long breaks after each successful attack.

What’s more, the average dwell time until ransomware deployment has been pegged at 49 days, well above the reported 11 day median dwell time, suggesting extended efforts on part of the actor to examine the breached domain (which is achieved using a tool called TinyScout).

OldGremlin’s most recent phishing wave occurred on August 23, 2022, with emails embedding links pointing to a ZIP archive payload hosted on Dropbox to activate the killchain.

These archive files, in turn, harbor a rogue LNK file (dubbed TinyLink) that downloads a backdoor called TinyFluff, which is one among the four implants used by the group: TinyPosh, TinyNode, and TinyShell, before deleting data backups and dropping the .NET-based TinyCrypt ransomware.

• TinyPosh: A PowerShell trojan engineered to collect and transfer sensitive information about the infected system to a remote server, and launch additional PowerShell scripts.
• TinyNode: A backdoor that runs the Node.js interpreter to execute commands received from a command-and-control (C2) server over the Tor network.
• TinyFluff: A successor to TinyNode, which is used as the primary downloader for receiving and running malicious scripts.

Also put to use by OldGremlin are other tools such as TinyShot, a console utility for capturing screenshots, TinyKiller, which kills antivirus processes via a bring your own vulnerable driver (BYOVD) attack targeting gdrv.sys and RTCore64.sys drivers.

It’s worth noting that the operators behind the BlackByte ransomware group were also recently found leveraging the same flaw in the RTCore64.sys driver to turn off security solutions in the hacked machines.

One other unusual application used by OldGremlin in its attacks is a .NET console app called TinyIsolator, which temporarily cuts off the host from the network by disabling network adaptors prior to executing the ransomware.

On top of that, the group’s malware arsenal encompasses a Linux version of TinyCrypt, which is written in GO and launched after deleting .bash_history files, changing user passwords to limit access to the compromised host, and disabling SSH.

“OldGremlin has debunked the myth that ransomware groups are indifferent to Russian companies,” Ivan Pisarev, head of dynamic malware analysis team at Group-IB, said.

“Despite the fact that OldGremlin has been focusing on Russia so far, they should not be underestimated elsewhere. Many Russian-speaking gangs started off by targeting companies in post-Soviet space and then switched to other geographies.”