Malware is the tool that a new ransomware group – OldGremlin, uses in its ransomware attacks. They target mainly large corporate networks and use self-made backdoors and file-encrypting malware.
Malware from Russia, against Russian companies?
Strangely, the group that has been active since March, targets mainly Russian companies.
The new group seems to be very inventive. For instance, one member managed to trick a bank employee that he was a real journalist and also scheduled an interview. But, just before the interview, the group tricked the clerk to open a link that should have contained the interview questions. Instead, it delivered a Trojan.
In fact, for the first and last phase of the attacks, the group uses self-made backdoors and also file-encrypting malware. The group then come with its own ransomware – “TinyCryptor” and own backdoors – “TinyPosh” and “TinyNode”.
Then they use the Cobalt Strike penetration testing software, after they manage to make their way to the network.
This is how it started
The first malware attack that ended successfully happened in August and targeted a medical company.
The hackers sent an email to an employee, with the title “Bill due”. He clicked on a link inside the message and downloaded an attached ZIP archive.
Windows Defender detected and deleted the malware, but only after 20 seconds. This time was enough for the Trojan to affect the system. Three weeks after, all the employees were greeted with the message: “Your files have been enctrypted.”
According to the Group-IB, in order to decrypt the files, the OldGremlin group asked for a ransomware of $50,000 dollars worth of cryptocurrency.
Oleg Skulkin, from Group-IB, mentioned that the group violates “the unspoken rule about not working within Russia and post-Soviet countries.”
So, Skulkin believes that the group can be classed as part of the Big Game Hunting, that “brings together ransomware operators targeting large corporate networks.”