OldGremlin ransomware expands its toolkit for targeted attacks

October 28, 2022

A ransomware group called OldGremlin, which primarily targets Russian organisations, has reportedly expanded its malware toolkit to attack Linux computers. The Russian-speaking members of the group have used their self-made malware since March 2020 to attack Russian companies in the logistics, insurance, retail, financial, IT and real estate sectors.

OldGremlin, whose campaigns are dubbed TinyScouts, runs only a small number of attack campaigns each year, but in each one the group demands a multi-million-dollar ransom from its victims. Five OldGremlin attacks were identified this year; despite the small number of campaigns, the group has collected a total of $16.9 million in ransom demands from its victims within two years of activity.


Since the ransomware group’s initial activities in March 2020, experts said OldGremlin possessed sophisticated attack TTPs.


In one of the group's campaigns spotted this year, security researchers found a compromised Linux computer infected with a Go-language variant of the TinyCrypt ransomware that OldGremlin uses to encrypt Windows machines.

According to the researchers, the group's ransomware works the same way on Linux and Windows machines. Both variants encrypt files with the AES algorithm using a 256-bit key in CBC block cipher mode, and that key is in turn encrypted with the RSA-2048 asymmetric cryptosystem.

In these attacks the ransomware targets files with extensions such as .RAW, .ZST, .CSV, .IMG, .ISO, .SQL, .TAR, .TGZ, .DAT, .GZ and .DUMP, and appends a .crypt extension to each encrypted file. The malware binary itself is packed with the Ultimate Packer for eXecutables (UPX).
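As an added triage example, not code from the article or from the researchers it cites, the script below walks a directory and flags two artifacts the article describes: file names where .crypt has been appended to one of the listed data extensions, and ELF binaries that still carry the "UPX!" marker UPX writes into packed executables. The naming pattern, the sample files and the assumption that the marker has not been stripped are all constructed for this example.

```python
import os
import tempfile
from pathlib import Path

# Data extensions the article lists as targeted by the Linux variant.
TARGET_EXTS = {".raw", ".zst", ".csv", ".img", ".iso", ".sql",
               ".tar", ".tgz", ".dat", ".gz", ".dump"}
ENCRYPTED_SUFFIX = ".crypt"   # appended to encrypted files, per the article
ELF_MAGIC = b"\x7fELF"
UPX_MARKER = b"UPX!"          # magic UPX leaves in packed files; a heuristic only

def is_encrypted_name(name: str) -> bool:
    """True for names of the form <stem>.<target ext>.crypt (case-insensitive)."""
    lower = name.lower()
    if not lower.endswith(ENCRYPTED_SUFFIX):
        return False
    original = lower[: -len(ENCRYPTED_SUFFIX)]
    return os.path.splitext(original)[1] in TARGET_EXTS

def looks_upx_packed(data: bytes) -> bool:
    """ELF image that still carries the UPX marker; a stripped marker defeats this."""
    return data.startswith(ELF_MAGIC) and UPX_MARKER in data

def scan(root: str) -> dict:
    """Walk root and return file names grouped by heuristic, sorted for stable output."""
    hits = {"encrypted": [], "packed_elf": []}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if is_encrypted_name(path.name):
            hits["encrypted"].append(path.name)
        elif looks_upx_packed(path.read_bytes()):
            hits["packed_elf"].append(path.name)
    return {k: sorted(v) for k, v in hits.items()}

def run_demo() -> dict:
    """Constructed sample tree: two encrypted-looking names, one fake packed ELF."""
    samples = {
        "backup.sql.crypt": b"\x00" * 16,          # target ext + .crypt -> hit
        "vm-disk.IMG.crypt": b"\x00" * 16,         # case differs -> still a hit
        "notes.txt.crypt": b"\x00" * 16,           # .txt not in the list -> ignored
        "dropper": ELF_MAGIC + b"\x00" * 28 + UPX_MARKER + b"\x00" * 8,
        "ls": ELF_MAGIC + b"\x00" * 60,            # unpacked ELF -> ignored
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            Path(root, name).write_bytes(body)
        return scan(root)
```

Run `run_demo()` to see the constructed hits; point `scan()` at a mounted image of a suspect host for real triage.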

Furthermore, the group's campaigns mostly revolve around phishing schemes that impersonate well-known companies to trick their victims. The researchers noticed that in one of this year's operations the OldGremlin gang changed its malware delivery, tricking victims into downloading a malicious document from a file-sharing platform instead of distributing the initial-stage payload directly as a malicious file.

With its toolkit expanded for more advanced attacks, researchers stated that the group is now equipped with a reconnaissance tool, malicious LNK files, backdoors, a data extraction tool, an anti-detection tool, a tool that can isolate a device from the network it is connected to, and the TinyCrypt ransomware.

From this closer look at the group's TTPs, the researchers explained that OldGremlin leaves its victims with no option but to pay the ransom, regardless of its towering price. With about 16 attacks attributed to OldGremlin in total, there is no doubt that the group runs powerful campaigns that earn it multi-million-dollar profits from its victims.
