A new ransomware threat actor has emerged under the code name “OldGremlin.” The group is responsible for at least nine ransomware attacks since March of this year. To date, it has attacked only prominent Russian businesses, ranging from medical labs to software developers. OldGremlin uses custom backdoors (TinyPosh and TinyNode) and ransomware (TinyCrypt, a.k.a. decr1pt). Its tactics show that the group is very familiar with social engineering, and it often builds its lures around current events to make them more credible. The threat actors delivered the malware through zip file attachments in email messages purporting to be an invoice. Even though Windows Defender detected and deleted the malware file just 20 seconds after execution, that was all the time the malware needed to install persistent hooks that gave the attackers unfettered and undetected remote access. After exploring the victim network and obtaining administrator credentials, the group deployed ransomware over a weekend, affecting hundreds of computers and wiping out all the backup files.
Many believe that the members of OldGremlin are primarily Russian speakers, based on the businesses they have attacked. It is also likely that the group is operating in an environment it is comfortable with before going global. Like many threat actors, OldGremlin uses phishing campaigns to gain a foothold in a network. Every organization should constantly remind employees of its security protocols and of how to detect phishing emails. Backup files should be kept safely offline so that intruders cannot delete them as part of a ransomware operation.
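The delivery method described above (a zip "invoice" attachment that carries an executable) is the kind of thing a mail gateway can screen for before the file ever reaches a user, which matters because, as the article notes, 20 seconds of execution was enough to establish persistence. The following Python script is an added example and is not code from the article or from any vendor it mentions: it parses an email message, opens any zip attachment in memory (recursing into nested zips), flags members with executable or script extensions, and returns a quarantine/deliver verdict. The extension blocklist, lure keywords and sample messages are constructed for this example and are not taken from the OldGremlin campaign.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed policy for this example: extensions that have no business inside an
# "invoice" archive. Tune to your environment; this is not a list from the article.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".dll", ".js", ".jse", ".vbs", ".vbe", ".wsf",
    ".hta", ".lnk", ".cmd", ".bat", ".ps1",
}
# Constructed lure keywords; only used to annotate the verdict, not to decide it.
LURE_KEYWORDS = ("invoice", "bill", "payment")


def inspect_zip_bytes(data: bytes) -> list[str]:
    """Return member names whose extension is blocklisted, walking nested zips."""
    findings: list[str] = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                name = info.filename
                lower = name.lower()
                if lower.endswith(".zip"):
                    # Nested archive: recurse and prefix findings with the outer name.
                    findings.extend(f"{name}/{n}" for n in inspect_zip_bytes(zf.read(info)))
                    continue
                if any(lower.endswith(ext) for ext in EXECUTABLE_EXTENSIONS):
                    findings.append(name)
    except zipfile.BadZipFile:
        # A zip that will not parse is itself suspicious; surface it rather than pass it.
        findings.append("<malformed zip>")
    return findings


def triage_message(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and decide whether its zip attachments are safe to deliver."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    subject = msg.get("Subject", "")
    lure = any(k in subject.lower() for k in LURE_KEYWORDS)
    flagged = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        if not filename.lower().endswith(".zip"):
            continue
        payload = part.get_payload(decode=True)
        hits = inspect_zip_bytes(payload)
        if hits:
            flagged.append({"attachment": filename, "members": hits})
    verdict = "quarantine" if flagged else "deliver"
    return {"subject": subject, "invoice_lure": lure, "flagged": flagged, "verdict": verdict}


# Helpers to build constructed sample input so the example runs offline.
def make_zip(members: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_message(zip_bytes: bytes, subject: str) -> bytes:
    msg = EmailMessage()
    msg["From"] = "accounts@example-supplier.invalid"   # constructed sender
    msg["To"] = "finance@example-victim.invalid"        # constructed recipient
    msg["Subject"] = subject
    msg.set_content("Please find the invoice attached.")
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip", filename="invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    benign = build_sample_message(make_zip({"invoice.pdf": b"%PDF-1.4 ..."}), "Invoice #1042")
    lure = build_sample_message(make_zip({"invoice.pdf.exe": b"MZ..."}), "Invoice #1042")
    nested = build_sample_message(make_zip({"inner.zip": make_zip({"payload.js": b"//"})}), "Payment")
    for raw in (benign, lure, nested):
        print(triage_message(raw))
```

The decision is made on archive contents, not on the subject line: lure keywords are recorded for the analyst but a zip with an executable inside is quarantined regardless, and a nested zip is unpacked in memory so the common "zip inside a zip" evasion does not slip past the extension check.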