A new ransomware threat actor has emerged under the code name “OldGremlin.” The group is responsible for at least nine ransomware attacks since March of this year. To date, it has only attacked prominent Russian businesses, ranging from medical labs to software developers. OldGremlin uses custom backdoors (TinyPosh and TinyNode) and ransomware (TinyCrypt, a.k.a. decr1pt). Its tactics show that the group is well versed in social engineering, and it often uses current events to increase the credibility of its lures. The threat actors delivered the malware through zip file attachments in email messages purporting to be invoices. Even though Windows Defender detected and deleted the malware file just 20 seconds after execution, that was all the time it took to install persistent hooks that gave the attackers unfettered and undetected remote access. After exploring the victim network and gaining access to administrator credentials, the group deployed ransomware over a weekend that affected hundreds of computers and wiped out all the backup files.
By Anthony Zampino

Introduction

Leading up to the most recent Russian invasion of Ukraine in