Home Security OldGremlin Ransomware Focused Over a Dozen Russian Entities in Multi-Million Scheme

OldGremlin Ransomware Focused Over a Dozen Russian Entities in Multi-Million Scheme

by crpt os


A Russian-speaking ransomware group dubbed OldGremlin has been attributed to 16 malicious campaigns aimed at entities operating in the transcontinental Eurasian nation over the course of two and a half years.

“The group’s victims include companies in sectors such as logistics, industry, insurance, retail, real estate, software development, and banking,” Group-IB said in an exhaustive report shared with The Hacker News. “In 2020, the group even targeted an arms manufacturer.”

In what’s a rarity in the ransomware landscape, OldGremlin (aka TinyScouts) is one of the very few financially motivated cybercrime gangs that primarily focuses on Russian companies.

Other notable groups consist of Dharma, Crylock, and Thanos, contributing to an uptick in ransomware attacks targeting businesses in the country by over 200% in 2021.

OldGremlin first came to light in September 2020 when the Singapore-headquartered cybersecurity company disclosed nine campaigns orchestrated by the actor between May and August. The first attack was detected in early April 2020.

In all, the group is said to have conducted 10 phishing email campaigns in 2020, followed by one highly successful attack in 2021 and five more in 2022, with ransom demands touching a record $16.9 million.

“OldGremlin thoroughly studies their victims,” Group-IB explained. “The demanded ransom is therefore often proportional to the company’s size and revenue and is obviously higher than the budget necessary for ensuring a suitable level of information security.”

CyberSecurity

Known to mainly target enterprise networks running on Windows, attacks mounted by OldGremlin have leveraged phishing emails masquerading as tax and legal services companies to dupe victims into clicking on fraudulent links and downloading malicious files, allowing the attackers to worm their way inside the networks.

“The threat actors often pose as well-known companies, including the media group RBC, the legal assistance system Consultant Plus, the company 1C-Bitrix, the Russian Union of Industrialists and Entrepreneurs, and Minsk Tractor Works,” Group-IB said.

Upon gaining an initial foothold, OldGremlin moves to establish persistence by creating scheduled tasks, gaining elevated privileges using Cobalt Stroke, and even flaw in Cisco AnyConnect (CVE-2020-3153 and CVE-2020-3433), while also gaining remote access to the compromised infrastructure using tools such as TeamViewer.

Some of the aspects that make the crew stand out from other ransomware groups is that it doesn’t rely on double extortion to coerce targeted companies into paying up despite exfiltrating the data. It has also been observed taking long breaks after each successful attack.

What’s more, the average dwell time until ransomware deployment has been pegged at 49 days, well above the reported 11 day median dwell time, suggesting extended efforts on part of the actor to examine the breached domain (which is achieved using a tool called TinyScout).

OldGremlin’s most recent phishing wave occurred on August 23, 2022, with emails embedding links pointing to a ZIP archive payload hosted on Dropbox to activate the killchain.

These archive files, in turn, harbor a rogue LNK file (dubbed TinyLink) that downloads a backdoor called TinyFluff, which is one among the four implants used by the group: TinyPosh, TinyNode, and TinyShell, before deleting data backups and dropping the .NET-based TinyCrypt ransomware.

  • TinyPosh: A PowerShell trojan engineered to collect and transfer sensitive information about the infected system to a remote server, and launch additional PowerShell scripts.
  • TinyNode: A backdoor that runs the Node.js interpreter to execute commands received from a command-and-control (C2) server over the Tor network.
  • TinyFluff: A successor to TinyNode, which is used as the primary downloader for receiving and running malicious scripts.

Also put to use by OldGremlin are other tools such as TinyShot, a console utility for capturing screenshots, TinyKiller, which kills antivirus processes via a bring your own vulnerable driver (BYOVD) attack targeting gdrv.sys and RTCore64.sys drivers.

CyberSecurity

It’s worth noting that the operators behind the BlackByte ransomware group were also recently found leveraging the same flaw in the RTCore64.sys driver to turn off security solutions in the hacked machines.

One other unusual application used by OldGremlin in its attacks is a .NET console app called TinyIsolator, which temporarily cuts off the host from the network by disabling network adaptors prior to executing the ransomware.

On top of that, the group’s malware arsenal encompasses a Linux version of TinyCrypt, which is written in GO and launched after deleting .bash_history files, changing user passwords to limit access to the compromised host, and disabling SSH.

“OldGremlin has debunked the myth that ransomware groups are indifferent to Russian companies,” Ivan Pisarev, head of dynamic malware analysis team at Group-IB, said.

“Despite the fact that OldGremlin has been focusing on Russia so far, they should not be underestimated elsewhere. Many Russian-speaking gangs started off by targeting companies in post-Soviet space and then switched to other geographies.”





Source link

Related Articles

xxxanti beeztube.mobi hot sexy mp4 menyoujan hentaitgp.net jason voorhees hentai indian soft core chupatube.net youjzz ez2 may 8 2023 pinoycinema.org ahensya ng pamahalaan pakistani chut ki chudai pimpmovs.com www xvedio dost ke papa zztube.mobi 300mbfilms.in صور مص الزب arabporna.net نهر العطش لمن تشعر بالحرمان movierulz plz.in bustyporntube.info how to make rangoli video 穂高ゆうき simozo.net 四十路五十路 ロシアav javvideos.net 君島みお 無修正 افلام سكس في المطبخ annarivas.net فيلم سكس قديم rashmi hot videos porncorn.info audiosexstories b grade latest nesaporn.pro high school girls sex videos real life cam eroebony.info painfull porn exbii adult pics teacherporntrends.com nepali school sex