Researchers at Group-IB, a cybersecurity firm based in Russia that works with Interpol and Europol, are alerting companies about a new threat actor. In a blog post, researchers Rustam Mirkasymov and Oleg Skulkin study a hacker group named OldGremlin in depth as a prime instigator of ransomware attacks. OldGremlin is believed to be made up entirely of native Russians and, breaking with the long-standing code among Russian hackers not to attack Russia or Russian assets, is doing exactly that.
The primary targets of OldGremlin have been what Group-IB dubs “big-game” targets like banking institutions, hospitals, and software developers. The organization’s attack methodology, at least at its core, is described as follows by Mirkasymov and Skulkin:
Group-IB Threat Intelligence analysts established that, at the initial stage, the threat actors used a unique custom malware called TinyNode ⎯ a backdoor that downloads and launches additional malware. After gaining remote access to the victim's computer, the cybercriminals could easily perform network reconnaissance, collect valuable data, and propagate across the organization's network. Like many other groups, OldGremlin used the Cobalt Strike framework to ensure that any post-exploitation activity was as effective as possible.
After the attackers conducted reconnaissance and made sure that they were in the domain that interested them, they continued to move laterally across the network, eventually obtaining domain administrator credentials. They even created an additional account with the same privileges in case the main one was blocked.
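The excerpt above notes that the attackers created a spare account with domain-administrator privileges as a fallback. That behaviour leaves a recognisable trace in Windows Security logs: an account-creation event (4720) followed shortly by the same account being added to a privileged group (4728 for a global group such as Domain Admins, 4756 for a universal group such as Enterprise Admins, 4732 for a local group such as Administrators). The following Python is an added example, not code from Group-IB or the article, that runs that correlation over constructed sample events; the flat event schema (`EventID`, `Time`, `Subject`, `Target`, `Group`) and the sample values are assumptions made for the example.

```python
"""
Correlate Windows Security events to spot a newly created account that is
promoted to a privileged group within a short window, the pattern described
in the Group-IB excerpt. Event records here are constructed for illustration;
the flat dict layout is an assumption about how a SIEM export might look.
"""
from datetime import datetime, timedelta

# Real Security-log event IDs: 4720 user created; 4728/4732/4756 member added
# to a security-enabled global/local/universal group.
ACCOUNT_CREATED = 4720
GROUP_ADD_EVENTS = {4728, 4732, 4756}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins",
                     "Schema Admins", "Administrators"}
DEFAULT_WINDOW = timedelta(hours=24)

# Constructed sample events (not from the article). One benign new hire,
# one suspicious account promoted to Domain Admins 92 seconds after creation,
# and one group add with no matching creation event.
SAMPLE_EVENTS = [
    {"EventID": 4720, "Time": "2020-08-11T09:02:10", "Subject": "CORP\\jdoe",
     "Target": "CORP\\svc_backup2", "Group": None},
    {"EventID": 4728, "Time": "2020-08-11T09:03:42", "Subject": "CORP\\jdoe",
     "Target": "CORP\\svc_backup2", "Group": "Domain Admins"},
    {"EventID": 4720, "Time": "2020-08-11T10:15:00", "Subject": "CORP\\helpdesk",
     "Target": "CORP\\newhire17", "Group": None},
    {"EventID": 4728, "Time": "2020-08-11T10:16:30", "Subject": "CORP\\helpdesk",
     "Target": "CORP\\newhire17", "Group": "Sales"},
    {"EventID": 4728, "Time": "2020-08-11T11:00:00", "Subject": "CORP\\admin1",
     "Target": "CORP\\admin1_old", "Group": "Domain Admins"},
]


def _when(event):
    return datetime.fromisoformat(event["Time"])


def find_fresh_privileged_accounts(events, window=DEFAULT_WINDOW):
    """Return one finding per account that was created and then added to a
    privileged group within `window`. Each finding records who did it and
    how many seconds elapsed between creation and promotion."""
    created = {}  # target account -> (creation time, creating subject)
    findings = []
    for event in sorted(events, key=_when):
        if event["EventID"] == ACCOUNT_CREATED:
            created[event["Target"]] = (_when(event), event["Subject"])
            continue
        if event["EventID"] not in GROUP_ADD_EVENTS:
            continue
        if event["Group"] not in PRIVILEGED_GROUPS:
            continue
        creation = created.get(event["Target"])
        if creation is None:
            continue  # promotion of an account we did not see created
        created_at, creator = creation
        elapsed = _when(event) - created_at
        if elapsed <= window:
            findings.append({
                "account": event["Target"],
                "group": event["Group"],
                "created_by": creator,
                "promoted_by": event["Subject"],
                "seconds_between": int(elapsed.total_seconds()),
            })
    return findings


if __name__ == "__main__":
    for finding in find_fresh_privileged_accounts(SAMPLE_EVENTS):
        print(f"{finding['account']} added to {finding['group']} "
              f"{finding['seconds_between']}s after creation "
              f"(created by {finding['created_by']}, "
              f"promoted by {finding['promoted_by']})")
```

In a real deployment the same logic would consume events from the domain controllers' Security logs rather than an in-memory list, and the window and group set would be tuned to the environment; a legitimate administrator onboarding is the usual false positive, which the `created_by`/`promoted_by` fields help triage.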
OldGremlin primarily uses spear-phishing to get its ransomware deployed. Once they encrypt files, they demand a large cryptocurrency payoff to remove the malware. Their spear-phishing emails convincingly impersonate journalists and industry professionals (tailored to each target), easily tricking unaware victims. In the researchers' opinion, it was the shift to remote work brought on by COVID-19 that prompted OldGremlin to begin its ransomware attacks.
The pandemic has been instrumental in an uptick in cybercrime, and OldGremlin is just the latest player to enter the game.
Featured image: Flickr/ Inti