OldGremlin, which targets Russia, debuts new Linux ransomware


It is one of the few ransomware groups in the world that prefers to target Russian organisations, but experts advise that this may change

Russian-speaking ransomware gang OldGremlin, which unusually targets Russian entities, is now using file-encrypting malware to target Linux machines.

That's according to the cybersecurity company Group-IB, which on Thursday published what it claims to be the first comprehensive report on the OldGremlin ransomware group, also referred to as TinyScouts.

Group-IB researchers say they have been monitoring OldGremlin and its tactics, techniques, and procedures (TTPs) ever since the first attacks attributed to the gang in March 2020.

This year, Group-IB discovered that OldGremlin targeted a Linux system using a Go variant of the TinyCrypt ransomware that the gang uses to encrypt Windows devices.

According to the researchers, the Linux version encrypts files with AES in CBC mode using a 256-bit key, much like its Windows equivalent.

The encrypted files, including those with the extensions .RAW, .CSV, .IMG, .ISO, .SQL, and .TAR, are appended with the .crypt extension.
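The two indicators above, a listed extension followed by a .crypt suffix and a file body that is AES-CBC output, are what an incident responder can check for on a Linux host. The script below is an added triage example written for this article; it is not Group-IB's tooling or code from the OldGremlin report. The extension list and the .crypt suffix come from the article; the entropy threshold, the bucket names and the sample files are assumptions constructed for the demo. A .crypt suffix alone is not unique to this family, so the script also separates files whose content is still plaintext (renamed, or a different tool) from those whose content looks like ciphertext.

```python
import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, List, Optional

# Extensions the article reports the Linux variant encrypts, matched case-insensitively.
TARGET_EXTS = {".raw", ".csv", ".img", ".iso", ".sql", ".tar"}
# Suffix the article reports is appended to encrypted files.
CRYPT_SUFFIX = ".crypt"
# Assumed threshold (not from the article): AES-CBC output is indistinguishable from
# random bytes, so its Shannon entropy approaches 8 bits/byte; text formats such as
# CSV and SQL dumps sit far below that.
ENTROPY_THRESHOLD = 7.5
SAMPLE_BYTES = 65536


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(path: Path) -> Optional[str]:
    """Bucket one file: None if it lacks the .crypt suffix, otherwise
    'encrypted'   (listed extension and random-looking content),
    'low_entropy' (listed extension but content is not random, e.g. only renamed),
    'other_ext'   (.crypt appended to an extension the report does not list)."""
    name = path.name.lower()
    if not name.endswith(CRYPT_SUFFIX):
        return None
    inner_ext = Path(name[: -len(CRYPT_SUFFIX)]).suffix
    if inner_ext not in TARGET_EXTS:
        return "other_ext"
    with path.open("rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    return "encrypted" if shannon_entropy(head) >= ENTROPY_THRESHOLD else "low_entropy"


def scan(root: Path) -> Dict[str, List[str]]:
    """Walk `root` and return relative paths of .crypt files grouped by bucket."""
    report: Dict[str, List[str]] = {"encrypted": [], "low_entropy": [], "other_ext": []}
    for path in root.rglob("*"):
        if path.is_file():
            bucket = classify(path)
            if bucket:
                report[bucket].append(path.relative_to(root).as_posix())
    for files in report.values():
        files.sort()
    return report


def pseudo_ciphertext(label: bytes, size: int) -> bytes:
    """Constructed stand-in for AES-CBC output: a SHA-256 counter stream. It is
    deterministic for the demo yet statistically random, which is all the
    entropy check looks at."""
    out = bytearray()
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(label + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:size])


def build_sample_tree() -> Path:
    """Create a constructed directory of sample files (assumed data for the demo)."""
    root = Path(tempfile.mkdtemp(prefix="oldgremlin-triage-"))
    (root / "db").mkdir()
    # Untouched plaintext: must not be reported.
    (root / "orders.csv").write_text("id,amount\n1,10.50\n2,7.25\n")
    # Listed extension plus random-looking body: what an encrypted file looks like.
    (root / "orders.csv.crypt").write_bytes(pseudo_ciphertext(b"orders", 8192))
    (root / "db" / "dump.sql.crypt").write_bytes(pseudo_ciphertext(b"dump", 8192))
    # Listed extension but still plaintext: renamed, not encrypted.
    (root / "db" / "backup.sql.crypt").write_text("INSERT INTO t VALUES (1);\n" * 200)
    # .crypt appended to an extension the report does not list.
    (root / "notes.txt.crypt").write_bytes(pseudo_ciphertext(b"notes", 8192))
    return root


if __name__ == "__main__":
    for bucket, files in scan(build_sample_tree()).items():
        print(f"{bucket}: {files}")
```

On a real host, point `scan()` at the mount points that hold the listed file types and treat the `encrypted` bucket as the scoping list for the incident; the `low_entropy` and `other_ext` buckets are worth a manual look, since they indicate either a different tool or an incomplete run. Only the first 64 KiB of each file is read, which keeps the sweep cheap on large .ISO and .IMG files.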

OldGremlin has targeted 16 businesses since March 2020, which is a relatively low number in comparison to some of the more widespread ransomware gangs.

However, the group seems to have been more ambitious in terms of ransom demands.

The highest ransom demand from Russian entities has come from OldGremlin; in 2021, their maximum ransom demand amounted to $4.2 million, while in 2022, it skyrocketed to $16.9 million.

The year 2020 was OldGremlin's most active year. That year, the gang carried out dozens of campaigns, using emails that appeared to come from microfinance businesses such as Edinstvo and MIR, as well as a metals and mining company, a factory owned by Belarus Tractor Works, a dental clinic, and many more.

In August 2020, Group-IB detected an attack against a medical lab. The attack began with a phishing email that allegedly came from RosBiznesConsulting (RBC), Russia's biggest media holding company.

The group ran a single but very successful campaign in 2021; the phishing emails in that campaign purported to come from an association of online retailers.

OldGremlin has run five campaigns so far this year, masquerading as tax and legal services, a payment system, an IT firm, and more.

Before deploying the ransomware, the gang spends an average of 49 days inside target networks, meaning that defenders have a chance to contain the attack if their detection and response are effective.

According to Group-IB, OldGremlin meticulously examines its victims. As a result, the requested ransom is often in line with the size and income of the organisation.

The group usually takes long breaks after each successful attack.

While OldGremlin presently prefers to target businesses located in Russia, Group-IB warns that the ransomware gang may expand its geographical reach and target entities located in other countries in future.

"OldGremlin has debunked the myth that ransomware groups are indifferent to Russian companies," says Ivan Pisarev, Head of Dynamic Malware Analysis Team at Group-IB.

"Despite the fact that OldGremlin has been focusing on Russia so far, they should not be underestimated elsewhere. Many Russian-speaking gangs started off by targeting companies in post-Soviet space and then switched to other geographies."