Security researchers have detected a dangerous and widespread attack campaign against companies in Russia; the hacking group behind it is known as OldGremlin. The targets are prominent companies in different sectors, and the hackers appear to be using several ransomware families and related malware as their weapons of choice.
Russian Companies Targeted By Ransomware Campaign Orchestrated by OldGremlin Hacking Group
Russian companies have become the target of a new and devastating wave of ransomware attacks. The news comes from several reports indicating that the intrusions are related and have been attributed to a single hacking group. It is called OldGremlin, and it is believed to be run by a very experienced collective. The target companies come from essential sectors of the economy: financial institutions (including banks), manufacturing, software developers, and medical laboratories.
The first attacks have been traced back to March this year. According to the available information, there have been several campaigns; the first successful intrusion took place on August 11 against a clinical laboratory. This shows that the hackers are continuously monitoring and updating their strategy to find a weakness. One speculation is that the criminals use Russian targets as a test before switching to another country. The hackers appear to be using a sophisticated attack method involving multiple malware components. The main goal is to deliver complex ransomware to the targeted companies’ internal networks. It encrypts the target users’ data, after which the victims are extorted for a decryption payment.
OldGremlin Hacking Group and Their Infiltration Tactics
The mechanism used by the hackers is not the simple brute-force approach with automated malware deployment that is commonly observed with most criminal groups. Instead, the group uses custom-designed Trojans which are programmed to deliver additional payloads to the target computers. Two of the detected ones are TinyNode and TinyPosh.
One of the first mechanisms used to intrude into a given network is a phishing email message that poses as an invoice sent by the RBC Group, one of the major media groups in Russia. Depending on the attack campaign, the message contents may change so that the recipients are tricked into believing it comes from a financial institution, a partner company, a dental clinic, a customer, etc. One of the widespread campaigns made use of COVID-19 themed messages, which proved to be a very effective mechanism for delivering malware.
The messages contain either a link or an attached file that delivers the Trojans mentioned above. These execute their built-in sequences; in the end, the local client agent establishes a secure connection to the hacker-controlled servers. This persistent connection allows the criminals to take over control of the machines, spy on the victims, and install the ransomware.
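The delivery chain described above (a lure email posing as an invoice or a COVID-19 notice from a trusted sender, carrying a link or an attachment) is the point at which a mail gateway can intervene. The following Python script is an added example, not code from the original article or from any vendor named in it: it triages inbound mail on exactly the traits the text mentions. The brand-to-legitimate-domain mapping, the lure vocabulary, the risky attachment extensions, the scoring thresholds and the three sample messages are all assumptions constructed for illustration, not real OldGremlin artifacts.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Assumption: brands that attackers impersonate in the display name, mapped to
# the domains that may legitimately send on their behalf (illustrative values).
KNOWN_BRANDS = {"rbc": {"rbc.ru"}}
# Assumption: vocabulary typical of invoice / pandemic lures.
LURE_TERMS = ("invoice", "payment", "overdue", "covid")
# Assumption: attachment types that should never arrive from outside unvetted.
RISKY_EXTENSIONS = (".js", ".vbs", ".exe", ".lnk", ".hta", ".scr", ".docm", ".xlsm")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

# Constructed sample messages (not real campaign mail), minimal RFC 5322 text.
SAMPLE_MESSAGES = [
    # 1. Display name claims a known brand, sender domain differs, invoice lure,
    #    script attachment: the pattern the article describes.
    """From: "RBC Group Billing" <billing@rbc-invoices.example>
To: finance@victim.example
Subject: Invoice #4471 payable today
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached invoice.
--b1
Content-Type: application/octet-stream; name="invoice_4471.js"
Content-Disposition: attachment; filename="invoice_4471.js"

dmFyIHg9MTs=
--b1--
""",
    # 2. COVID-19 themed notice from a "partner clinic" with an off-domain link.
    """From: "Clinic Partner Notice" <notice@dental-partner.example>
To: staff@victim.example
Subject: COVID-19 safety update for partner clinics

Updated rules: http://update-portal.example/covid/rules
""",
    # 3. Benign internal message with an in-domain link.
    """From: "Ivan Petrov" <ivan.petrov@victim.example>
To: team@victim.example
Subject: Meeting notes

Notes are at https://victim.example/wiki/notes
""",
]


def _host_of(url: str) -> str:
    return re.sub(r"^https?://", "", url, flags=re.I).split("/")[0].lower()


def triage(raw: str) -> dict:
    """Return a verdict and the list of findings for one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []

    # 1. Display-name brand impersonation: the name claims a brand but the
    #    envelope domain is not one the brand actually sends from.
    for brand, legit in KNOWN_BRANDS.items():
        if brand in display.lower() and domain not in legit:
            findings.append(f"display name claims '{brand}' but sender domain is '{domain}'")

    # 2. Lure vocabulary in the subject line.
    subject = (msg.get("Subject") or "").lower()
    if any(term in subject for term in LURE_TERMS):
        findings.append("lure keyword in subject")

    # 3. Attachments with script or executable extensions.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment: {name}")

    # 4. Links whose host is outside the sender's own domain.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    for url in URL_RE.findall(text):
        host = _host_of(url)
        if domain and host != domain and not host.endswith("." + domain):
            findings.append(f"link to external host: {host}")

    # Assumption: simple additive scoring; tune thresholds to local mail volume.
    if len(findings) >= 3:
        verdict = "quarantine"
    elif findings:
        verdict = "review"
    else:
        verdict = "deliver"
    return {"verdict": verdict, "findings": findings}


def triage_all(messages=SAMPLE_MESSAGES) -> list:
    return [triage(m)["verdict"] for m in messages]


if __name__ == "__main__":
    for raw in SAMPLE_MESSAGES:
        result = triage(raw)
        print(result["verdict"], "-", "; ".join(result["findings"]) or "no findings")
```

Each of the four checks on its own is noisy (partners do send invoices, and external links are normal), which is why the script only quarantines when several indicators coincide; a single hit is routed to a reviewer instead of being dropped. In a real gateway the display-name check would be backed by SPF/DKIM/DMARC results rather than a hand-written brand table.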
The attacks by the hacking group continue with different campaigns and attack models. The hackers’ behaviour clearly shows that they will continue their efforts and attempt to intrude into other networks as well.