OldGremlin Hacker Group Expanded Toolkit With Dedicated Linux Ransomware

It appears that 16 malicious campaigns have been carried out by a Russian-speaking ransomware group called OldGremlin (aka TinyScouts). 

A combination of these campaigns was launched by the operators over the course of two and a half years targeting the organizations that are operating within the transcontinental Eurasian nation.

The cybersecurity analysts at Group-IB affirmed that there are very few cybercrime groups that are directly driven by financial motivations like OldGremlin, which in particular attacks Russian companies as a first priority.

It has been confirmed that members of the group are using self-made malware to carry out their malicious attacks and have been operating this gang illegally since March 2020.

Also Read: Ransomware Attack Response and Mitigation Checklist

Victims

It is clear that the group has a broad range of victims, which includes companies in a number of sectors, including:-

• Banks
• Logistics
• Manufacturing companies
• Insurance firms
• Retailers
• Real estate developers
• Software companies

It was reported by Group-IB to GBHackers that OldGremlin conducted five malicious campaigns in 2022 under the guise of the following entities:-

• Tax & legal services companies
• Payment systems
• IT companies

The OldGremlin ransomware group runs only a few campaigns per year, but, they demand millions of dollars in ransom for hefty financial gain.

A phishing email campaign was carried out by this group in 2020, followed by another excellent attack in 2021 in the form of a highly successful phishing email campaign. During 2022, the group launched five more ransom schemes, reaching a record amount of $16.9 million in ransom demands.

In order to study their victims thoroughly, OldGremlin conducts extensive research and analysis. Therefore, average ransoms are proportional to the size of the company and how much revenue they generate.

Dedicated Linux Ransomware

The operators of the OldGremlin gang used a Go variant of the TinyCrypt ransomware group to target and encrypt the Linux systems.

While TinyCrypt used it to target the systems running Windows operating system. There is no difference between the Linux variant and its Windows counterpart in terms of functionality. 

To encrypt files with the Linux variant, a 256-bit key is used together with the CBC block cipher mode that is encrypted using the RSA-2048 asymmetric cryptosystem to generate an encrypted key using the AES algorithm.

In order to keep abreast of the latest cybersecurity trends, the threat actor keeps up with the latest technology.

As a result, the newly developed methods were also effectively combined with tried-and-tested penetration tools like Cobalt Strikes to achieve their goals.

Using the Ultimate Packer (UPX) program, the malware executable is wrapped inside a shell script and the files that are encrypted are appended with the .crypt extension.

Group-IB identified exploitation of Cisco AnyConnect vulnerabilities as one of the methods used by attackers to escalate privileges. OldGremlin developed several Tiny frameworks that allow attacks to be conducted more easily.

In an average scenario, a ransomware attack takes place 49 days after the attackers gain access to the victim’s network.

There are a variety of tools that the group has developed for its own use, including:-

• TinyCrypt ransomware
• Credential extractors
• Malicious LNK files
• TinyPosh
• TinyNode
• TinyFluff
• TinyShell
• Reconnaissance tool
• AV bypassing tool
• Isolation tool

The list of tools clearly depicts how highly skilled the OldGremlin threat actors are. Apart from this, the attackers plan their attack in such a complicated way that their victims are left with no choice, instead paying the ransom demanded.

Managed DDoS Attack Protection for Applications – Download Free Guide