- Aug 17, 2014
A new ransomware group has been targeting large corporate networks using self-made backdoors and file-encrypting malware for the initial and final stages of the attack.
Researchers are tracking the gang using the codename OldGremlin. Their campaigns appear to have started in late March and have not expanded globally, yet.
Attacks attributed to this group have been identified only in Russia but there is a strong suspicion that OldGremlin is currently operating at smaller scale to fine-tune their tools and techniques before going global.
OldGremlin is using custom backdoors (TinyPosh and TinyNode) and ransomware (TinyCrypt, a.k.a decr1pt) along with third-party software for reconnaissance and lateral movement (Cobalt Strike, command line screenshot, NirSoft’s Mail PassView for email password recovery).
The gang is not picky about victims as long they are prominent businesses in Russia (medical labs, banks, manufacturers, software developers), indicating that it’s composed of Russian-speaking members.
The threat actor starts its attacks with spear phishing emails that deliver custom tools for initial access. They use valid names for the sender address, impersonating well-known individuals.
Researchers at Singapore-based cybersecurity company Group-IB says that in one attack against a bank OldGremlin sent out an email under the pretense of setting up an interview with a journalist at a popular business newspaper. [...]