{
	"id": "9527ee3c-0053-48fd-9da7-6cefc3d77984",
	"created_at": "2026-04-06T00:22:29.423896Z",
	"updated_at": "2026-04-12T02:22:34.701484Z",
	"deleted_at": null,
	"sha1_hash": "4986abc156e7e871d9102b2c761f27cdd640320a",
	"title": "Gremlins’ prey, secrets, and dirty tricks: the ransomware gang OldGremlin set new records | Group-IB",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 109496,
	"plain_text": "Gremlins’ prey, secrets, and dirty tricks: the ransomware gang OldGremlin set new records\r\nMedia Center → Press Releases · October 20, 2022\r\nOldGremlin Phishing Ransomware Scam\r\nhttps://www.group-ib.com/media-center/press-releases/oldgremlin-2022/\r\n\r\nGroup-IB, one of the global leaders in cybersecurity, headquartered in Singapore, released its first threat report detailing the operations of the Russian-speaking ransomware group OldGremlin: “OldGremlin Ransomware. Never ever feed them after the Locknight”. According to Group-IB, in just two and a half years the “Gremlins” carried out 16 malicious campaigns. OldGremlin remains one of the very few ransomware gangs targeting Russian companies; however, their growing ambitions may push them to explore new geographies in the future. For the second year in a row, OldGremlin demanded the highest ransom from Russian organizations: in 2021 their largest ransom demand amounted to $4.2 million, while in 2022 it soared to $16.9 million.\r\nAs usual, Group-IB’s report provides access to a set of data and detailed information about the current tactics, techniques, and procedures (TTPs) used by the attackers, which are described using MITRE ATT\u0026CK®. The information provided will benefit organizations that fight cybercrime, especially heads of information security teams, SOC analysts, incident responders, and potential victims, who can use it to protect their infrastructure from OldGremlin.\r\n\r\nDo not feed the Gremlins\r\nCompared to other world regions, the post-Soviet space long remained a safe harbor, since ransomware groups primarily focused on North America, Europe, Asia Pacific, and other locations. But this paradigm began to shift. According to Group-IB, last year the number of ransomware attacks on Russian businesses increased by more than 200%. Among the most notorious ransomware gangs targeting this region was a group called OldGremlin.\r\nOldGremlin (also known as TinyScouts) was uncovered by Group-IB’s Threat Intelligence team in March 2020 and was described in detail in September 2020 in the blog post “OldGremlin: secrets, and dirty tricks”. According to Group-IB, in two and a half years OldGremlin carried out a total of 16 malicious email campaigns.\r\nOldGremlin was most active in 2020. That year, the gang carried out ten campaigns, with emails purporting to be from microfinance companies, a metals and mining company, a tractor manufacturer, and a business media holding. In 2021, the group carried out a single but highly successful campaign, in which the threat actor impersonated an association of online retailers. In 2022, OldGremlin carried out five campaigns masquerading as tax and legal services companies, a payment system, an IT company, and more.\r\nThe group’s victim list includes banks, logistics and manufacturing companies, insurance firms, retailers, real estate developers, and software companies. In 2020, the group even targeted an arms manufacturer.\r\nAccording to Group-IB, the average ransom demanded by OldGremlin amounts to $1.7 million, and the highest ransom to date reached $16.9 million. Unlike other ransomware operators involved in Big Game Hunting, OldGremlin tends to take long breaks after successful attacks.\r\n\r\nThe craft of phishing\r\nLike most ransomware groups, OldGremlin used phishing emails to gain initial access. The use of trending news topics (Covid-19, remote work, sanctions) together with well-crafted emails disguised as interview requests, commercial proposals, and financial documents helped the threat actors trick recipients into clicking on links and downloading malicious files. Due to the massive scale of their email campaigns, the gang was able to compromise several workstations at once, which facilitated lateral movement within the victim’s network.\r\nAlthough OldGremlin mainly targets corporate Windows-based networks, the group’s most recent attacks show that their arsenal includes dedicated ransomware for Linux. The threat actor is up to date on the latest trends in cybersecurity and successfully combines new methods with tried-and-tested tools such as Cobalt Strike and open-source frameworks (e.g., PowerSploit). One of the privilege escalation methods identified by Group-IB was the exploitation of Cisco AnyConnect vulnerabilities. To facilitate attacks, OldGremlin developed an entire Tiny framework and then improved it with each new campaign.\r\nOn average, the attackers spend 49 days in the victim’s network before deploying ransomware. This means that, in addition to reactive methods for detecting traces of OldGremlin, proactive methods that prevent the network from being infected by ransomware through email and other channels are also relevant.\r\nThe new report takes a deep dive into all 16 campaigns carried out by the group and includes the first description of OldGremlin’s entire kill chain, from gaining initial access to encrypting data and demanding ransoms.\r\n“OldGremlin has debunked the myth that ransomware groups are indifferent to Russian companies. According to our data, the gang’s track record includes almost twenty attacks with multi-million ransom demands, with large companies becoming their preferred targets more often,” says Ivan Pisarev, Head of Dynamic Malware Analysis Team at Group-IB. “Despite the fact that OldGremlin has been focusing on Russia so far, they should not be underestimated elsewhere. Many Russian-speaking gangs started off by targeting companies in the post-Soviet space and then switched to other geographies. By publishing the first threat report about OldGremlin we want to help security professionals better track OldGremlin and eliminate the risks of incidents involving the gang.”\r\n\r\nAbout Group-IB\r\nFounded in 2003 and headquartered in Singapore, Group-IB is a leading creator of cybersecurity technologies to investigate, prevent, and fight digital crime. Combating cybercrime is in the company’s DNA, shaping its technological capabilities to defend businesses and citizens and to support law enforcement operations.\r\nGroup-IB’s Digital Crime Resistance Centers (DCRCs) are located in the Middle East, Europe, Central Asia, and Asia-Pacific to help critically analyze and promptly mitigate regional and country-specific threats. These mission-critical units help Group-IB strengthen its contribution to global cybercrime prevention and continually expand its threat-hunting capabilities.\r\nGroup-IB’s decentralized and autonomous operational structure helps it offer tailored, comprehensive support services with a high level of expertise. We map and mitigate adversaries’ tactics in each region, delivering customized cybersecurity solutions tailored to the risk profiles and requirements of various industries, including retail, healthcare, gambling, financial services, manufacturing, crypto, and more.\r\nThe company’s global security leaders work in synergy with some of the industry’s most advanced technologies to offer detection and response capabilities that eliminate cyber disruptions agilely.\r\nGroup-IB’s Unified Risk Platform (URP) underpins its conviction to build a secure and trusted cyber environment by utilizing intelligence-driven technology and agile expertise that completely detects and defends against all nuances of digital crime. The platform proactively protects organizations’ critical infrastructure from sophisticated attacks while continuously analyzing potentially dangerous behavior all over their network.\r\nThe comprehensive suite includes the world’s most trusted Threat Intelligence, the most complete Fraud Protection, AI-powered Digital Risk Protection, multi-layered protection with Managed Extended Detection and Response (XDR), all-infrastructure Business Email Protection, and External Attack Surface Management.\r\nFurthermore, Group-IB’s full-cycle incident response and investigation capabilities have consistently elevated industry standards. This includes the 77,000+ hours of cybersecurity incident response completed by our sector-leading DFIR Laboratory, more than 1,400 successful investigations completed by the High-Tech Crime Investigations Department, and the round-the-clock efforts of CERT-GIB.\r\nTime and again, its solutions and services have been recognized by leading advisory and analyst agencies such as Aite Novarica, Gartner®, Forrester, Frost \u0026 Sullivan, KuppingerCole Analysts AG, and more.\r\nBeing an active partner in global investigations, Group-IB collaborates with international law enforcement organizations such as INTERPOL, EUROPOL and AFRIPOL to create a safer cyberspace. Group-IB is also a member of the Europol European Cybercrime Centre’s (EC3) Advisory Group on Internet Security, which was created to foster closer cooperation between Europol and its leading non-law enforcement partners.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.group-ib.com/media-center/press-releases/oldgremlin-2022/"
	],
	"report_names": [
		"oldgremlin-2022"
	],
	"threat_actors": [
		{
			"id": "a060d952-fc4b-44df-bd0e-ee3606e79f83",
			"created_at": "2022-10-25T16:07:23.920646Z",
			"updated_at": "2026-04-12T02:00:04.753495Z",
			"deleted_at": null,
			"main_name": "OldGremlin",
			"aliases": [],
			"source_name": "ETDA:OldGremlin",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"TinyCryptor",
				"TinyNode",
				"TinyPosh",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-12T02:00:04.841451Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e35c1877-f6a5-4e47-8464-ddc943e3b320",
			"created_at": "2023-11-21T02:00:07.390198Z",
			"updated_at": "2026-04-12T02:00:03.558078Z",
			"deleted_at": null,
			"main_name": "OldGremlin",
			"aliases": [],
			"source_name": "MISPGALAXY:OldGremlin",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434949,
	"ts_updated_at": 1775960554,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4986abc156e7e871d9102b2c761f27cdd640320a.pdf",
		"text": "https://archive.orkl.eu/4986abc156e7e871d9102b2c761f27cdd640320a.txt",
		"img": "https://archive.orkl.eu/4986abc156e7e871d9102b2c761f27cdd640320a.jpg"
	}
}