{
	"id": "24514797-9766-46e2-937e-957595f42da1",
	"created_at": "2026-04-06T00:06:12.817362Z",
	"updated_at": "2026-04-10T03:35:29.165274Z",
	"deleted_at": null,
	"sha1_hash": "bbb20decfbb6eed202a4e67be4cb4ce74d5ea035",
	"title": "Group-IB detects series of ransomware attacks by OldGremlin | Group-IB",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 111979,
	"plain_text": "Big Game Hunting comes to Big Country: Group-IB detects series of ransomware attacks by OldGremlin\r\nhttps://www.group-ib.com/media-center/press-releases/oldgremlin/\r\nPage 1 of 9\r\nMedia Center → Press Releases · September 23, 2020 · 6 min to read\r\nManaged XDR · OldGremlin · Oleg Skulkin · Threat Intelligence\r\n
Group-IB, a global threat hunting and intelligence company headquartered in Singapore, has detected a successful attack by a ransomware gang codenamed OldGremlin. The Russian-speaking threat actors are relatively new to Big Game Hunting. Since March, the attackers have been attempting multistage attacks on the large corporate networks of medical labs, banks, manufacturers, and software developers in Russia. The operators use a suite of custom tools with the ultimate goal of encrypting files in the infected system and holding them for a ransom of about $50,000.\r\n
The first successful OldGremlin attack known to the Group-IB team was detected in August. The Group-IB Threat Intelligence team has also collected evidence of earlier campaigns dating back to the spring of this year. So far the group has targeted only Russian companies, which was typical of many Russian-speaking adversaries, such as Silence and Cobalt, at the beginning of their criminal path. Using Russia as a testing ground, these groups then switched to other geographies to distance themselves from the victim country’s police and reduce their chances of ending up behind bars.\r\n
Unsought invoice\r\n
As the initial vector of their attacks, OldGremlin use spearphishing emails, to which the group has taken a creative approach. In particular, they used the names of real senders and, in one instance, sent out emails in several stages, making the victims think they were arranging an interview with a journalist from a popular Russian business newspaper. In other instances, the gang exploited the COVID-19 theme and the anti-government rallies in Belarus in their phishing emails.\r\n
The most recent successful attack known to the Group-IB Threat Intelligence team took place in August, when OldGremlin targeted a clinical diagnostics laboratory operating throughout the country. Analysis of the incident revealed that the ransomware attack started with a phishing email sent on behalf of a major Russian media holding company, with the subject «Invoice». In the email, OldGremlin told the recipient that they had been unable to contact the victim’s colleague and stressed the urgency of paying the bill, a link to which was included in the message body. By clicking the link, the victim downloaded a ZIP archive containing a unique custom backdoor, dubbed TinyNode. The backdoor downloads and installs additional malware on the infected machine. The cybercriminals then used the remote access to the victim’s computer obtained through TinyNode as a foothold for network reconnaissance, data gathering and lateral movement in the victim’s network. As part of their post-exploitation activity, OldGremlin used Cobalt Strike to move laterally and obtain domain administrator credentials.\r\n
Several weeks after the attack was launched, the cybercriminals deleted server backups before encrypting the victim’s network with TinyCryptor ransomware (aka decr1pt), which is also OldGremlin’s own creation. Once the work of the company’s regional branches had been paralyzed, they demanded about $50,000 in cryptocurrency. As a contact, the threat actors gave an email address registered with ProtonMail. The weeks between initial access and encryption, and the backup deletion that preceded it, are the window in which the intrusion could still have been caught by threat hunting.\r\n
Up-to-date phishing\r\n
Group-IB Threat Intelligence experts have also detected other phishing campaigns carried out by the group, the first of which occurred in late March to early April. At that time, the group sent emails to financial organizations from an address mimicking that of a Russian microfinance organization, offering the recipients guidelines on how to organize safe remote work during the COVID-19 pandemic. This was the first time OldGremlin used their other custom backdoor, TinyPosh, which allows the attackers to download additional modules from their C2. To hide their C\u0026C server, OldGremlin used Cloudflare Workers.\r\n
Two weeks after that mailing, OldGremlin, keeping up with the news agenda, sent out emails with the subject «All-Russian study of the banking and financial sectors during the pandemic», purporting to be from a real journalist at a major Russian media holding. The sender asked for an online interview, proposed scheduling it via Calendly, and informed the recipients that the questions for the interview had been uploaded to a cloud platform. As with their first campaigns, the link downloaded the custom TinyPosh Trojan.\r\n
Fig. 1 Phishing email sent on behalf of a Belarusian plant\r\n
Another round of OldGremlin phishing emails was detected by CERT-GIB on August 19, when the group sent messages exploiting the protests in Belarus. The email, which claimed to be from the CEO of the Minsk Tractor Works plant, informed its partners that the enterprise was being investigated by the country’s prosecutor’s office over its participation in the anti-government protests and asked them to send missing documents. The list of required documents was supposedly attached to the email; attempting to download it, however, let TinyPosh into the user’s computer. Between May and August, Group-IB detected nine campaigns conducted by the group.\r\n
Oleg Skulkin, Senior Digital Forensics Analyst:\r\n«What distinguishes OldGremlin from other Russian-speaking threat actors is their fearlessness to work in Russia. This indicates that the attackers are either fine-tuning their techniques, benefiting from home advantage before going global, as was the case with Silence and Cobalt, or they are representatives of some of Russia’s neighbors who have a strong command of Russian. Amid global tensions, cybercriminals have learned to navigate the political agenda, which gives us grounds to suggest that the attackers might come from some of the post-Soviet countries Russia has controversy or weak ties with.»\r\n
Despite the vigor shown by ransomware operators recently, there are still a number of measures that can be taken to fight off ransomware attacks. They include, among others, using multifactor authentication, using complex passwords for the accounts used for access via RDP and changing them regularly, and restricting the list of IP addresses that can be used to make external RDP connections. These measures harden remote access; the initial vector described above was a phishing email with a link to a ZIP archive, so they complement rather than replace email and endpoint controls. Relevant threat intelligence and a proactive approach to threat hunting are paramount in building resilient infrastructure. Implementing Group-IB Managed Extended Detection and Response (MXDR) allows hunting for advanced threats at both the network and host levels.\r\n
About Group-IB\r\n
Founded in 2003 and headquartered in Singapore, Group-IB is a leading creator of cybersecurity technologies to investigate, prevent, and fight digital crime. Combating cybercrime is in the company’s DNA, shaping its technological capabilities to defend businesses and citizens and to support law enforcement operations.\r\n
Group-IB’s Digital Crime Resistance Centers (DCRCs) are located in the Middle East, Europe, Central Asia, and Asia-Pacific to help critically analyze and promptly mitigate regional and country-specific threats. These mission-critical units help Group-IB strengthen its contribution to global cybercrime prevention and continually expand its threat-hunting capabilities.\r\n
Group-IB’s decentralized and autonomous operational structure helps it offer tailored, comprehensive support services with a high level of expertise. We map and mitigate adversaries’ tactics in each region, delivering customized cybersecurity solutions tailored to the risk profiles and requirements of various industries, including retail, healthcare, gambling, financial services, manufacturing, crypto, and more.\r\n
The company’s global security leaders work in synergy with some of the industry’s most advanced technologies to offer detection and response capabilities that eliminate cyber disruptions agilely. Group-IB’s Unified Risk Platform (URP) underpins its conviction to build a secure and trusted cyber environment by utilizing intelligence-driven technology and agile expertise that detects and defends against all nuances of digital crime. The platform proactively protects organizations’ critical infrastructure from sophisticated attacks while continuously analyzing potentially dangerous behavior all over their network.\r\n
The comprehensive suite includes the world’s most trusted Threat Intelligence, the most complete Fraud Protection, AI-powered Digital Risk Protection, multi-layered protection with Managed Extended Detection and Response (XDR), all-infrastructure Business Email Protection, and External Attack Surface Management.\r\n
Furthermore, Group-IB’s full-cycle incident response and investigation capabilities have consistently elevated industry standards. This includes the 77,000+ hours of cybersecurity incident response completed by our sector-leading DFIR Laboratory, more than 1,400 successful investigations completed by the High-Tech Crime Investigations Department, and the round-the-clock efforts of CERT-GIB.\r\n
Time and again, its solutions and services have been recognized by leading advisory and analyst agencies such as Aite Novarica, Gartner®, Forrester, Frost \u0026 Sullivan, KuppingerCole Analysts AG, and more.\r\n
Being an active partner in global investigations, Group-IB collaborates with international law enforcement organizations such as INTERPOL, EUROPOL and AFRIPOL to create a safer cyberspace. Group-IB is also a member of the Europol European Cybercrime Centre’s (EC3) Advisory Group on Internet Security, which was created to foster closer cooperation between Europol and its leading non-law enforcement partners.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.group-ib.com/media-center/press-releases/oldgremlin/"
	],
	"report_names": [
		"oldgremlin"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a060d952-fc4b-44df-bd0e-ee3606e79f83",
			"created_at": "2022-10-25T16:07:23.920646Z",
			"updated_at": "2026-04-10T02:00:04.790469Z",
			"deleted_at": null,
			"main_name": "OldGremlin",
			"aliases": [],
			"source_name": "ETDA:OldGremlin",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"TinyCryptor",
				"TinyNode",
				"TinyPosh",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e35c1877-f6a5-4e47-8464-ddc943e3b320",
			"created_at": "2023-11-21T02:00:07.390198Z",
			"updated_at": "2026-04-10T02:00:03.476348Z",
			"deleted_at": null,
			"main_name": "OldGremlin",
			"aliases": [],
			"source_name": "MISPGALAXY:OldGremlin",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433972,
	"ts_updated_at": 1775792129,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bbb20decfbb6eed202a4e67be4cb4ce74d5ea035.pdf",
		"text": "https://archive.orkl.eu/bbb20decfbb6eed202a4e67be4cb4ce74d5ea035.txt",
		"img": "https://archive.orkl.eu/bbb20decfbb6eed202a4e67be4cb4ce74d5ea035.jpg"
	}
}