Big Game Hunting comes to Big Country: Group-IB detects series of ransomware attacks by OldGremlin
https://www.group-ib.com/media-center/press-releases/oldgremlin/
Media Center → Press Releases
September 23, 2020 · 6 min to read
Managed XDR · OldGremlin
Oleg Skulkin, Threat Intelligence

Group-IB, a global threat hunting and intelligence company headquartered in Singapore, has detected a successful attack by a ransomware gang, codenamed OldGremlin. The Russian-speaking threat actors are relatively new to Big Game Hunting. Since March, the attackers have been trying to conduct multistage attacks on large corporate networks of medical labs, banks, manufacturers, and software developers in Russia. The operators use a suite of custom tools with the ultimate goal of encrypting files in the infected system and holding it for a ransom of about $50,000.

The first successful attack of OldGremlin known to the Group-IB team was detected in August. The Group-IB Threat Intelligence team has also collected evidence of earlier campaigns dating back to the spring of this year. The group has targeted only Russian companies so far, which was typical for many Russian-speaking adversaries, such as Silence and Cobalt, at the beginning of their criminal path. Using Russia as a testing ground, these groups then switched to other geographies to distance themselves from the police of the victim country and decrease the chances of ending up behind bars.

Unsought invoice

As the initial vector of their attacks, OldGremlin use spearphishing emails, to which the group took a creative approach. In particular, they used the names of real senders and, in one instance, sent out emails in several stages, making the victims think that they were arranging an interview with a journalist of a popular Russian business newspaper.
In other instances, the gang exploited the COVID-19 theme and anti-government rallies in Belarus in their phishing emails. The most recent successful attack known to the Group-IB Threat Intelligence team took place in August, when OldGremlin targeted a clinical diagnostics laboratory operating throughout the country. The analysis of the incident revealed that the ransomware attack started with a phishing email sent on behalf of Russia's major media holding company, with the subject «Invoice». In their email, OldGremlin informed the recipient of their inability to contact the victim's colleague, highlighting the urgency to pay the bill, the link to which was included in the text body. By clicking the link, the victim downloaded a ZIP archive that contained a unique custom backdoor, dubbed TinyNode. The backdoor downloads and installs additional malware on the infected machine. The cybercriminals then used the remote access to the victim's computer, obtained with the help of TinyNode, as a foothold for network reconnaissance, data gathering and lateral movement in the victim's network. As part of post-exploitation activities, OldGremlin used Cobalt Strike to move laterally and obtain the domain administrator's authentication data.

Several weeks after the attack's launch, the cybercriminals deleted server backups before encrypting the victim's network with the help of TinyCryptor ransomware (aka decr1pt), which is also OldGremlin's brainchild. When the work of the company's regional branches had been paralyzed, they demanded about $50,000 in cryptocurrency. As a contact email, the threat actors gave an address registered with ProtonMail.

Up-to-date phishing

Group-IB Threat Intelligence experts have also detected other phishing campaigns carried out by the group, the first of which occurred in late March to early April.
Back then, the group sent out emails to financial organizations from an address that mimicked that of a Russian microfinance organization, providing the recipients with guidelines on how to organize safe remote work during COVID-19. It was the first time OldGremlin used their other custom backdoor, TinyPosh, which allows the attackers to download additional modules from their C2. To hide their C&C server, OldGremlin resorted to Cloudflare Workers.

Two weeks after the above-mentioned malicious mailing, OldGremlin, keeping up with the urgent agenda, sent out emails with the subject «All-Russian study of the banking and financial sectors during the pandemic», purported to be from a real-life journalist with a major Russian media holding. The sender then asked for an online interview, scheduled it via Calendly and informed the recipients that the questions for the interview had been uploaded to a cloud platform. As was the case with their first campaigns, the link downloaded a custom TinyPosh Trojan.

Fig. 1. Phishing email sent on behalf of a Belarusian plant

Another round of phishing emails by OldGremlin was detected by CERT-GIB on August 19, when the group sent out messages exploiting the issue of protests in Belarus. The email, which claimed to be from the CEO of the Minsk Tractor Works plant, informed its partners that the enterprise was being probed by the country's prosecutor's office due to its participation in the anti-government protests and asked them to send missing documents. The list of the necessary documents was reportedly attached to the email; an attempt to download it, however, let TinyPosh into the user's computer. Between May and August, Group-IB detected nine campaigns conducted by the group.

Oleg Skulkin, Senior Digital Forensics Analyst:

What distinguishes OldGremlin from other Russian-speaking threat actors is their fearlessness to work in Russia.
This indicates that the attackers are either fine-tuning their techniques, benefiting from home advantage before going global, as was the case with Silence and Cobalt, or they are representatives of some of Russia's neighbors who have a strong command of Russian. Amid global tensions, cybercriminals have learned to navigate the political agenda, which gives us grounds to suggest that the attackers might come from some of the post-Soviet countries Russia has controversy or weak ties with.

Despite the vim shown by ransomware operators recently, there is still a number of measures that can be taken to fight off ransomware attacks. They include, among others, using multifactor authentication, using complex passwords for the accounts that access the network via RDP and changing them regularly, restricting the list of IP addresses that can be used to make external RDP connections, and so on. Relevant threat intelligence and a proactive approach to threat hunting are paramount in building resilient infrastructure. Implementing Group-IB Managed Extended Detection and Response (MXDR) allows hunting for advanced threats on both the network and host levels.