Group-IB's threat intelligence collection system has identified a new attack by the OldGremlin group against a healthcare company in Russia. The attackers gained access to the company's entire network and encrypted it. The ransom demand is $50,000.
OldGremlin is a group of Russian-speaking attackers who target only Russian organizations. Their victims include companies in the financial, industrial, medical and software sectors.
According to Group-IB, since the second quarter of this year the group has carried out at least nine email campaigns impersonating the self-regulatory organization Microfinance and Development, an industrial and metallurgical holding, the Minsk Tractor Plant, RBC and other well-known companies.
Group-IB Threat Intelligence specialists investigated the incident, and in August details of the successful OldGremlin attack became known. The victim was a large medical company with a network of regional branches.
Details of the OldGremlin attack
The attack began with phishing emails sent under the guise of the RBC media holding. The custom-built TinyNode backdoor acted as a loader, allowing the attackers to download and run the rest of their tooling. That tooling gave them remote access to the infected PC, which they used for reconnaissance and data gathering and as the foothold for subsequent lateral movement through the network.
After 2-3 weeks, having gained full control of the network, OldGremlin deleted the backup copies from the servers so that the medical company would not be able to roll back and restore normal operation. Then, on a weekend, the TinyCryptor ransomware was rolled out across the entire organization's network within a couple of hours, encrypting data on the workstations.
The result was predictable: the work of every department in the organization stopped. The criminals demanded $50,000 from the company to resume normal operations, payable, naturally, to a cryptocurrency wallet.
Who are OldGremlin?
OldGremlin is unusual in that it is a Russian-speaking group that runs structured, well-planned attacks on banks and companies in the Russian Federation, using sophisticated tactics and techniques for intrusion and data encryption, in defiance of the unwritten rule "don't work in RU" (don't attack Russian targets).
By analogy with groups that "work" against foreign targets, OldGremlin falls under the heading "Big Game Hunting", which covers ransomware operators going after large payouts.
The group's main tool was phishing email, but the approach to each victim company differed fundamentally:
- In early April, they started using the COVID-19 theme;
- Then they produced high-quality forgeries of mailings from organizations everyone knows;
- Since the end of August, they have used a new lure, the "Belarusian protests", and have already sent mailings on behalf of OJSC MTZ (Minsk Tractor Plant).
Fortunately, many of the malicious emails were caught by Group-IB's Threat Detection System (TDS).
Rustam Mirkasymov, Head of Threat Research at Group-IB in Europe, commented:
Since there is no established channel of communication between the companies fighting cybercriminals, and political tensions in the world contribute as well, this shows up in the formation of criminal organizations that are capable of carrying out fraudulent activity and feel comfortable and safe doing so. Such attacks are also made possible by the lack of protective measures in businesses for the timely detection and removal of malware.