October 3, 2023

A Russian-speaking ransomware group called OldGremlin involved in numerous campaigns targeting the organization that are operating in Eurasian nation.

There are very few cybercrime groups that are directly driven by financial motivations like OldGremlin, which in particular attacks Russian companies.


The members of the group are using self-made malware to carry out their malicious attacks and have been operating this gang illegally since March 2020.

The group has a broad range of victims, which includes companies in a number of sectors, including:-

  • Banks
  • Logistics
  • Manufacturing companies
  • Insurance firms
  • Retailers
  • Real estate developers
  • Software companies

The OldGremlin ransomware group runs only a few campaigns per year, but, they demand millions of dollars in ransom for hefty financial gain.

The operators of the OldGremlin gang used a Go variant of the TinyCrypt ransomware group to target and encrypt the Linux systems.

TinyCrypt used it to target the systems running Windows operating system. There is no difference between the Linux variant and its Windows counterpart in terms of functionality.

To encrypt files with the Linux varianta 256-bit key is used together with the CBC block cipher mode that is encrypted using the RSA-2048 asymmetric cryptosystem to generate an encrypted key using the AES algorithm.


The newly developed methods were also effectively combined with tried-and-tested penetration tools like Cobalt Strikes to achieve their goals.

Using the Ultimate Packer (UPX) program, the malware executable is wrapped inside a shell script and the files that are encrypted are appended with the .crypt extension.

Researchers identified exploitation of Cisco AnyConnect vulnerabilities as one of the methods used by attackers to escalate privileges. OldGremlin developed several Tiny frameworks that allow attacks to be conducted more easily.


There are a variety of tools that the group has developed for its own use, including:-

  • TinyCrypt ransomware
  • Credential extractors
  • Malicious LNK files
  • TinyPosh
  • TinyNode
  • TinyFluff
  • TinyShell
  • Reconnaissance tool
  • AV bypassing tool
  • Isolation tool

The list of tools clearly depicts how highly skilled the OldGremlin threat actors are. The attackers plan their attack in such a complicated way that their victims are left with no choice, instead paying the ransom demanded.

This research was documented by researchers from Group-IB.

Leave a Reply

%d bloggers like this: