More Russian Organizations Feeling Ransomware Pain

Dharma, Crylock and Thanos Most Active, OldGremlin Most Greedy, Researchers Find
One of the cybersecurity realities of living in Russia has historically been not having to worry much about ransomware.
Russian cybercrime syndicates typically follow two rules for avoiding domestic jail time: Don't attack inside Russia or its neighboring allies, and do the occasional favor for the intelligence services.
Ransomware groups are no exception. To ensure that affiliates don't aim crypto-locking malware against Russian targets, operators typically design their malicious code to query if a system uses a Cyrillic keyboard or appears to be based in Russia. If so, the malware won't execute.
Helpful as that language exception has been to Russian organizations, it's not perfect - and it is increasingly not being honored, given findings from threat intelligence firm Group-IB that ransomware attacks on Russian businesses and government organizations have doubled over the last year. Culprits include Dharma, Crylock and Thanos.
Most Russian victims receive a demand for a ransom in exchange for the decryption of their data. The average demand in 2021 was $1.6 million, Group-IB reports. Unlike victims in other parts of the world, victims in Russia don't typically get extorted with a threat that stolen data will be published via a dedicated data leak site, it says.
OldGremlin Still at Work
One group actively targeting Russian organizations is OldGremlin, aka TinyScouts. Its origin is unknown, but its members are Russian speakers.
One thing besides its language that makes OldGremlin stand out is the high bar it sets for ransom payments. The group practices big game hunting, which is seeking large targets in pursuit of bigger ransom payoffs. "The average ransom demanded by OldGremlin amounts to $1.7 million, and the highest ransom to date reached $16.9 million," Group-IB says, adding that nearly 20 organizations are known to have received multimillion-dollar ransom demands from the group. It also takes a long break after conducting a successful attack.
In 2020, Group-IB tracked 10* campaigns run by the group in which it used spear-phishing emails claiming to have come from a variety of different organizations, including the Russian card payment system MIR, Moscow-based media group RosBiznesConsulting, legal offices and dental clinics. The phishing emails typically carry a loader designed to download backdoors, which in turn install additional malware on the system (see: Ransomware Danger: Russian-Speaking Gang Targets Russians).
In 2021, the group only ran a single known campaign, using Yandex email addresses, "impersonating an association of online retailers," which Group-IB says amassed a number of victims. This year, the gang has already been tied to five known campaigns.
Like other hands-on-keyboard ransomware groups - referring to attackers manually attempting to gain persistence inside a targeted network and escalate their privileges, after malware has given them an initial foothold - OldGremlin uses a variety of tools and tactics, including targeting known flaws in endpoint security software, stealing VPN certificates, and using the red-teaming software Cobalt Strike as well as legitimate remote-control software TeamViewer, Group-IB says (see: Block This Now: Cobalt Strike and Other Red-Team Tools).
Quality, Not Quantity?
Successful past ransomware operations, including GandCrab, REvil (aka Sodinokibi), LockBit and Conti, among others, have typically relied on high volumes of attacks, often perpetrated by affiliates, to maximize profits for as long as they can keep the operation running.
But attacks tied to OldGremlin appear to have peaked in 2020, although the operation remains active. What might account for the decline?
"In the early days of their career, they most likely attempted to break into as many organizations as they could, and naturally, most of their campaigns occurred in 2020," Ivan Pisarev, head of the dynamic malware analysis team at Group-IB, tells me.
"Once they obtained access, they had to explore and move further within the networks they were able to compromise," he says. "Probably, the gang didn't have enough members to move laterally within multiple networks at a time and they were busy throughout the whole of 2021 reaping the benefits of their 2020 phishing campaigns."
Or perhaps as the operators of OldGremlin gained experience, they opted to be more selective. "It is also possible that initially they were trying and testing the efficiency of different initial attack vectors," Pisarev says, "and at some point realized that spear-phishing is more effective than massive phishing campaigns with multiple recipients."
In other words, less can be more - especially for big game hunting, in which a few successful ransom payoffs can mean massive riches.
Of course, there's likely nothing keeping OldGremlin from expanding its horizons, especially if its operators decide that looking abroad might be a better "stay out of jail" strategy. "Despite the fact that OldGremlin has been focusing on Russia so far, they should not be underestimated," Pisarev says. "Many Russian-speaking gangs started off by targeting companies in the post-Soviet space and then switched to other geographies."
*Oct. 21, 2022 11:24 UTC: This story has been updated after Group-IB clarified that its reference to having tracked "dozens" of OldGremlin campaigns in 2020 was a typo, and should have referred instead to 10 campaigns that year.