Hackers masquerading as RBC demanded $50,000 in cryptocurrency

A major medical company in Russia was targeted by the criminal group OldGremlin. The attackers demanded $50,000 in cryptocurrency for decrypting the corporate network’s data. This was reported by Group-IB specialists.

The Trojan entered the company’s network through a phishing email allegedly written by a journalist from the RBC media holding.

“The attackers used a self-written backdoor, TinyNode, which allows downloading and launching malicious programs. With its help, the attackers gained remote access to the infected victim’s computer, through which they continued to move laterally through the organization’s network,” said Group-IB.

Several weeks later, the attackers deleted the organization’s backups to make data restoration impossible. From the same server, they deployed the TinyCryptor ransomware to hundreds of computers across the corporate network and demanded a ransom in cryptocurrency.

“In the cybercriminal milieu, there is an unwritten ban on working with Russian companies, but OldGremlin, consisting of Russian-speaking hackers, is actively attacking exactly them — banks, industrial enterprises, medical organizations and software developers,” the specialists noted.

The first OldGremlin attack was recorded in late March to early April 2020. According to Group-IB experts, since spring 2020 OldGremlin has conducted at least nine campaigns sending malicious emails purportedly on behalf of the Microfinance Union ‘MiR’, a Russian metallurgical holding, ‘Minsk Tractor Works’, a dental clinic, the RBC media holding, and others.

Earlier ForkLog reported that the operators of the Bitcoin ransomware LockBit published stolen data of U.S. residents.