Ransomware groups go after a new target: Russian organizations

In many ransomware incidents, Russia-linked actors play the role of attacker rather than victim.

But in recent weeks, cyberattacks have crippled Russian companies and disrupted government agencies.

Late last month, a ransomware gang by the name of OldGremlin targeted Russian companies with two phishing campaigns, according to new research by cybersecurity firm Group-IB. OldGremlin “masquerad[ed] as representatives of a Russian financial organization,” warning their targets about new sanctions that would shut down Visa and Mastercard payment systems in the region.

The email carried a malicious file that installed a backdoor dubbed “TinyFluff,” an updated version of the gang’s earlier “TinyNode” backdoor, giving OldGremlin remote access to the system. Once the attackers are inside and have access to system data, the target receives a ransom note. Group-IB said one of the potential victims was a mining company.

Another prolific ransomware gang, called NB65, has been working to disrupt Russian operations, including an attack on the state-owned television and radio broadcasting network VGTRK, in which the group supposedly stole 900,000 emails and 4,000 files. The group’s most sophisticated recent attack happened in March, when it used the leaked source code of the Conti ransomware gang — a Russia-linked threat actor — to build unique ransomware for each Russian target.

And earlier in March, MalwareHunterTeam disclosed a sample of a new malware called ‘RURansom’, which does not operate as ransomware but rather as a wiper, destroying all encrypted files, according to the IT research firm TrendMicro. It is unclear who the specific targets of the malware are or will be, but the code does make the intention clear: “President Vladimir Putin declared war on Ukraine. To counter this, I, the creator of RU_Ransom, created this malware to harm Russia,” as translated by TrendMicro research.

Russia’s history of cyber espionage and hacking is extensive, making the country’s cyberintelligence force one of the most dangerous in the world. For years, Russia has executed numerous cyberattacks against organizations in the U.S., Ukraine, Estonia, Germany, Norway, and elsewhere, one of the first being “Moonlight Maze” in 1996, which infiltrated the systems of various U.S. government agencies and stole classified information.

Since then, Russia has fine-tuned its cyber espionage skills — using known cybercriminals and cybercriminal gangs as nation-state weapons. Absorbing some of the most dangerous hackers into the Russian Intelligence Agency (SVR) has allowed the Kremlin to control cyber operations teams and mobilize them quickly. Russia’s cyber threat, paired with the government’s current state of instability, has prompted cybersecurity leaders everywhere to issue warnings calling for organizations and businesses to revise their cyber defense protocols.


Emma Vail

Emma Vail is an editorial intern for The Record. She is currently studying anthropology and women, gender, and sexuality at Northeastern University. After creating her own blog in 2018, she decided to pursue journalism and further her experience by joining the team.