Ransomware groups go after a new target: Russian organizations

In many ransomware incidents, Russia-linked actors often play the role of attacker rather than the victim.

But in recent weeks, cyberattacks have crippled Russian companies and disrupted government agencies.

Late last month, a ransomware gang by the name of OldGremlin targeted Russian companies with two phishing campaigns, according to new research by cybersecurity firm Group-IB. OldGremlin “masquerad[ed] as representatives of a Russian financial organization,” warning their targets about new sanctions that would shut down Visa and Mastercard payment systems in the region.

The email then granted OldGremlin remote entry into the system through a malicious file using a backdoor dubbed “TinyFluff” which the gang updated from a previous backdoor called “TinyNode.” Once the attacker is in the system and has access to system data, the target receives a ransom note. Group-IB said one of the potential victims was a mining company.

Another prolific ransomware gang called NB65 has been working to thwart Russian operations including the attack on the state-owned television and radio broadcasting network, VGTRK in which they supposedly stole 900,000 emails and 4,000 files. The group’s most sophisticated and recent attack happened in March when they used the leaked source code from the Conti Ransomware gang — a Russia-linked threat actor — to make unique ransomware for each Russian target. 

SSK Gazregion LLC is going to have a rough Sunday.

We suggest you check your machines. They're struggling.

And what kind of chincy ass soviet connection are you guys using? You know how long it took us to exfil?!?

Fuck Vladimir Putin. Fuck the Russian Military. pic.twitter.com/BZDMPb0JxN

— NB65 (@xxNB65) April 3, 2022

And earlier in March, MalwareHunterTeam disclosed a sample of a new malware called ‘RURansom’ which does not operate as ransomware, but rather as a wiper destroying all encrypted files, according to the IT research firm TrendMicro. It is unclear who the specific targets of the malware are or will be, but the code does make clear the intention: “President Vladimir Putin declared war on Ukraine. To counter this, I, the creator of RU_Ransom, created this malware to harm Russia,” as translated by TrendMicro research. 

Russia’s history of cyber espionage and hacking is extensive, making the country’s cyberintelligence force one of the most dangerous in the world. For years, Russia has executed numerous cyberattacks against organizations from the U.S., Ukraine, Estonia, Germany, Norway, and elsewhere. — one of the first being “Moonlight Maze” in 1996, which infiltrated the systems of various U.S. government agencies and stole classified information.

Since then, Russia has fine-tuned its cyber espionage skills — using known cybercriminals and cybercriminal gangs as nation-state weapons. Absorbing some of the most dangerous hackers into the Russian Intelligence Agency (SVR) has allowed the Kremlin to control cyber op teams and mobilize them quickly. Russia’s cyber threat paired with the government’s current state of instability has prompted cybersecurity leaders everywhere to issue warnings calling for organizations and businesses to revise cyber defense protocols.