Ransomware groups attack a new target: Russian organizations

In many ransomware incidents, Russian-linked actors often play the role of attacker rather than victim.

But in recent weeks, cyberattacks have crippled Russian businesses and disrupted government agencies.

Late last month, a ransomware gang by the name of OldGremlin targeted Russian companies with two phishing campaigns, according to new research from cybersecurity firm Group-IB. OldGremlin “masquerade[d] as representatives of a Russian financial organization,” warning their targets of new sanctions that would shut down Visa and Mastercard payment systems in the region.

The email then granted OldGremlin remote entry into the system via a malicious file that installed a backdoor called “TinyFluff”, an updated version of the gang’s earlier backdoor, “TinyNode”. Once the attackers are inside the system and have access to its data, the target receives a ransom note. Group-IB said one of the potential victims was a mining company.

Another prolific ransomware gang, called NB65, has worked to thwart Russian operations, including an attack on the state-owned radio and television network VGTRK, in which they allegedly stole 900,000 emails and 4,000 files. The group’s newest and most sophisticated offensive came in March, when they used leaked source code from the Conti ransomware gang – a Russian-linked threat actor – to create unique ransomware for each Russian target.

And earlier in March, MalwareHunterTeam leaked a sample of new malware called “RURansom” which does not work as ransomware, but rather as a wiper, destroying all encrypted files, according to computer research firm TrendMicro. It is unknown who the specific targets of the malware are or will be, but the code clearly indicates the intent: “President Vladimir Putin has declared war on Ukraine. To counter this, I, the creator of RU_Ransom, created this malware to harm Russia,” as translated by TrendMicro research.

Russia’s history of cyber espionage and hacking is long, making the country’s cyber intelligence force one of the most dangerous in the world. For years, Russia has executed numerous cyberattacks against organizations in the United States, Ukraine, Estonia, Germany, Norway, and elsewhere, one of the first being “Moonlight Maze” in 1996, which infiltrated the systems of various US government agencies and stole classified information.

Since then, Russia has honed its skills in cyber espionage using known cybercriminals and gangs of cybercriminals as weapons of the nation-state. The absorption of some of the most dangerous hackers into the Russian Intelligence Agency (SVR) allowed the Kremlin to control cyber operations teams and mobilize them quickly. The cyber threat from Russia coupled with the current state of government instability has prompted cybersecurity officials around the world to issue warnings calling on organizations and companies to revise cyber defense protocols.

Emma Vail is a writing intern for The Record. She is currently studying Anthropology and Women, Gender, and Sexuality at Northeastern University. After creating her own blog in 2018, she decided to embark on journalism and deepen her experience by joining the team.
