OldGremlin Extortionists Resume Attacks on Russian Companies

Kaspersky Lab researchers have reported a new wave of attacks by the extortion group OldGremlin, targeting Russian companies in the first half of 2025. Eight large enterprises—mostly in the industrial sector—were affected, along with organizations in healthcare, retail, and IT.
Background on OldGremlin
The group first appeared in 2020 and is known for using advanced tactics, techniques, and procedures (TTPs). OldGremlin operators are patient: they remain inside a compromised network for an average of 49 days before deploying ransomware, which leaves defenders a long window in which to spot them.
The group was active from 2020 to 2022 and was last observed in 2024. Past ransom demands reached extraordinary sums; in one case the demand was nearly $17 million USD.
Updated Toolkit in 2025
Researchers note that OldGremlin’s latest campaign features an upgraded toolkit. Among the changes:
- Exploiting a vulnerability in a legitimate driver to disable security software (the "bring your own vulnerable driver", or BYOVD, technique: the driver is validly signed, so it loads without complaint and then hands the attackers kernel-level access)
- Using the Node.js interpreter (a legitimate JavaScript runtime environment, and therefore a signed binary that application allowlists rarely block) to run malicious scripts
- Delivering ransomware that both encrypts files and reports status updates back to the attackers
Interestingly, the group has also started “branding” its attacks. Ransom messages now use the name OldGremlins—a variation of the label originally given to them by researchers.
Attack Chain
The 2025 extortion campaign begins with phishing emails and progresses through several custom tools:
- Backdoor Deployment – Provides remote access and full control of infected devices.
- Driver Exploit – Exploits the vulnerable legitimate driver to disable Windows protection, then installs a malicious driver of the attackers' own.
- Ransomware Execution – Encrypts files and reports status updates to the operators.
- Final Stage Tool – Displays the ransom note, erases traces of malicious activity, and disconnects the device from the network to complicate forensic investigation. Because that last step also cuts off endpoint telemetry, logs need to be forwarded off the host before this stage rather than collected from it afterwards.
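The chain above exposes a few host-level observables that a detection engineer can correlate: a copy of node.exe running outside its installation directory or executing a script from a user-writable path, a kernel driver loaded from a user-writable path, and a network adapter being disabled. The following is an added hunting example and is not Kaspersky's or the article's code. It runs over constructed, Sysmon-style events with an assumed field layout; the trusted Node.js install directories, the list of user-writable path fragments and the sample hostnames are all assumptions, and no real driver names are used.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """Simplified stand-in for endpoint telemetry (constructed schema, not Sysmon's)."""
    ts: int            # seconds since epoch
    host: str
    kind: str          # "process" | "driver_load" | "adapter_change"
    image: str = ""    # executable or driver path
    cmdline: str = ""
    detail: str = ""   # free-form, e.g. adapter state


# Assumptions: where a legitimately installed Node.js lives, and which
# directory fragments count as user-writable on a typical Windows host.
NODE_INSTALL_DIRS = ("c:\\program files\\nodejs\\", "c:\\program files (x86)\\nodejs\\")
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\", "\\public\\")
SCRIPT_RE = re.compile(r'"?([^"\s]+\.(?:js|cjs|mjs))\b"?', re.I)


def _is_node(ev):
    return ev.kind == "process" and ev.image.lower().endswith("\\node.exe")


def node_outside_install(ev):
    """node.exe copied somewhere other than its installation directory."""
    return _is_node(ev) and not ev.image.lower().startswith(NODE_INSTALL_DIRS)


def node_script_from_user_path(ev):
    """node.exe executing a script that sits in a user-writable location."""
    if not _is_node(ev):
        return False
    m = SCRIPT_RE.search(ev.cmdline)
    return bool(m) and any(p in m.group(1).lower() for p in USER_WRITABLE)


def driver_from_user_path(ev):
    """Kernel driver loaded from a user-writable path instead of System32\\drivers."""
    return ev.kind == "driver_load" and any(p in ev.image.lower() for p in USER_WRITABLE)


def adapter_disabled(ev):
    """Network adapter switched off on the host (the article's final stage)."""
    return ev.kind == "adapter_change" and ev.detail.lower() == "disabled"


RULES = (node_outside_install, node_script_from_user_path, driver_from_user_path, adapter_disabled)


def find_suspicious_hosts(events, window=6 * 3600, min_rules=2):
    """Return {host: sorted rule names} for every host on which at least
    `min_rules` distinct rules fired within `window` seconds of each other.
    Any single rule alone is noisy; the correlation is what makes it a lead."""
    hits = defaultdict(list)  # host -> [(ts, rule_name)]
    for ev in sorted(events, key=lambda e: e.ts):
        for rule in RULES:
            if rule(ev):
                hits[ev.host].append((ev.ts, rule.__name__))
    result = {}
    for host, rows in hits.items():
        for i, (t0, _) in enumerate(rows):
            names = sorted({name for t, name in rows[i:] if t - t0 <= window})
            if len(names) >= min_rules:
                result[host] = names
                break
    return result


# Constructed sample telemetry: one benign developer box and one host that
# shows the sequence described in the article's attack chain.
SAMPLE_EVENTS = [
    Event(1000, "dev-03", "process", "C:\\Program Files\\nodejs\\node.exe",
          '"C:\\Program Files\\nodejs\\node.exe" C:\\src\\app\\build.js'),
    Event(2000, "ws-17", "process", "C:\\Users\\Public\\Libraries\\node.exe",
          '"C:\\Users\\Public\\Libraries\\node.exe" C:\\Users\\Public\\Libraries\\update.js'),
    Event(2600, "ws-17", "driver_load", "C:\\ProgramData\\drv\\helper.sys"),
    Event(5000, "ws-17", "adapter_change", detail="disabled"),
]

if __name__ == "__main__":
    for host, rules in find_suspicious_hosts(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(rules))
```

The correlation window is deliberately long because the article's dwell times are measured in weeks; tune `window` and `min_rules` to the noise level of your own node.exe and driver-load telemetry, and remember that the adapter-disable rule will only ever fire on logs that left the host before the disconnect.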
Expert Commentary
“The threat actors have returned with an enhanced toolkit—this once again underscores how important it is for companies to constantly monitor attackers’ techniques and tactics to avoid becoming victims,” said Yanis Zinchenko, cybersecurity expert at Kaspersky Lab. “In 2025, the group not only resumed its activities—it also adopted the name previously given to it by cybersecurity experts, effectively announcing itself.”