Group-IB: in 2022, OldGremlin hackers demanded a record ransom of 1 billion rubles
The OldGremlin hacker group, made up of Russian-speaking hackers, ran 16 campaigns in two and a half years to obtain ransoms for decrypting data. According to a report by IT company Group-IB, the extortionists have demanded record amounts from victims for the second year in a row: the ransom demand reached 1 billion rubles in 2022 and 250 million rubles in 2021.
The OldGremlin hackers used phishing emails to gain access to the data. The subjects of the mailings followed the current news agenda (the pandemic, remote work, anti-Russian sanctions), and the text of each letter contained a request for an interview, a commercial offer or a financial document. This let the attackers induce recipients to click on links and download malicious files. The geography of organizations attacked by OldGremlin is limited to Russia.
In 2020, OldGremlin sent ten emails ostensibly on behalf of microfinance organizations, a metallurgical holding, the Belarusian plant MTZ, and the RBC media holding. In 2021, the hackers conducted only one campaign, on behalf of the Association of Internet Trade; in 2022 they conducted five, allegedly from the services “Consultant Plus” and “1C-Bitrix”, a payment system, etc.
The victims of the hacker group were banks, logistics, industrial and insurance companies, as well as retailers, developers and companies specializing in software development. In 2020, OldGremlin attacked a Russian arms factory. According to Group-IB estimates, the group's average ransom demand is about 100 million rubles.
OldGremlin’s activity was first noticed by Group-IB analysts in March 2020. It was later described in detail in the blog post “OldGremlin’s Big Hunt: Ransomware Operators Attack Large Russian Companies and Banks”.