Kaspersky reports the return of Russian-speaking ransomware group OldGremlin

Published 28 August 2025 at https://www.technologyforyou.org/kaspersky-reports-the-return-of-russian-speaking-ransomware-group-oldgremlin/

Kaspersky Threat Research has identified new attacks by the Russian-speaking ransomware group OldGremlin in early 2025, signaling the return of an operation that targets manufacturing, healthcare, retail and technology firms and once demanded nearly $17 million from a single victim.

The activity matches the group's past playbook and, for the first time, the actor appears to have used the "OldGremlin" name in its own materials: it shows up in ransom notes and file paths. The toolkit switches off a key Windows kernel protection so that the group's own driver can be loaded, and relies on Node.js to run commands.

Kaspersky researchers found that the OldGremlin toolkit has four main parts. A remote-access backdoor lets the attackers control infected computers. A "patcher" exploits a flaw in a legitimate Windows driver (a bring-your-own-vulnerable-driver technique) to switch off Driver Signature Enforcement, the protection that normally blocks unsigned drivers from loading; it then loads the group's own malicious driver, which shuts down security tools from kernel mode. The file-encrypting component, "master", and the patcher can each run either as standalone executables or as Node.js native add-ons; when queried on the local machine (localhost:8010), "master" reports the current encryption status so the attackers can track progress. A final tool, "closethedoor", isolates the device from the network during encryption, drops the ransom notes, and cleans up traces.

"The OldGremlin group has evolved its toolset, which contains a backdoor, an EPP/EDR killer, and an encryption trojan. The threat actors also use legitimate tools and vulnerable drivers in their attacks. To counter this kind of activity and other advanced threats, we recommend the Kaspersky Next product line, which offers real-time protection along with EDR and XDR capabilities that organizations can scale as their security needs grow," said Yanis Zinchenko, Threat Research, Kaspersky.

Kaspersky links the 2025 incidents to OldGremlin through consistent tactics and a reused cryptographic public key that also appeared in earlier campaigns, pointing to the same operators (a meaningful overlap, since a public key embedded in ransomware is only useful to whoever holds the matching private key). Targets this year include organizations in manufacturing, technology, retail and healthcare. The group is known for long dwell times, about 49 days, before encrypting files, and has issued large ransom demands in the past, including a $16.9 million case in 2022. Kaspersky also observed command-and-control servers reachable on the public internet.

Kaspersky products detect the toolkit's components as Trojan-Ransom.Win64.OldGremlin, Backdoor.JS.Agent.og, HEUR:Trojan.JS.Starter.og and HEUR:Trojan-Ransom.Win64.Generic.
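A detection-side illustration of the tradecraft described above, added here as an example; it is not code from Kaspersky's report or from the article. It correlates constructed Sysmon-style events (driver load, image load, network connection) per host and scores three signals: an unsigned kernel driver actually loading, which should not happen while Driver Signature Enforcement is in effect, weighs most; a node.exe process connecting to localhost:8010, the status endpoint named in the article, weighs less; and node.exe loading a native .node add-on, which is routine on developer machines, weighs least on its own. The event shapes, field names, hostnames, file paths, weights and threshold are assumptions for illustration; only the loopback port and the Node.js add-on detail come from the article.

```python
import ipaddress
import ntpath
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample telemetry, shaped like Sysmon events 3 (NetworkConnect),
# 6 (DriverLoad) and 7 (ImageLoad). Hosts, paths and values are made up.
SAMPLE_EVENTS: List[dict] = [
    # WS-017: signed driver, then an unsigned one, then Node.js add-on + loopback:8010
    {"host": "WS-017", "EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\vendorutil.sys",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"host": "WS-017", "EventID": 6, "ImageLoaded": r"C:\Users\Public\kill.sys",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"host": "WS-017", "EventID": 7, "Image": r"C:\Program Files\nodejs\node.exe",
     "ImageLoaded": r"C:\Users\Public\master.node", "Signed": "false"},
    {"host": "WS-017", "EventID": 3, "Image": r"C:\Program Files\nodejs\node.exe",
     "DestinationIp": "127.0.0.1", "DestinationPort": 8010, "Initiated": "true"},
    # WS-042: a developer box running Node.js with a native module; no driver activity
    {"host": "WS-042", "EventID": 7, "Image": r"C:\Program Files\nodejs\node.exe",
     "ImageLoaded": r"C:\dev\app\node_modules\bcrypt\build\Release\bcrypt_lib.node", "Signed": "true"},
    {"host": "WS-042", "EventID": 3, "Image": r"C:\Program Files\nodejs\node.exe",
     "DestinationIp": "127.0.0.1", "DestinationPort": 3000, "Initiated": "true"},
]

Hit = Optional[Tuple[str, int]]  # (indicator name, weight) or None


def _is_node(image: str) -> bool:
    return ntpath.basename(image).lower() == "node.exe"


def _is_loopback(ip: str) -> bool:
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def rule_unsigned_driver(e: dict) -> Hit:
    # An unsigned kernel driver that actually loaded means Driver Signature
    # Enforcement was not in effect: the strongest single signal here (weight assumed).
    if e.get("EventID") == 6 and str(e.get("Signed", "")).lower() != "true":
        return ("unsigned_driver_load:" + e.get("ImageLoaded", "?"), 3)
    return None


def rule_node_native_addon(e: dict) -> Hit:
    # node.exe loading a .node add-on is common on developer machines, so low weight.
    if (e.get("EventID") == 7 and _is_node(e.get("Image", ""))
            and e.get("ImageLoaded", "").lower().endswith(".node")):
        return ("node_native_addon:" + e["ImageLoaded"], 1)
    return None


def rule_node_loopback_8010(e: dict) -> Hit:
    # The "master" status endpoint answers on localhost:8010; Sysmon logs the
    # connection made by whichever process polls it, not the listening socket.
    if (e.get("EventID") == 3 and _is_node(e.get("Image", ""))
            and _is_loopback(e.get("DestinationIp", ""))
            and int(e.get("DestinationPort", 0)) == 8010):
        return ("node_loopback_8010", 2)
    return None


RULES = (rule_unsigned_driver, rule_node_native_addon, rule_node_loopback_8010)


def correlate(events: Iterable[dict]) -> Dict[str, dict]:
    """Score each host by summing the weights of the indicators seen on it."""
    per_host: Dict[str, dict] = defaultdict(lambda: {"score": 0, "indicators": []})
    for e in events:
        for rule in RULES:
            hit = rule(e)
            if hit:
                name, weight = hit
                per_host[e["host"]]["score"] += weight
                per_host[e["host"]]["indicators"].append(name)
    return dict(per_host)


def alerts(events: Iterable[dict], threshold: int = 3) -> List[str]:
    """Hosts whose combined score reaches the (assumed) threshold, sorted for stable output."""
    return sorted(h for h, r in correlate(events).items() if r["score"] >= threshold)


if __name__ == "__main__":
    for host, result in correlate(SAMPLE_EVENTS).items():
        print(host, result["score"], result["indicators"])
    print("alert:", alerts(SAMPLE_EVENTS))
```

With the sample data, WS-017 scores 6 and is alerted on while the developer box WS-042 scores 1 and is not; the unsigned driver load alone is enough to reach the threshold, which is deliberate, since that event on its own means the kernel accepted code it should have refused. Because Sysmon records outbound connections rather than listening sockets, the loopback rule only fires when something polls the status endpoint; on a live host, Get-NetTCPConnection -LocalPort 8010 (or netstat -ano) would expose the listener itself.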