NEWS DESK

Kaspersky reports the return of ransomware group OldGremlin

Kaspersky Threat Research has identified new attacks by the ransomware group OldGremlin in early 2025, signaling the return of an operation that targets manufacturing, healthcare, retail and technology firms and once demanded nearly $17 million from a single victim.

The OldGremlin group, first identified five years ago, uses advanced tactics, techniques, and procedures to carry out its attacks. The attackers can remain inside a victim's network for an extended period, on average about 49 days, before encrypting files. The Russian-speaking group was active from 2020 to 2022 and was last observed in 2024. In previous cases it has demanded large ransoms, including nearly 17 million US dollars in one instance.

In the 2025 campaign, the attackers updated their arsenal of attack tools. To gain access to victims' computers and encrypt their data, they send phishing emails and use a variety of malicious tools. A backdoor gives them remote access to, and control over, infected devices. They exploit a vulnerability in a legitimate driver to disable Windows protection and load their own unsigned malicious driver, which in turn allows them to run the ransomware. The attackers also used the legitimate Node.js platform (a JavaScript runtime) to run malicious scripts. The group has also begun "branding" its attacks, using the name OldGremlins – a slightly modified version of the name researchers had previously assigned to it – in its ransom notes.

In the new campaign, the malware not only encrypts files but also reports its current status back to the intruders. Finally, the fourth tool, "closethedoor," isolates the device from the network during the encryption process, drops the ransom notes, and cleans up traces, making further investigation of the incident difficult.

“A new wave of cyberattacks by OldGremlin has confirmed that even inactive groups can be a threat to businesses. The attackers have returned with improved tools, highlighting the importance of companies constantly monitoring the techniques and tactics used by attackers to prevent future attacks. In 2025, the group has not only resumed its activities but also taken on the name given by cybersecurity experts, publicly declaring its existence,” said Yanis Zinchenko, Threat Research Expert at Kaspersky.

Kaspersky products detect this ransomware as Trojan-Ransom.Win64.OldGremlin, Backdoor.JS.Agent.og, HEUR:Trojan.JS.Starter.og and HEUR:Trojan-Ransom.Win64.Generic.

Kaspersky encourages organizations to follow these best practices to safeguard from ransomware:

  • Use solutions from the Kaspersky Next product line that provide real-time protection, threat visibility, investigation and response capabilities of EDR and XDR for organizations of any size and industry.
  • Always keep software updated on all the devices you use to prevent attackers from exploiting vulnerabilities and infiltrating your network.
  • Focus your defense strategy on detecting lateral movement and data exfiltration to the internet. Pay special attention to outgoing traffic in order to spot attackers' connections to your network.
  • Set up offline backups that intruders cannot tamper with. Make sure you can access them quickly when needed or in an emergency.
  • Use the latest threat intelligence to stay aware of the current Tactics, Techniques, and Procedures (TTPs) used by threat actors.

PR News Desk