Kaspersky researchers report a fresh surge in activity by the OldGremlin ransomware group in the first half of 2025. At least eight large Russian organizations were compromised, primarily in the industrial sector, with additional victims in healthcare, retail, and IT. The campaign underscores a familiar pattern for the actor: prolonged, low-noise compromise followed by disruptive encryption and high-value extortion.
Victim Profile and Campaign Scale
OldGremlin has operated for roughly five years and is known for extended lateral movement and staging prior to detonation. The group’s average dwell time is about 49 days before encryption occurs, allowing comprehensive reconnaissance and privilege escalation. After notable campaigns in 2020–2022 and a reappearance in 2024, activity has increased in 2025. Historic ransom demands have reached the tens of millions of dollars, with at least one case approaching USD 17 million.
Tradecraft and Tooling Observed in 2025
Phishing-Led Intrusions and Backdoor Deployment
The intrusion lifecycle begins with phishing campaigns, enabling initial access and execution of payloads that establish persistence. A bespoke backdoor is used to maintain remote control, pivot across the network, and stage components of the ransomware.
BYOVD to Neutralize Security Controls
OldGremlin employs BYOVD (Bring Your Own Vulnerable Driver) techniques by loading a legitimate but vulnerable Windows driver to disable endpoint protections. With kernel-level privileges, the actors then deploy a malicious driver to tamper with security processes. This approach significantly complicates detection and response by EDR/AV tools and remains a rising concern in the Windows ecosystem.
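As an added illustration of how a defender can surface the BYOVD sequence described above, the following Python is not from Kaspersky's report or from the page; it is example detection logic over constructed Sysmon-style records. It assumes three event sources (System log 7045 for service installation, Sysmon Event ID 6 for driver loads, Sysmon Event ID 5 for process termination), a placeholder driver-hash blocklist, and placeholder endpoint-security process names, all of which an operator would replace with real inventory.

```python
"""Added example: flag a BYOVD sequence (kernel-driver service registered,
suspicious driver loaded, endpoint-security process terminated) in
Sysmon-style telemetry. All events, hashes and names are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Placeholder blocklist; in practice populate from Microsoft's Vulnerable
# Driver Blocklist or a curated list of driver hashes (assumption).
BLOCKLISTED_SHA256 = {"PLACEHOLDER_SHA256_OF_KNOWN_VULNERABLE_DRIVER"}
# Constructed names of security processes whose termination is meaningful.
PROTECTED_PROCESSES = {"edr_agent.exe", "av_service.exe"}
WINDOW = timedelta(minutes=10)


@dataclass
class Event:
    ts: datetime
    host: str
    event_id: int  # 7045 = service installed, 6 = driver loaded, 5 = process terminated
    fields: dict = field(default_factory=dict)


def parse_hashes(s):
    """Sysmon writes hashes as 'SHA256=...,MD5=...'; return them as a dict."""
    return dict(part.split("=", 1) for part in s.split(",") if "=" in part)


def is_suspicious_driver(ev):
    """Unsigned, not validly signed, or on the blocklist."""
    f = ev.fields
    sha256 = parse_hashes(f.get("Hashes", "")).get("SHA256")
    return (f.get("Signed", "false").lower() != "true"
            or f.get("SignatureStatus", "") != "Valid"
            or sha256 in BLOCKLISTED_SHA256)


def detect_byovd(events):
    """Return one alert per suspicious driver load; severity rises to 'high'
    when a kernel-driver service was installed within WINDOW before the load
    and a protected process died within WINDOW after it."""
    alerts = []
    by_host = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(ev.host, []).append(ev)
    for host, evs in by_host.items():
        for ev in evs:
            if ev.event_id != 6 or not is_suspicious_driver(ev):
                continue
            installs = [e for e in evs if e.event_id == 7045
                        and "kernel" in e.fields.get("ServiceType", "").lower()
                        and ev.ts - WINDOW <= e.ts <= ev.ts]
            kills = [e for e in evs if e.event_id == 5
                     and e.fields.get("Image", "").rsplit("\\", 1)[-1].lower() in PROTECTED_PROCESSES
                     and ev.ts <= e.ts <= ev.ts + WINDOW]
            alerts.append({
                "host": host,
                "driver": ev.fields.get("ImageLoaded"),
                "severity": "high" if installs and kills else "medium",
                "service": installs[0].fields.get("ServiceName") if installs else None,
                "terminated": [k.fields["Image"] for k in kills],
            })
    return alerts


def sample_events():
    """Constructed telemetry: one BYOVD-like chain on SRV01, one benign load on WS07."""
    t = datetime(2025, 5, 12, 2, 0)
    return [
        Event(t, "SRV01", 7045, {"ServiceName": "hwmon", "ImagePath": r"C:\Windows\Temp\hwmon.sys",
                                 "ServiceType": "kernel mode driver"}),
        Event(t + timedelta(minutes=1), "SRV01", 6, {"ImageLoaded": r"C:\Windows\Temp\hwmon.sys",
                                                     "Signed": "true", "SignatureStatus": "Valid",
                                                     "Hashes": "SHA256=PLACEHOLDER_SHA256_OF_KNOWN_VULNERABLE_DRIVER"}),
        Event(t + timedelta(minutes=2), "SRV01", 5, {"Image": r"C:\Program Files\EDR\edr_agent.exe"}),
        Event(t, "WS07", 6, {"ImageLoaded": r"C:\Windows\System32\drivers\disk.sys",
                             "Signed": "true", "SignatureStatus": "Valid",
                             "Hashes": "SHA256=PLACEHOLDER_BENIGN_HASH"}),
    ]


if __name__ == "__main__":
    for a in detect_byovd(sample_events()):
        print(a)
```

The point of correlating the three events rather than alerting on any unsigned driver is precision: a signed but blocklisted driver is exactly the case the blocklist exists for, and the service-install plus security-process-termination context is what separates a BYOVD chain from a noisy but legitimate driver rollout.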
Node.js Execution and Real-Time Ransomware Telemetry
In line with “living-off-the-land” tactics, the operators leverage the Node.js interpreter to run malicious scripts, blending into normal administrative activity. The final payload encrypts data and reports live encryption status back to the operators, enhancing control and timing during the attack window.
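The following Python is an added example, not code from the page or from Kaspersky, showing one way to triage interpreter launches such as node.exe against an asset inventory so that "living-off-the-land" execution on servers stands out. It assumes Sysmon Event ID 1 style fields (Image, CommandLine, ParentImage), a constructed host-role map, and a constructed allowlist of hosts where a given interpreter is expected.

```python
"""Added example: triage interpreter process-creation events (Sysmon ID 1
style) against a constructed asset inventory. Hosts, paths and allowlist
entries are assumptions for illustration."""
from pathlib import PureWindowsPath

INTERPRETERS = {"node.exe", "powershell.exe", "python.exe", "wscript.exe"}
# Constructed inventory: which hosts are servers versus workstations.
HOST_ROLE = {"DC01": "server", "APP01": "server", "WS-ALICE": "workstation"}
# Constructed allowlist: (host, interpreter) pairs with a business reason.
EXPECTED = {("APP01", "node.exe")}
# Script or binary locations that should not host interpreter activity on servers.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\", "\\appdata\\")
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}


def evaluate(event):
    """Return a list of reasons the event is worth a look, or None if it is not an
    interpreter launch or nothing about it is unusual."""
    image = PureWindowsPath(event["Image"]).name.lower()
    if image not in INTERPRETERS:
        return None
    host = event["host"]
    reasons = []
    if HOST_ROLE.get(host) == "server" and (host, image) not in EXPECTED:
        reasons.append(f"{image} not expected on server {host}")
    text = (event["Image"] + " " + event.get("CommandLine", "")).lower()
    if any(d in text for d in USER_WRITABLE):
        reasons.append("interpreter or script under a user-writable directory")
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    if parent in OFFICE_PARENTS:
        reasons.append(f"spawned by {parent}")
    return reasons or None


def triage(events):
    """Collect (host, image, reasons) for every event that evaluate() flags."""
    return [(e["host"], e["Image"], r) for e in events if (r := evaluate(e))]


def sample_events():
    """Constructed process-creation records."""
    return [
        # Expected: the portal application on APP01 really runs on Node.js.
        {"host": "APP01", "Image": r"C:\Program Files\nodejs\node.exe",
         "CommandLine": r"node.exe C:\apps\portal\server.js",
         "ParentImage": r"C:\Windows\System32\services.exe"},
        # Unexpected: a Node.js binary dropped under ProgramData on a domain controller.
        {"host": "DC01", "Image": r"C:\ProgramData\node\node.exe",
         "CommandLine": r"node.exe C:\ProgramData\upd\agent.js",
         "ParentImage": r"C:\Windows\System32\cmd.exe"},
        # Workstation PowerShell launched by Word: classic phishing follow-on.
        {"host": "WS-ALICE", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "CommandLine": "powershell.exe -w hidden -enc AAAA",
         "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
        # Not an interpreter at all.
        {"host": "WS-ALICE", "Image": r"C:\Windows\System32\notepad.exe",
         "CommandLine": "notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    ]


if __name__ == "__main__":
    for finding in triage(sample_events()):
        print(finding)
```

The inventory-driven rule is what gives the detection its value: node.exe is entirely normal on the host that hosts a Node.js application, so a global "alert on node.exe" rule would be tuned out within a week, whereas "node.exe on a host with no recorded reason for it, from a user-writable path" survives contact with production.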
Branded Notes, Evidence Wiping, and Temporary Isolation
Ransom notes are now “branded” under the OldGremlins name, signaling a push for recognition. Post-encryption components drop the note, clean activity traces, and temporarily disconnect compromised hosts from the network to delay incident response and hinder forensic analysis.
Why These Tactics Work: Industry Context and Trends
The combination of phishing, BYOVD, and legitimate interpreters reflects a broader trend: attackers camouflage actions as routine IT operations. Findings from the Verizon DBIR 2024 consistently place social engineering and phishing among leading initial access vectors, while the ENISA Threat Landscape underscores the persistence of ransomware and growing abuse of trusted components in the Windows driver model. Public cases across the ecosystem have shown how vulnerable drivers can be repurposed to kill security tools—one reason Microsoft’s Windows Vulnerable Driver Blocklist and robust driver policies are critical.
Priority Defenses Organizations Should Implement
Harden email and train users. Enforce attachment and URL filtering, conduct realistic phishing simulations, and deploy controls for Business Email Compromise scenarios.
Control drivers and privileges. Enable and maintain the Windows Vulnerable Driver Blocklist, restrict unauthorized driver and service installation, and monitor the Windows Event Log and Sysmon for service creation and driver-load events.
Fortify endpoints and scripting environments. Use EDR/XDR with behavioral analytics, control the execution of node.exe and other interpreters (PowerShell, Python) on servers, enforce AppLocker/WDAC policies, and enable script logging.
Segment networks and secure backups. Apply least privilege and segmentation, maintain isolated offline backups, regularly test restoration, and configure thresholds/alerts that flag mass-encryption behavior.
Prepare for incidents. Maintain an IR plan that anticipates temporary host isolation, have pre-approved playbooks, and keep an up-to-date contact map for external responders and national CERTs.
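To make the "thresholds/alerts that flag mass-encryption behavior" item concrete, here is an added Python example that is not from the page or from any vendor; it runs a sliding-window rule over constructed file-rename records. It assumes a record shape of timestamp, host, process, source path and destination path (as an EDR or file-audit source might provide), and the thresholds and known-extension list are assumptions an operator would tune.

```python
"""Added example: sliding-window detection of mass file renames to an
unfamiliar extension by a single process, the behavioural signature of bulk
encryption. Records, paths and thresholds are constructed for illustration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

WINDOW = timedelta(seconds=60)
MIN_FILES = 50   # distinct files renamed by one process within WINDOW
MIN_DIRS = 3     # spread across at least this many directories
# Constructed set of extensions normal for the environment.
KNOWN_EXT = {".docx", ".xlsx", ".pdf", ".txt", ".jpg", ".png", ".db", ".bak"}


def suspicious_rename(src, dst):
    """True when the extension changed to one outside the known set."""
    new_ext = PureWindowsPath(dst).suffix.lower()
    return new_ext != PureWindowsPath(src).suffix.lower() and new_ext not in KNOWN_EXT


def detect_mass_encryption(records):
    """One alert per (host, process) the first time its 60-second window holds
    MIN_FILES distinct suspicious renames across MIN_DIRS directories."""
    alerts = []
    windows = defaultdict(deque)   # (host, process) -> deque of (ts, dst)
    alerted = set()
    for r in sorted(records, key=lambda x: x["ts"]):
        if r["op"] != "rename" or not suspicious_rename(r["src"], r["dst"]):
            continue
        key = (r["host"], r["process"])
        q = windows[key]
        q.append((r["ts"], r["dst"]))
        while q and r["ts"] - q[0][0] > WINDOW:
            q.popleft()
        files = {p for _, p in q}
        dirs = {str(PureWindowsPath(p).parent) for p in files}
        if len(files) >= MIN_FILES and len(dirs) >= MIN_DIRS and key not in alerted:
            alerted.add(key)
            alerts.append({"host": r["host"], "process": r["process"],
                           "first_seen": q[0][0], "files": len(files), "dirs": len(dirs)})
    return alerts


def sample_records():
    """Constructed activity: a 30-second burst on FS01 and benign build output on BUILD01."""
    base = datetime(2025, 6, 1, 3, 0, 0)
    recs = []
    for i in range(60):
        d = ["Finance", "HR", "Projects", "Shared"][i % 4]
        recs.append({"ts": base + timedelta(seconds=i // 2), "host": "FS01",
                     "process": "svchost_update.exe", "op": "rename",
                     "src": f"D:\\Data\\{d}\\report{i}.docx",
                     "dst": f"D:\\Data\\{d}\\report{i}.docx.lockedx"})
    for i in range(10):
        recs.append({"ts": base + timedelta(seconds=i), "host": "BUILD01",
                     "process": "msbuild.exe", "op": "rename",
                     "src": f"C:\\build\\obj\\a{i}.tmp",
                     "dst": f"C:\\build\\obj\\a{i}.obj"})
    return recs


if __name__ == "__main__":
    for a in detect_mass_encryption(sample_records()):
        print(a)
```

Requiring spread across several directories as well as a file count is deliberate: a compiler or backup job can rename many files quickly, but it does so inside one tree, while an encryptor walks the whole share. Because the rule keys on (host, process), it also names the process to terminate or isolate, which is what an IR playbook for temporary host isolation needs.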
The current OldGremlin wave highlights the need for continuous tracking of adversary TTPs and rapid adjustment of security policies. Industrial, healthcare, retail, and IT organizations should reassess phishing resilience, tighten driver governance, and limit script runtime execution. Regular exercises, verified backups, and behavior-driven EDR/XDR are among the most practical steps to reduce the probability and impact of large-scale encryption and business disruption.