
Kaspersky reports the return of Russian-speaking ransomware group OldGremlin

August 26, 2025

Kaspersky Threat Research has identified new attacks by the Russian-speaking ransomware group OldGremlin in early 2025, signaling the return of an operation that targets manufacturing, healthcare, retail and technology firms and once demanded nearly $17 million from a single victim.

The activity matches the group’s past playbook and, for the first time, the malicious actor appears to have used the “OldGremlin” name in their own materials, showing up in ransom notes and file paths. The toolkit turns off key Windows protections to run the group’s own driver and relies on Node.js to run commands.

Kaspersky researchers identified that the OldGremlin toolkit has four main parts. A remote-access backdoor lets the attackers control infected computers. A “patcher” abuses a flaw in a legitimate Windows driver to switch off the protection that normally blocks unsigned drivers; it then loads the group’s own malicious driver to shut down security tools. A file-encrypting program, “master,” can, like “patcher,” run either as a standalone executable or as a Node.js add-on; when queried locally (localhost:8010), “master” reports the current encryption status so the attackers can track progress. A final tool, “closethedoor,” isolates the device from the network during the encryption process, drops the ransom notes, and cleans up traces.
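Two of the host-level traits described above can be checked for directly by a responder: a process listening on local port 8010 (the “master” status endpoint) and a running kernel driver that carries no valid signature (what the “patcher” makes possible by disabling the unsigned-driver block). The following triage script is an added example, not Kaspersky’s code or part of the report; the port number comes from the text, the function names and output format are assumptions, and it must run elevated on a Windows host.

```powershell
# Added triage example (not Kaspersky's code). Port 8010 is taken from the report;
# function names and output layout are this example's own assumptions.

function Get-LocalListenerOnPort {
    param([int]$Port = 8010)   # "master" status endpoint port from the report
    Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                Port         = $_.LocalPort
                Pid          = $_.OwningProcess
                ProcessName  = $proc.ProcessName
                ProcessPath  = $proc.Path
            }
        }
}

function Get-UnsignedRunningDriver {
    # Enumerate running kernel drivers and verify each image's Authenticode signature.
    # Inbox Microsoft drivers are usually catalog-signed and report Status 'Valid'
    # (SignatureType 'Catalog'); anything else is worth a closer look, not proof by itself.
    Get-CimInstance Win32_SystemDriver -Filter "State='Running'" |
        Where-Object { $_.PathName } |
        ForEach-Object {
            # PathName may be \??\C:\..., \SystemRoot\..., or relative to the Windows directory
            $path = $_.PathName -replace '^\\\?\?\\', ''
            if ($path -like '\SystemRoot\*') {
                $path = $path -replace '^\\SystemRoot', $env:SystemRoot
            } elseif (-not [IO.Path]::IsPathRooted($path)) {
                $path = Join-Path $env:SystemRoot $path
            }
            if (-not (Test-Path -LiteralPath $path)) { return }
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{ Driver = $_.Name; Path = $path; Status = $sig.Status }
            }
        }
}

$listeners = @(Get-LocalListenerOnPort -Port 8010)
$drivers   = @(Get-UnsignedRunningDriver)
"Listeners on 127.0.0.1:8010 : $($listeners.Count)"
$listeners | Format-Table -AutoSize
"Running drivers without a valid signature: $($drivers.Count)"
$drivers | Format-Table -AutoSize
```

A hit on either check is a lead for investigation rather than a verdict: legitimate software can listen on 8010, and a signature that fails to verify can also stem from a corrupted catalog.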

“The OldGremlin group has evolved its toolset, which contains a backdoor, an EPP/EDR killer, and an encryption trojan. The threat actors also use legitimate tools and vulnerable drivers in their attacks. To counter this kind of activity and other advanced threats, we recommend the Kaspersky Next product line, which offers real-time protection along with EDR and XDR capabilities that organizations can scale as their security needs grow,” said Yanis Zinchenko, Threat Research, Kaspersky.

Kaspersky links the 2025 incidents to OldGremlin through consistent tactics and a reused cryptographic public key that also appeared in earlier campaigns, pointing to the same operators. Targets this year include organizations in manufacturing, technology, retail and health care. The group is known for long dwell times, about 49 days, before encrypting files and has issued large ransom demands in the past, including a $16.9 million case in 2022. Kaspersky also observed command-and-control servers reachable on the public internet.

Kaspersky products detect this ransomware as Trojan-Ransom.Win64.OldGremlin, Backdoor.JS.Agent.og, HEUR:Trojan.JS.Starter.og and HEUR:Trojan-Ransom.Win64.Generic.

Kaspersky encourages organizations to follow these best practices to safeguard from ransomware:

  • Use solutions from the Kaspersky Next product line that provide real-time protection, threat visibility, investigation and response capabilities of EDR and XDR for organizations of any size and industry.
  • Always keep software updated on all the devices you use to prevent attackers from exploiting vulnerabilities and infiltrating your network.
  • Focus your defense strategy on detecting lateral movements and data exfiltration to the internet. Pay special attention to outgoing traffic to detect cybercriminals’ connections to your network.
  • Set up offline backups that intruders cannot tamper with. Make sure you can access them quickly when needed or in an emergency.
  • Use the latest Threat Intelligence information to stay aware of the actual Tactics, Techniques, and Procedures (TTPs) used by threat actors.

Threat Research

The Threat Research team is a leading authority in protecting against cyberthreats. By actively engaging in both threat analysis and technology creation, our TR experts ensure that Kaspersky’s cybersecurity solutions are deeply informed and exceptionally potent, providing critical threat intelligence and robust security to our clients and the broader community.


About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. With over a billion devices protected to date from emerging cyberthreats and targeted attacks, Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative solutions and services to protect individuals, businesses, critical infrastructure, and governments around the globe. The company’s comprehensive security portfolio includes leading digital life protection for personal devices, specialized security products and services for companies, as well as Cyber Immune solutions to fight sophisticated and evolving digital threats. We help millions of individuals and nearly 200,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.
