Kaspersky reports the return of Russian-speaking ransomware group OldGremlin

Kaspersky Threat Research has identified new attacks by the Russian-speaking ransomware group OldGremlin in early 2025, signaling the return of an operation that targets manufacturing, healthcare, retail and technology firms and once demanded nearly $17 million from a single victim.

The activity matches the group’s past playbook and, for the first time, the malicious actor appears to have used the “OldGremlin” name in their own materials, showing up in ransom notes and file paths. The toolkit turns off key Windows protections to run the group’s own driver and relies on Node.js to run commands.

Kaspersky researchers identified four main parts in the OldGremlin toolkit. A remote-access backdoor lets the attackers control infected computers. A “patcher” abuses a flaw in a legitimate Windows driver to switch off the protection that normally blocks unsigned drivers; it then loads the group’s own malicious driver to shut down security tools. A file-encrypting program, “master,” can, like “patcher,” run either as a standalone executable or as a Node.js add-on; when queried locally (localhost:8010), “master” reports the current encryption status so the attackers can track progress. A final tool, “closethedoor,” isolates the device from the network during encryption, drops the ransom notes, and cleans up traces.
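The two host-level observables described above, an unsigned kernel driver running after the protection was switched off and a local listener on port 8010, can be checked in a triage pass. The script below is an added example and is not from Kaspersky’s report or tooling; the port comes from the article, while the driver path handling and the per-finding record format are this example’s own assumptions.

```powershell
# Added example (not Kaspersky's code): triage a Windows host for the two
# behaviours described in the article. Run from an elevated PowerShell session.
function Get-OldGremlinTriageFindings {
    $findings = @()

    # 1. Running kernel drivers whose image is not Authenticode-signed.
    #    The "patcher" disables the check that blocks unsigned drivers, so an
    #    unsigned running driver is the artefact worth looking at first.
    Get-CimInstance Win32_SystemDriver | Where-Object { $_.State -eq 'Running' } | ForEach-Object {
        $path = $_.PathName
        if (-not $path) { return }
        # Normalise the NT-style paths the service database stores (assumption: these two prefixes cover most cases).
        $path = $path -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
        if (Test-Path -LiteralPath $path) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid') {
                $findings += [pscustomobject]@{
                    Check  = 'UnsignedRunningDriver'
                    Detail = "$($_.Name) -> $path (signature status: $($sig.Status))"
                }
            }
        }
    }

    # 2. Anything listening on TCP 8010, the local status port the report
    #    attributes to "master". Record the owning process for follow-up.
    Get-NetTCPConnection -State Listen -LocalPort 8010 -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $findings += [pscustomobject]@{
            Check  = 'Listener8010'
            Detail = "$($_.LocalAddress):8010 owned by PID $($_.OwningProcess) ($($proc.ProcessName))"
        }
    }

    return $findings
}

Get-OldGremlinTriageFindings | Format-Table -AutoSize
```

Inbox drivers that are catalog-signed rather than embedded-signed can report a non-Valid status on some hosts, so treat an unsigned-driver hit as a lead to verify against the vendor, not a verdict on its own.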

“The OldGremlin group has evolved its toolset, which contains a backdoor, an EPP/EDR killer, and an encryption trojan. The threat actors also use legitimate tools and vulnerable drivers in their attacks. To counter this kind of activity and other advanced threats, we recommend the Kaspersky Next product line, which offers real-time protection along with EDR and XDR capabilities that organizations can scale as their security needs grow,” said Yanis Zinchenko, Threat Research, Kaspersky.

Kaspersky links the 2025 incidents to OldGremlin through consistent tactics and a reused cryptographic public key that also appeared in earlier campaigns, pointing to the same operators. Targets this year include organizations in manufacturing, technology, retail and healthcare. The group is known for long dwell times, about 49 days, before encrypting files, and has issued large ransom demands in the past, including a $16.9 million case in 2022. Kaspersky also observed command-and-control servers reachable on the public internet.

Kaspersky products detect this ransomware as Trojan-Ransom.Win64.OldGremlin, Backdoor.JS.Agent.og, HEUR:Trojan.JS.Starter.og and HEUR:Trojan-Ransom.Win64.Generic.
