Russian Cybercriminals Unleash New Ransomware

In recent months, notorious Russian cybercriminals have resurfaced with new ransomware variants, intensifying global cyber threats. Groups such as OldGremlin and CyberVolk have reemerged, targeting critical infrastructure and private enterprises, underscoring the persistent and evolving nature of cybercrime.

OldGremlin’s Resurgence

In August 2025, Kaspersky Threat Research identified renewed attacks by the Russian-speaking ransomware group OldGremlin. This group, known for targeting sectors like manufacturing, healthcare, retail, and technology, had previously demanded nearly $17 million from a single victim. Their recent activities mirror past tactics, with the group now using the “OldGremlin” name in their ransom notes and file paths. Their toolkit includes a remote-access backdoor, a “patcher” that exploits Windows driver vulnerabilities to disable security tools, and a file-encrypting program named “master.” Additionally, they employ “closethedoor,” a tool that isolates infected devices from networks during encryption, drops ransom notes, and cleans up traces. (kaspersky.com)


CyberVolk’s Return

Similarly, the pro-Russian hacktivist group CyberVolk has reemerged with an updated Ransomware-as-a-Service (RaaS) platform. CyberVolk gained traction in 2024 by operating entirely via Telegram, which let even less tech-savvy affiliates deploy ransomware attacks. Its new ransomware, VolkLocker, uses Telegram automation for command and control and adds features such as a customizable C2, infection alerts, and keylogging. However, cybersecurity firm SentinelOne uncovered a critical flaw: the encryption key is hardcoded into the binary, so victims' files can be decrypted without paying the ransom. This oversight renders the ransomware mostly ineffective and suggests a developer mistake, similar to errors seen in legitimate software. (techradar.com)

Phobos Ransomware Crackdown

In February 2025, Europol announced the arrest of four Russian individuals suspected of leading the 8Base ransomware group, which deployed a variant of the Phobos ransomware. This coordinated action, involving law enforcement agencies from 14 countries, led to the takedown of 27 servers linked to the criminal network. Phobos ransomware typically targets small and medium-sized businesses, which are more vulnerable due to limited cybersecurity resources. (reuters.com)

Qakbot Malware Indictment

In May 2025, the U.S. Department of Justice unsealed an indictment charging Russian national Rustam Rafailevich Gallyamov with leading a group of cybercriminals who developed and deployed the Qakbot malware. This malware infected thousands of computers worldwide, installing ransomware and demanding payment from victims. The indictment is part of the international anti-botnet effort known as Operation DuckHunt, which dismantled the Qakbot platform in 2023. (justice.gov)

Sanctions and Arrests

The U.S. and U.K. have jointly imposed sanctions on seven Russian cybercriminals linked to the Russia-based Trickbot Group, ahead of the first anniversary of Russia’s invasion of Ukraine. These individuals are accused of roles including development, money laundering, and leadership within the group, which has been involved in extensive cybercrime, including ransomware attacks on U.S. hospitals during the COVID-19 pandemic. (apnews.com)

Additionally, Russian professional basketball player Daniil Kasatkin was arrested by French authorities at Paris Charles de Gaulle Airport on June 21, 2025, due to allegations from the U.S. linking him to a ransomware gang. Accusations claim Kasatkin conspired in cyberattacks on around 900 entities, including two U.S. federal agencies, between 2020 and 2022. A French court ruled on July 8 to keep him detained as he awaits possible extradition to the U.S., which has 60 days to submit extradition documents. (tomshardware.com)

The Persistent Threat of Russian Ransomware

Russian-speaking threat actors have consistently driven most types of crypto-enabled cybercrime, from ransomware to illicit crypto exchanges and darknet markets. In fact, they accounted for at least 69% of all crypto proceeds linked to ransomware throughout the previous year, exceeding $500 million. (bleepingcomputer.com)

The resurgence of groups like OldGremlin and CyberVolk shows that these actors adapt and return even after arrests and takedowns. Their activities underscore the need for continuous vigilance, robust cybersecurity measures, and international cooperation to combat these threats effectively.
