GOLD VICTOR
SUMMARY
GOLD VICTOR is a cybercriminal threat group that operated the Vice Society name-and-shame ransomware scheme from mid-2021. Based on the common tools and TTPs observed in deployment, and on the chronology of victim naming, CTU researchers assess with moderate confidence that the group shifted to an operation built around Rhysida ransomware in mid-2023. Like Vice Society before it, Rhysida does not appear to be operated as ransomware-as-a-service (RaaS), as neither scheme has advertised for affiliates on underground forums or on its leak site. It is possible, however, that Rhysida is operated as a private RaaS, with multiple threat actors deploying the ransomware in intrusions.
While operating as Vice Society, GOLD VICTOR used a variety of ransomware variants to encrypt its victims' systems before posting victim names to a leak site. CTU researchers observed the use of Zeppelin ransomware to encrypt Windows devices. Additionally, third-party researchers have observed the use of BlackCat/ALPHV, QuantumLocker and PolyVice in GOLD VICTOR compromises. According to reporting by Sygnia, GOLD VICTOR used HelloKitty (aka FiveHands) ransomware to encrypt Linux hosts. The group now uses Rhysida ransomware, and the names of victims who do not pay the ransom appear on the Rhysida leak site.
Microsoft reports that GOLD VICTOR has also deployed INC Ransom in its ransomware attacks, predominantly against organizations in the health sector. Although CTU researchers maintain that financially motivated ransomware activity is almost exclusively opportunistic and driven by whatever access is available, analysis of leak site data does suggest that GOLD VICTOR has a preference for targeting organizations in the healthcare and education sectors.
To deploy ransomware in both Vice Society and Rhysida schemes, GOLD VICTOR has used some of the same tools and TTPs. CTU researchers have observed the use of the SystemBC SOCKS5 proxy tool, PsExec for remote execution, and Advanced IP Scanner and Advanced Port Scanner for discovery. Other tools seen include PortStarter, a Golang-based backdoor, and a number of PowerShell scripts. CTU researchers have also observed GOLD VICTOR use the same file names across Vice Society and Rhysida intrusions and the same pattern for creating .onionmail.org email addresses for victim communications. Third-party reporting indicates that the group relies heavily on GootLoader infections for initial access and has deployed the legitimate AnyDesk tool for remote access and used MEGA for data exfiltration. GOLD VICTOR also allegedly uses the lightweight Supper backdoor to maintain access to victim environments. CTU researchers have seen Supper used in InterLock ransomware intrusions and delivered by the Latrodectus loader, suggesting that the tool might not be exclusively used by GOLD VICTOR.
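The tooling overlap described above is what makes GOLD VICTOR intrusions huntable across both schemes. The following script is an added example, not code from the page or from CTU; it runs a simple hunt over constructed Windows process-creation events for the commodity tools named in the profile (PsExec, Advanced IP Scanner and Advanced Port Scanner, AnyDesk, MEGA) and then ranks hosts by how many kill-chain phases that tooling spans. The executable names in the signature table are assumptions based on each tool's default binary, not indicators taken from the page, and the sample events are constructed. SystemBC, PortStarter and Supper are omitted because the page gives no file names or other artefacts for them.

```python
import re
from collections import defaultdict

# Tool name -> (kill-chain phase, regex over the process image path).
# Image names are assumptions based on each tool's default executable;
# the page itself gives no file names for these tools.
TOOL_SIGNATURES = {
    "PsExec": ("lateral_movement",
               re.compile(r"(^|\\)(psexec(64)?|psexesvc)\.exe$", re.I)),
    "Advanced IP Scanner": ("discovery",
                            re.compile(r"(^|\\)advanced_ip_scanner(_console)?\.exe$", re.I)),
    "Advanced Port Scanner": ("discovery",
                              re.compile(r"(^|\\)advanced_port_scanner(_console)?\.exe$", re.I)),
    "AnyDesk": ("remote_access",
                re.compile(r"(^|\\)anydesk\.exe$", re.I)),
    "MEGA": ("exfiltration",
             re.compile(r"(^|\\)(megasync|megacmd(server)?|mega-put)\.exe$", re.I)),
}

# Constructed process-creation events (host, image path, command line).
# Hypothetical host names; not data from any real intrusion.
SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\Users\j.doe\Downloads\Advanced_IP_Scanner.exe",
     "cmdline": "Advanced_IP_Scanner.exe /r:10.0.0.1-10.0.0.254"},
    {"host": "WS01", "image": r"C:\Tools\PsExec64.exe",
     "cmdline": r"PsExec64.exe -accepteula -s \\SRV02 cmd.exe"},
    {"host": "SRV02", "image": r"C:\Windows\PSEXESVC.exe",
     "cmdline": "PSEXESVC.exe"},
    {"host": "WS01", "image": r"C:\Program Files\MEGAsync\MEGAsync.exe",
     "cmdline": "MEGAsync.exe"},
    {"host": "WS07", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
    {"host": "WS07", "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "cmdline": "AnyDesk.exe"},
]


def classify(image):
    """Return the tool name whose signature matches a process image path, or None."""
    for tool, (_phase, pattern) in TOOL_SIGNATURES.items():
        if pattern.search(image):
            return tool
    return None


def hunt(events):
    """Map each host to the set of GOLD VICTOR-associated tools observed on it."""
    seen = defaultdict(set)
    for event in events:
        tool = classify(event["image"])
        if tool:
            seen[event["host"]].add(tool)
    return dict(seen)


def rank(findings, min_phases=2):
    """Return hosts whose tooling spans at least min_phases distinct phases, most first.

    A lone AnyDesk or PsExec is routine admin activity on many networks; discovery
    plus lateral movement plus exfiltration tooling on one host is the chain worth
    escalating, so hosts are ranked by phase count rather than by raw hit count.
    """
    ranked = []
    for host, tools in findings.items():
        phases = {TOOL_SIGNATURES[tool][0] for tool in tools}
        if len(phases) >= min_phases:
            ranked.append((host, sorted(phases), sorted(tools)))
    ranked.sort(key=lambda row: (-len(row[1]), row[0]))
    return ranked


if __name__ == "__main__":
    findings = hunt(SAMPLE_EVENTS)
    for host, tools in sorted(findings.items()):
        print(f"{host}: {', '.join(sorted(tools))}")
    for host, phases, tools in rank(findings):
        print(f"ESCALATE {host}: phases={phases} tools={tools}")
```

In the constructed data only WS01 is escalated, because it carries discovery, lateral movement and exfiltration tooling; SRV02 shows only the PSEXESVC service binary that PsExec drops on its target, and WS07 shows only AnyDesk. In a real environment the image-name matches should be corroborated with command-line arguments, parent processes and the timing of the events, since every tool in the table is also used legitimately by administrators.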