GOLD LOTUS
SUMMARY
GOLD LOTUS is a financially motivated cybercriminal threat group that operates the BlackByte name-and-shame ransomware-as-a-service (RaaS). GOLD LOTUS posted its first victim to the BlackByte leak site in August 2021, and since then has steadily named victims at an average rate of five a month.
Because BlackByte is operated as a RaaS, different affiliates deploy the ransomware, so a variety of TTPs are likely to be observed across intrusions. CTU researchers have observed BlackByte affiliates exploiting the ProxyShell vulnerability chain in Microsoft Exchange servers for initial access, then using Cobalt Strike for post-intrusion activity. Open-source scanning tools, such as SoftPerfect, are used for reconnaissance, while RDP has been used for lateral movement. In addition to deploying the BlackByte ransomware, affiliates have been observed accessing a domain controller and changing the passwords of administrator accounts, likely to hamper recovery efforts. The FBI reports that on some occasions BlackByte has only partially encrypted files, allowing data to be recovered without the decryption tool. In October 2022, Symantec reported on a BlackByte affiliate using a custom tool called Exbyte to exfiltrate data to the MEGA cloud storage service.
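The administrator password changes described above leave a footprint in domain controller security logs: Windows event ID 4724 ("An attempt was made to reset an account's password"). The following detector, an added example rather than CTU tooling, flags one actor resetting several privileged accounts in a short window. The event field names, the privileged-account list, the window and the threshold are assumptions, and the sample events are constructed.

```python
"""Flag bursts of password resets against privileged accounts on a domain
controller (event ID 4724). Added example; field names, the privileged
list and the thresholds are assumptions, and the events are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events modelled on 4724's SubjectUserName/TargetUserName fields.
SAMPLE_EVENTS = [
    {"time": "2021-08-10T02:14:05", "id": 4724, "host": "DC01",
     "subject": "svc_backup", "target": "Administrator"},
    {"time": "2021-08-10T02:15:00", "id": 4723, "host": "DC01",   # change, not reset
     "subject": "svc_backup", "target": "Administrator"},
    {"time": "2021-08-10T02:15:40", "id": 4724, "host": "DC01",
     "subject": "svc_backup", "target": "da_admin"},
    {"time": "2021-08-10T02:16:02", "id": 4724, "host": "DC01",   # not privileged
     "subject": "svc_backup", "target": "jsmith"},
    {"time": "2021-08-10T09:00:00", "id": 4724, "host": "DC01",   # routine, hours apart
     "subject": "helpdesk1", "target": "Administrator"},
    {"time": "2021-08-10T16:30:00", "id": 4724, "host": "DC01",
     "subject": "helpdesk1", "target": "da_admin"},
]

# Assumed set of account names treated as privileged (compared case-insensitively).
PRIVILEGED = {"administrator", "da_admin", "krbtgt"}


def detect_reset_bursts(events, privileged=PRIVILEGED,
                        window=timedelta(minutes=10), threshold=2):
    """Return (host, actor, [targets]) for every actor that reset the
    passwords of at least `threshold` distinct privileged accounts on one
    host within `window`. Each actor is reported at most once."""
    resets = defaultdict(list)
    for ev in events:
        if ev["id"] != 4724 or ev["target"].lower() not in privileged:
            continue
        key = (ev["host"], ev["subject"])
        resets[key].append((datetime.fromisoformat(ev["time"]), ev["target"]))

    alerts = []
    for (host, actor), items in resets.items():
        items.sort()  # chronological, so each start index opens a window
        for i, (start, _) in enumerate(items):
            hit = {tgt for t, tgt in items[i:] if t - start <= window}
            if len(hit) >= threshold:
                alerts.append((host, actor, sorted(hit)))
                break
    return alerts


if __name__ == "__main__":
    for host, actor, targets in detect_reset_bursts(SAMPLE_EVENTS):
        print(f"ALERT {host}: {actor} reset {', '.join(targets)} within 10 min")
```

In production the actor should also be checked against an allow-list of accounts that legitimately reset passwords, since a helpdesk tool can trigger the same pattern.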
BlackByte ransom notes are delivered to all impacted hosts and contain instructions on how to recover data. As with most groups, GOLD LOTUS directs victims to communicate through a negotiation portal hosted on Tor. Samples of victim data are stored on the AnonFiles file storage service.