GOLD MYSTIC
SUMMARY
GOLD MYSTIC is a financially motivated crime group that operates the LockBit name-and-shame Ransomware-as-a-Service (RaaS) scheme. The group began operating in September 2019 but by January 2021 had posted the details of just nine victims to the LockBit leak site. Following an apparent six-month gap in activity, during which time no victim names were posted, GOLD MYSTIC relaunched its RaaS scheme with LockBit 2.0 in mid-July 2021. Since then, LockBit steadily became the most prolific RaaS scheme. In June 2022, GOLD MYSTIC launched another variant of its ransomware called LockBit 3.0 (aka LockBit Black), which copied heavily from BlackMatter code. The group also took the unusual step of launching a bug bounty program to allow third parties to identify issues with the malware for remediation. In September 2022, the source code for LockBit 3.0 was leaked. GOLD MYSTIC responded by developing a fourth variant of the ransomware, called LockBit Green, which was launched in early 2023. LockBit Green borrows from the source code for the now defunct Conti ransomware.
On February 19, 2024, LockBit infrastructure was taken down in the international law enforcement Operation Cronos, led by the UK's National Crime Agency (NCA). As well as seizing the leak site and compromising backend infrastructure, law enforcement captured the contents of approximately 200 cryptocurrency wallets. A number of individuals were arrested, or indicted and sanctioned. The takedown also involved psychological operations (PSYOPS) to discourage nearly 200 affiliates from continuing to use the LockBit RaaS by undermining trust in its administrator and damaging the credibility of the LockBit brand. On February 24, a new leak site was established and began posting victim names, albeit at a much lower rate than that observed prior to the takedown.
CTU researchers have observed a variety of tactics, techniques, and procedures (TTPs) used to facilitate the deployment of LockBit ransomware variants, reflecting the multiple affiliate groups that use LockBit in their ransomware attacks. These TTPs include exploiting vulnerabilities in FortiGate firewalls to gain entry to a network, using Mimikatz to harvest credentials and Netscan for reconnaissance, Cobalt Strike for post-exploitation activity, and RDP to move between hosts.
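Two of the affiliate TTPs listed above, RDP lateral movement and Mimikatz-style credential harvesting, leave distinctive traces in standard Windows telemetry. The following is an added example, not code from the Secureworks profile, that runs two simple detections over a constructed event feed: a fan-out heuristic that flags one source address making RDP (logon type 10) logons to several hosts inside a short window, and a check for non-baseline processes opening LSASS with the PROCESS_VM_READ right (Sysmon event 10). The sample log lines, host names, the `LSASS_ALLOWLIST` baseline, and the threshold and window values are all assumptions chosen for the example.

```python
"""Added example: detections for RDP fan-out and LSASS access over constructed logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feed (not real telemetry). One event per line:
# "<iso-timestamp> key=value ...". event_id 4624 is a Windows logon
# (logon_type=10 is RemoteInteractive, i.e. RDP, recorded on the destination
# host with src_ip = the connecting host); event_id 10 is Sysmon ProcessAccess.
SAMPLE_EVENTS = r"""
2024-03-01T09:00:05 host=WS-01 event_id=4624 logon_type=10 user=jdoe src_ip=10.0.0.5
2024-03-01T09:02:40 host=WS-02 event_id=4624 logon_type=10 user=jdoe src_ip=10.0.0.5
2024-03-01T09:04:12 host=FS-01 event_id=4624 logon_type=10 user=jdoe src_ip=10.0.0.5
2024-03-01T09:05:00 host=WS-03 event_id=4624 logon_type=10 user=helpdesk src_ip=10.0.0.9
2024-03-01T09:06:30 host=WS-01 event_id=4624 logon_type=3 user=svc_backup src_ip=10.0.0.20
2024-03-01T09:07:15 host=FS-01 event_id=10 source_image=C:\Windows\System32\svchost.exe target_image=C:\Windows\System32\lsass.exe granted_access=0x1000
2024-03-01T09:08:02 host=FS-01 event_id=10 source_image=C:\Users\jdoe\AppData\Local\Temp\mm.exe target_image=C:\Windows\System32\lsass.exe granted_access=0x1010
2024-03-01T13:30:00 host=SRV-02 event_id=4624 logon_type=10 user=helpdesk src_ip=10.0.0.9
"""

PROCESS_VM_READ = 0x0010  # access right required to read another process's memory
# Hypothetical baseline of processes expected to touch LSASS in this environment.
LSASS_ALLOWLIST = {r"C:\Windows\System32\svchost.exe"}


def parse_events(text):
    """Parse the key=value feed into a list of dicts with a datetime 'ts' field."""
    events = []
    for line in text.strip().splitlines():
        ts, *fields = line.split()
        ev = {"ts": datetime.fromisoformat(ts)}
        for field in fields:
            key, _, value = field.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def detect_rdp_fanout(events, threshold=3, window_minutes=10):
    """Flag a source address that RDPs to >= threshold distinct hosts within the window."""
    window = timedelta(minutes=window_minutes)
    by_src = defaultdict(list)
    for ev in events:
        if ev.get("event_id") == "4624" and ev.get("logon_type") == "10":
            by_src[ev["src_ip"]].append(ev)

    alerts = []
    for src_ip, logons in by_src.items():
        logons.sort(key=lambda e: e["ts"])
        for i, first in enumerate(logons):
            # Collect distinct destination hosts in [first.ts, first.ts + window].
            hosts = set()
            for later in logons[i:]:
                if later["ts"] - first["ts"] > window:
                    break
                hosts.add(later["host"])
            if len(hosts) >= threshold:
                alerts.append({"src_ip": src_ip, "user": first["user"],
                               "start": first["ts"], "hosts": sorted(hosts)})
                break  # one alert per source address is enough
    return alerts


def detect_lsass_access(events):
    """Flag non-baseline processes that open lsass.exe with PROCESS_VM_READ."""
    hits = []
    for ev in events:
        if ev.get("event_id") != "10":
            continue
        if not ev.get("target_image", "").lower().endswith("\\lsass.exe"):
            continue
        access = int(ev.get("granted_access", "0"), 16)
        if access & PROCESS_VM_READ and ev["source_image"] not in LSASS_ALLOWLIST:
            hits.append({"host": ev["host"], "source_image": ev["source_image"],
                         "granted_access": hex(access)})
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for alert in detect_rdp_fanout(evs):
        print("RDP fan-out:", alert)
    for hit in detect_lsass_access(evs):
        print("LSASS access:", hit)
```

On the constructed feed, only the source 10.0.0.5 trips the fan-out rule (three hosts in under five minutes), while the helpdesk account's two logons hours apart do not; the svchost.exe access to LSASS is ignored because it lacks the VM_READ bit and is on the baseline, whereas the temp-directory binary requesting 0x1010 is flagged. In production the allowlist and threshold need tuning against the environment's own baseline, and the Sysmon check should be read alongside the logon events so that credential access and the subsequent RDP movement can be correlated to one host and account.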