GOLD RETREAT
SUMMARY
GOLD RETREAT is a financially motivated cybercrime group that operates the BianLian ransomware scheme. The group originally operated under the double extortion model, exfiltrating data from victim networks before encrypting systems and holding the stolen data and decryption keys to ransom. The group named its first victim on a dedicated leak site in June 2022 and has named victims steadily ever since. In early 2023, after Avast released a decryption tool for BianLian ransomware, GOLD RETREAT abandoned encryption as a means of extorting victims and pivoted to a data theft-only extortion model.
GOLD RETREAT uses a variety of tools and malware to gain entry to networks and steal data. Palo Alto Networks has observed remote desktop protocol (RDP) credentials abused for initial access, and the ProxyShell vulnerability chain has also been exploited. Advanced Port Scanner, popular among many ransomware operators, is used for discovery, while Impacket has been used to create scheduled tasks for malware execution. Palo Alto Networks has also seen custom tools used in compromises, including a simple backdoor written in Go that downloads and executes other payloads. Legitimate remote access tools, such as TeamViewer, Atera Agent, SplashTop, and AnyDesk, have reportedly been used. A .NET tool has also been observed that retrieves file enumeration information and registry and clipboard data. The Cybersecurity and Infrastructure Security Agency (CISA) reports the use of file transfer protocol (FTP), Mega and Rclone for data exfiltration.
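The tooling above maps to a small set of endpoint telemetry checks a defender can hunt for: scheduled tasks created with the shape Impacket's atexec produces, execution of the listed remote access tools, and Rclone or scripted FTP transfers. The following is an added example written for this profile, not code from Secureworks, CISA or Palo Alto Networks. The telemetry records are constructed, the field names are an assumed Sysmon-like schema rather than a real product's, the executable names for the remote access tools and the atexec command-line shape are assumptions, and it goes slightly beyond the text by also flagging the Windows FTP client when driven by a script file.

```python
"""
Hunt-style triage of constructed endpoint telemetry for GOLD RETREAT tooling:
Impacket scheduled-task execution, remote access tools, Rclone and FTP transfers.
Added example; field names, binary names and the atexec pattern are assumptions.
"""
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]

# Constructed sample telemetry (not real logs): Sysmon-like process creation
# records plus one scheduled-task creation record.
SAMPLE_EVENTS: List[Event] = [
    # Impacket atexec style: random task name, cmd.exe output redirected to Temp
    {"id": "1", "type": "task_created", "task": r"\xRqLzPwv",
     "action": r"cmd.exe /C whoami > C:\Windows\Temp\xRqLzPwv.tmp 2>&1"},
    {"id": "2", "type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /C whoami > C:\Windows\Temp\xRqLzPwv.tmp 2>&1",
     "parent": r"C:\Windows\System32\svchost.exe"},
    # Remote access tool dropped outside Program Files
    {"id": "3", "type": "process", "image": r"C:\Users\Public\AnyDesk.exe",
     "cmdline": r"AnyDesk.exe --install", "parent": r"C:\Windows\System32\cmd.exe"},
    # Rclone copying a file share to a Mega remote
    {"id": "4", "type": "process", "image": r"C:\ProgramData\rclone.exe",
     "cmdline": r"rclone.exe copy \\FILESRV\Finance mega:backup --transfers 8",
     "parent": r"C:\Windows\System32\cmd.exe"},
    # Windows FTP client driven by a script file
    {"id": "5", "type": "process", "image": r"C:\Windows\System32\ftp.exe",
     "cmdline": r"ftp.exe -s:C:\Windows\Temp\up.txt",
     "parent": r"C:\Windows\System32\cmd.exe"},
    # Benign noise that must not be flagged
    {"id": "6", "type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /C dir", "parent": r"C:\Windows\explorer.exe"},
    {"id": "7", "type": "process",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r"WINWORD.EXE report.docx", "parent": r"C:\Windows\explorer.exe"},
]

# Assumed binary-name fragments for the remote access tools named in the profile.
REMOTE_ACCESS_TOOLS = ("teamviewer", "ateraagent", "splashtop", "anydesk")

# Assumed atexec shape: cmd.exe /C <cmd> > %windir%\Temp\<random>.tmp 2>&1
ATEXEC_CMD = re.compile(
    r"cmd\.exe\s+/C\s+.*>\s*\S*(Windows|%windir%)\\Temp\\\w+\.tmp\s+2>&1", re.I)
# atexec names its task with eight random letters (assumption).
RANDOM_TASK_NAME = re.compile(r"^\\?[A-Za-z]{8}$")
# "remote:path" argument to rclone; two or more chars so drive letters do not match.
RCLONE_REMOTE = re.compile(r"\s([A-Za-z][A-Za-z0-9_-]+):\S*")


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Return (event id, rule name, detail) for every event a rule fires on."""
    hits: List[Tuple[str, str, str]] = []
    for ev in events:
        if ev["type"] == "task_created":
            if RANDOM_TASK_NAME.match(ev["task"]) and ATEXEC_CMD.search(ev["action"]):
                hits.append((ev["id"], "impacket_atexec_task", ev["task"]))
            continue
        img, cmd = basename(ev["image"]), ev["cmdline"]
        if ATEXEC_CMD.search(cmd):
            hits.append((ev["id"], "impacket_atexec_exec", cmd))
        if any(tool in img for tool in REMOTE_ACCESS_TOOLS):
            hits.append((ev["id"], "remote_access_tool", img))
        if img == "rclone.exe":
            m = RCLONE_REMOTE.search(cmd)
            hits.append((ev["id"], "rclone_exfil", m.group(1) if m else "unknown remote"))
        if img == "ftp.exe" and "-s:" in cmd.lower():
            hits.append((ev["id"], "ftp_scripted_transfer", cmd))
    return hits


if __name__ == "__main__":
    for event_id, rule, detail in triage(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule} ({detail})")
```

Each rule here is a starting point for a hunt rather than a high-fidelity alert: remote access tools are often legitimately installed, so the image path (user-writable directories versus Program Files) and installation approval status are the natural enrichment, and Rclone hits are most useful when joined with network volume to the named remote.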
As with most ransomware or data theft-only extortion groups, compromises are opportunistic and based on available access. As such, organizations across a variety of verticals in North America and Western Europe have been predominantly targeted. Also in keeping with many other schemes, BianLian operators apparently do not target organizations located in Russia or other Commonwealth of Independent States (CIS) countries.