GOLD TOPAZ
SUMMARY
The GOLD TOPAZ threat group operates the RagnarLocker name-and-shame ransomware. The group has been active since at least late 2019, and in March 2022 the FBI reported that RagnarLocker had affected at least 52 entities across multiple industry verticals. CTU researchers have observed GOLD TOPAZ gain initial access through phishing emails used to harvest credentials, although other access vectors may also be used. Once inside a network, RagnarLocker intrusions are characterized by the use of Cobalt Strike, dumping of LSASS process memory for credential theft, and PsExec for lateral movement. In intrusion activity observed by CTU researchers, backup systems were also impacted, making data recovery more challenging.
According to FBI reporting in March 2022, RagnarLocker is protected with VMProtect, UPX, and custom packing algorithms, and is deployed inside a custom Windows XP virtual machine that the threat actor installs on the compromised host. The ransomware uses Windows APIs to check that the victim machine's locale is not one associated with eastern Europe or central Asia, and it generates a unique identifier per infection from system information to prevent multiple concurrent infections of the same host. It makes all connected devices accessible for subsequent encryption, then iterates through and terminates common processes associated with remote access solutions, likely to hinder incident response, deletes volume shadow copies using vssadmin and WMI, and encrypts files that are not located in a hardcoded folder exception list. Files are appended with a .RGNR_
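The intrusion and ransomware behaviours described above (PsExec lateral movement, LSASS dumping, shadow copy deletion via vssadmin and WMI, and mass creation of files with the .RGNR_ suffix) each leave telemetry a detection engineer can match on. The following is an added example of such detection logic, not code from the original page or from Secureworks; it runs over constructed Sysmon- and System-log-style events, and the field names, the LSASS allowlist, and the per-host file threshold are assumptions to be tuned for a real environment.

```python
"""Added example: detection logic for the GOLD TOPAZ / RagnarLocker TTPs
described on this page, run over constructed Sysmon/System-log-style events.
Field names follow Sysmon conventions; thresholds and allowlists are assumptions."""
import re
from collections import Counter

# Constructed sample telemetry (not real logs). event_id 1 = process creation,
# 10 = process access, 11 = file create (Sysmon); 7045 = service install (System log).
SAMPLE_EVENTS = [
    {"host": "WS01", "event_id": 1, "command_line": "vssadmin.exe  Delete Shadows /All /Quiet"},
    {"host": "WS01", "event_id": 1, "command_line": "wmic shadowcopy delete"},
    {"host": "WS01", "event_id": 1, "command_line": "vssadmin list shadows"},  # benign
    {"host": "DC01", "event_id": 7045, "service_name": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"host": "DC01", "event_id": 10, "source_image": r"C:\Users\admin\Desktop\proc.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
    {"host": "DC01", "event_id": 10, "source_image": r"C:\Windows\System32\csrss.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1FFFFF"},
] + [
    # The text after ".RGNR_" is a placeholder; the page truncates the real extension.
    {"host": "FS01", "event_id": 11, "target_filename": rf"D:\share\doc{i}.docx.RGNR_xxxx"}
    for i in range(6)
]

SHADOW_DELETE = re.compile(
    r"vssadmin(?:\.exe)?\s+delete\s+shadows"
    r"|wmic(?:\.exe)?\s+shadowcopy\s+delete"
    r"|win32_shadowcopy\b.*\bdelete",
    re.IGNORECASE,
)
PROCESS_VM_READ = 0x0010  # access right required to read (dump) LSASS memory
# Assumption: legitimate LSASS readers vary per environment; tune before deploying.
LSASS_ALLOWLIST = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}
RANSOM_SUFFIX = ".rgnr_"
RANSOM_THRESHOLD = 5  # assumed: encrypted files per host before alerting


def is_shadow_copy_deletion(ev):
    """vssadmin / WMI shadow copy deletion, ignoring case and extra whitespace."""
    cmd = " ".join(ev.get("command_line", "").split())
    return ev.get("event_id") == 1 and bool(SHADOW_DELETE.search(cmd))


def is_psexec_service_install(ev):
    """PsExec installs the PSEXESVC service on the remote host before running its payload."""
    if ev.get("event_id") != 7045:
        return False
    name = ev.get("service_name", "").lower()
    path = ev.get("image_path", "").lower()
    return name == "psexesvc" or "psexesvc.exe" in path


def is_suspicious_lsass_access(ev):
    """A non-allowlisted process opens lsass.exe with a read right usable for credential dumping."""
    if ev.get("event_id") != 10:
        return False
    if not ev.get("target_image", "").lower().endswith(r"\lsass.exe"):
        return False
    if ev.get("source_image", "").lower() in LSASS_ALLOWLIST:
        return False
    access = int(ev.get("granted_access", "0x0"), 16)
    return bool(access & PROCESS_VM_READ)


def hosts_with_ransom_extension(events, threshold=RANSOM_THRESHOLD):
    """Hosts where at least `threshold` files carrying the RagnarLocker suffix were created."""
    counts = Counter(
        ev["host"] for ev in events
        if ev.get("event_id") == 11 and RANSOM_SUFFIX in ev.get("target_filename", "").lower()
    )
    return sorted(h for h, n in counts.items() if n >= threshold)


def run_detections(events):
    """Return (host, rule) findings in event order, followed by per-host ransomware findings."""
    findings = []
    for ev in events:
        if is_shadow_copy_deletion(ev):
            findings.append((ev["host"], "shadow_copy_deletion"))
        if is_psexec_service_install(ev):
            findings.append((ev["host"], "psexec_service_install"))
        if is_suspicious_lsass_access(ev):
            findings.append((ev["host"], "lsass_credential_access"))
    findings.extend((h, "ragnarlocker_extension") for h in hosts_with_ransom_extension(events))
    return findings


if __name__ == "__main__":
    for host, rule in run_detections(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

The shadow copy rule normalizes whitespace and case because the same deletion can be typed many ways; the LSASS rule tests the access mask bit rather than matching fixed values such as 0x1010, since any mask that includes PROCESS_VM_READ is enough to dump memory. The file-suffix rule only fires once a host exceeds a count, which keeps a single quarantined sample from paging the on-call engineer, and it matches the .RGNR_ prefix rather than a full extension because the per-victim suffix differs.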