GOLD BURLAP
SUMMARY
GOLD BURLAP was a group of financially motivated criminals responsible for the development of the Pysa ransomware, also referred to as Mespinoza, which was operated between March 2020 and December 2021. GOLD BURLAP leveraged 'name and shame' tactics - stealing data before encryption and holding it to ransom - to apply additional pressure on victims to pay. CTU researchers saw no evidence to suggest that Pysa was operated as ransomware as a service (RaaS). Over the course of its operation, GOLD BURLAP listed the names of over 300 alleged victims on the Pysa leak site.
Pysa is a cross-platform ransomware with known versions written in C++ and Python. A remote access trojan written in Go, which CTU researchers dubbed DNSGo, was identified as a precursor to Pysa attacks. According to the French national cybersecurity agency, ANSSI, DNSGo has been delivered both by exploiting internet-facing devices via Remote Desktop Protocol (RDP) and by using stolen credentials. The malware has been used in conjunction with other tools, including PowerShell Empire, Advanced IP Scanner, Advanced Port Scanner, PsExec, ADRecon, Privilege Escalation Awesome Scripts Suite (PEASS), and Mimikatz.