GOLD BLAZER
SUMMARY
GOLD BLAZER is the financially motivated cybercriminal group responsible for coordinating use of the BlackCat ransomware, also known as ALPHV. The group was first seen in late 2021, advertising its ransomware on underground criminal forums and recruiting experienced ransomware operators to join its crew. Its name-and-shame site quickly began adding victims, rapidly making it one of the most active ransomware groups of 2022 by number of publicly listed victims. BlackCat is written in Rust and has variants that encrypt Windows and Linux systems.
The observed initial infection vector in BlackCat ransomware incidents has been single-factor VPN access points. From that initial foothold, the threat actors have deployed Mimikatz to obtain credentials and escalate privileges. Once administrator privileges are obtained, the network is scanned and mapped. Victim data is identified, collected, compressed and exfiltrated. The timeline from initial infection to ransomware deployment is approximately 10 days, with the ransomware deployed from domain administrator accounts via PsExec. Because more than one group may be operating under the BlackCat name, attack patterns may differ between incidents.
After deployment, the BlackCat operators demand a ransom payment for the decryption key and to prevent release of the exfiltrated data. In addition to those demands, DDoS attacks have occurred against victims who have been posted on the GOLD BLAZER leak site but have yet to pay. It is unknown whether GOLD BLAZER coordinated the DDoS attacks or whether they were conducted by other threat actors.