GOLD BLAZER
SUMMARY
GOLD BLAZER is a financially motivated cybercriminal group responsible for coordinating the BlackCat (also known as ALPHV) ransomware-as-a-service (RaaS). It emerged in late 2021 when an advertisement for affiliates was posted on underground criminal forums. CTU researchers assess with moderate confidence that BlackCat was a rebrand of BlackMatter, which in turn evolved from Darkside ransomware following the shuttering of that scheme after it was used in the high-profile May 2021 attack on Colonial Pipeline.
The BlackCat name-and-shame leak site quickly started adding victims, becoming one of the most prolific RaaS schemes until the U.S. Federal Bureau of Investigation (FBI) attempted a takedown of its infrastructure in December 2023. A seizure notice was placed on the leak site, but GOLD BLAZER regained control and posted a response to the attempted takedown. Shortly afterwards, the group created new leak site infrastructure and continued listing victims, albeit at a reduced rate. Activity continued until March 2024, when a seizure notice was placed on the new leak site and GOLD BLAZER announced the shuttering of the scheme in a forum post, claiming that the impact of the law enforcement activity had made continuing impossible. However, various discrepancies suggested that the seizure notice was not genuine, and rumors of an exit scam surfaced on the RAMP underground forum. A purported BlackCat affiliate known as "Notchy" claimed that GOLD BLAZER had withheld their share of a $22 million USD ransom allegedly paid by Change Healthcare and then locked them out of the affiliate portal.
During its operation, affiliates stole data from victim organizations before deploying the BlackCat ransomware, which is written in Rust and has Windows and Linux versions. After deployment, the BlackCat operators demanded ransom payment for the decryption key and to prevent release of the exfiltrated data. Victims refusing to pay the demanded ransom by an initial deadline were named on the leak site. In some cases, DDoS attacks occurred against victims to pressure them to pay before a countdown to publication of the stolen data ended. It is unknown whether GOLD BLAZER coordinated the DDoS attacks or whether they were conducted by affiliates or other threat actors.
As multiple affiliates deployed BlackCat ransomware under the RaaS model, a variety of tools and tactics, techniques and procedures (TTPs) were observed in intrusions involving BlackCat ransomware. Affiliates included Scattered Spider, a group tracked by CTU researchers as GOLD HARVEST, which uses social engineering techniques to convince IT help desk staff to reset user passwords or to direct users to download legitimate remote monitoring and management (RMM) tools in order to gain and maintain access to victim networks.
Third-party reporting suggests that the Cicada3301 RaaS, which posted its first victim to a leak site in June 2024, might be a rebrand of BlackCat, noting similarities in the functions of the ransomware. It is possible, though, that Cicada3301 is operated by an unrelated group, as GOLD BLAZER had claimed that they would be selling the ALPHV source code after they shuttered the operation.