GOLD ENCORE
SUMMARY
GOLD ENCORE is a financially motivated cybercriminal threat group that currently operates the Play name-and-shame ransomware. GOLD ENCORE does not appear to run Play as an affiliate program, and likely relies on a core group of individuals to develop its malware and tools and to target victim organizations.
CTU researchers first observed Play ransomware deployed at an organization in June 2022 following exploitation of a remote desktop protocol (RDP) connection for initial access. GOLD ENCORE's first foray into ransomware operations had low impact on the victim and was relatively amateurish in its approach to deployment. Files on a single host were encrypted, with no further distribution across the victim environment. At the time, the group did not run Play ransomware as a name-and-shame operation, so no attempt was made to exfiltrate data.
GOLD ENCORE subsequently evolved its tactics, techniques, and procedures (TTPs) to become a more serious threat to business operations, listing its first victims on a leak site in November 2022. Since then, the group has listed victim names at an average of 15 a month.
GOLD ENCORE continues to exploit exposed RDP connections for access, and possibly also uses legitimate credentials obtained through phishing. CrowdStrike research suggests the group also exploits Microsoft Exchange vulnerabilities for access. According to Fortinet, GOLD ENCORE uses living-off-the-land binaries (LOLBINs) for discovery. Symantec identified GOLD ENCORE using the SystemBC remote access trojan (RAT) and some custom tools, including an infostealer called Grixba and a Volume Shadow Copy Service (VSS) tool, both built using Costura, a .NET development tool. The group delivers a basic ransom note that includes an email address and links to Tor websites. Unlike other ransomware groups, the ransom note does not explain what has happened or what the victim needs to do. Instead, the leak site's FAQ page covers these details, including instructions on how to make payment.
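Because exposed RDP is the initial access vector described above, a defender's first detection is usually a review of Windows Security logon events. The following script is an added example, not Secureworks' or GOLD ENCORE's code and not tied to any specific incident: it runs over constructed 4624/4625 event records and flags (a) successful RemoteInteractive (LogonType 10, i.e. RDP) logons from outside an assumed RFC 1918 internal range and (b) RDP successes preceded by a burst of failed logons for the same account and source. The event field names mirror Windows EventData; the sample records and the internal address ranges are assumptions to adapt to your environment.

```python
"""Detection sketch: RDP logons from outside the corporate address space,
and password-guessing bursts that end in a successful RDP logon."""
import ipaddress
from collections import defaultdict

# Constructed sample Windows Security events (illustrative, not taken from any
# real incident). Fields mirror the EventData of 4624 (logon succeeded) and
# 4625 (logon failed); LogonType 10 is RemoteInteractive, i.e. an RDP session.
SAMPLE_EVENTS = [
    {"Time": "2022-06-01T02:10:01", "EventID": 4625, "LogonType": 10, "TargetUserName": "admin", "IpAddress": "203.0.113.45"},
    {"Time": "2022-06-01T02:10:02", "EventID": 4625, "LogonType": 10, "TargetUserName": "admin", "IpAddress": "203.0.113.45"},
    {"Time": "2022-06-01T02:10:03", "EventID": 4625, "LogonType": 10, "TargetUserName": "admin", "IpAddress": "203.0.113.45"},
    {"Time": "2022-06-01T02:10:04", "EventID": 4625, "LogonType": 10, "TargetUserName": "admin", "IpAddress": "203.0.113.45"},
    {"Time": "2022-06-01T02:10:05", "EventID": 4625, "LogonType": 10, "TargetUserName": "admin", "IpAddress": "203.0.113.45"},
    {"Time": "2022-06-01T02:10:09", "EventID": 4624, "LogonType": 10, "TargetUserName": "admin", "IpAddress": "203.0.113.45"},
    {"Time": "2022-06-01T08:00:00", "EventID": 4624, "LogonType": 10, "TargetUserName": "jdoe", "IpAddress": "10.0.5.20"},
    {"Time": "2022-06-01T08:05:00", "EventID": 4625, "LogonType": 10, "TargetUserName": "bob", "IpAddress": "192.168.1.5"},
    {"Time": "2022-06-01T08:05:30", "EventID": 4624, "LogonType": 10, "TargetUserName": "bob", "IpAddress": "192.168.1.5"},
    {"Time": "2022-06-01T09:00:00", "EventID": 4624, "LogonType": 3, "TargetUserName": "svc_backup", "IpAddress": "203.0.113.7"},
    {"Time": "2022-06-01T09:30:00", "EventID": 4624, "LogonType": 10, "TargetUserName": "SYSTEM", "IpAddress": "-"},
]

# Assumed corporate address space (RFC 1918). Adjust to your environment.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RDP_LOGON_TYPE = 10  # RemoteInteractive


def is_external(ip_text):
    """True when the source address parses and is neither internal nor loopback.
    Windows logs '-' or '::1' for local/console activity; treat those as not external."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    if ip.is_loopback:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def find_external_rdp_logons(events):
    """Return (user, ip, time) for successful RDP logons sourced outside INTERNAL_NETS."""
    hits = []
    for ev in sorted(events, key=lambda e: e["Time"]):
        if ev["EventID"] == 4624 and ev["LogonType"] == RDP_LOGON_TYPE and is_external(ev["IpAddress"]):
            hits.append((ev["TargetUserName"], ev["IpAddress"], ev["Time"]))
    return hits


def find_guessing_then_success(events, threshold=5):
    """Return (user, ip, failure_count) for each RDP success preceded by at least
    `threshold` failed RDP logons from the same source against the same account."""
    failures = defaultdict(int)
    hits = []
    for ev in sorted(events, key=lambda e: e["Time"]):
        if ev["LogonType"] != RDP_LOGON_TYPE:
            continue
        key = (ev["TargetUserName"], ev["IpAddress"])
        if ev["EventID"] == 4625:
            failures[key] += 1
        elif ev["EventID"] == 4624:
            if failures[key] >= threshold:
                hits.append((key[0], key[1], failures[key]))
            failures[key] = 0  # a success closes the window
    return hits


if __name__ == "__main__":
    for user, ip, when in find_external_rdp_logons(SAMPLE_EVENTS):
        print(f"external RDP logon: {user} from {ip} at {when}")
    for user, ip, n in find_guessing_then_success(SAMPLE_EVENTS):
        print(f"RDP success after {n} failures: {user} from {ip}")
```

In a real environment the records would come from a SIEM export or `Get-WinEvent` output, and the internal ranges should include VPN and jump-host pools so that legitimate remote administration is not flagged; any hit from the first function is a candidate for the "exposed RDP" access path described above and a prompt to confirm whether RDP was intentionally reachable from the internet at all.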