GOLD ENCORE
SUMMARY
GOLD ENCORE is a financially motivated cybercriminal threat group that operates the Play name-and-shame ransomware. GOLD ENCORE denies operating Play as a ransomware-as-a-service (RaaS), disavowing the tactic on its leak site, but the increasing rate of victim naming over time suggests that its operations have expanded and it has taken on affiliates in a private arrangement.
CTU researchers first observed Play ransomware deployed at an organization in June 2022 following exploitation of a remote desktop protocol (RDP) connection for initial access. GOLD ENCORE's first foray into ransomware operations had low impact on the victim and was relatively amateurish in its approach to deployment. Files on a single host were encrypted, with no further distribution across the victim environment. At the time, the group did not run Play ransomware as a name-and-shame operation, so no attempt was made to exfiltrate data.
GOLD ENCORE subsequently evolved its tactics, techniques and procedures (TTPs) to become a more serious threat to business operations, listing its first victims on a leak site in November 2022. Since then, the group has listed victim names at an average of around 25 a month.
The group appears to have been a beneficiary of the law enforcement disruption activity taken against LockBit and the shuttering of the BlackCat ransomware scheme, seeing a significant increase in victim naming from March 2024. This suggests that some of the affiliates of those schemes may have moved to work with Play. In late 2024, Palo Alto Networks Unit 42 reported that North Korean state-sponsored threat group NICKEL HYATT had used Play ransomware in a financially motivated attack. It is not clear how the relationship between the two groups was established, and CTU researchers are not able to independently verify the claim.
GOLD ENCORE continues to exploit exposed RDP connections for access, and possibly also uses legitimate credentials obtained through phishing. CrowdStrike research suggests the group also exploits Microsoft Exchange vulnerabilities for access. According to Fortinet, GOLD ENCORE uses living-off-the-land binaries (LOLBins) for discovery. Symantec identified GOLD ENCORE using the SystemBC remote access trojan (RAT) and some custom tools, including an infostealer called Grixba and a Volume Shadow Copy Service (VSS) tool, both built using Costura, a .NET development tool. In a late-2023 #StopRansomware advisory, the Cybersecurity and Infrastructure Security Agency (CISA) listed an array of additional tools used by the group.
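Both access vectors named above (an exposed RDP service, and valid credentials obtained by phishing) leave the same footprint on the target host: a successful Windows logon with LogonType 10 (RemoteInteractive). The following is an added detection example, not code from the profile or from any of the vendors cited; it runs over constructed Windows Security event records (Event IDs 4624 and 4625 with assumed field names `time`, `event_id`, `logon_type`, `src`, `user`) and raises an alert for any RDP logon that either originates outside the RFC 1918 ranges or follows a burst of failures from the same source. The internal-range definition and the thresholds are assumptions to be replaced with the organisation's own values.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Assumed definition of "inside the network": the RFC 1918 ranges only.
# A real deployment would substitute the organisation's own allocations.
INTERNAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

LOGON_FAILED = 4625    # Windows Security: an account failed to log on
LOGON_SUCCESS = 4624   # Windows Security: an account was successfully logged on
LOGON_TYPE_RDP = 10    # RemoteInteractive (RDP / Terminal Services)

# Constructed sample events (not taken from the page): a burst of RDP failures
# followed by a success from one external address, a routine internal RDP
# logon, and a single external RDP logon with no failures beforehand, which is
# what a phished-but-valid credential looks like.
SAMPLE_EVENTS: List[Dict] = [
    {"time": "2024-03-01T02:10:05", "event_id": 4625, "logon_type": 10, "src": "198.51.100.23", "user": "jsmith"},
    {"time": "2024-03-01T02:10:09", "event_id": 4625, "logon_type": 10, "src": "198.51.100.23", "user": "jsmith"},
    {"time": "2024-03-01T02:10:14", "event_id": 4625, "logon_type": 10, "src": "198.51.100.23", "user": "jsmith"},
    {"time": "2024-03-01T02:10:20", "event_id": 4625, "logon_type": 10, "src": "198.51.100.23", "user": "jsmith"},
    {"time": "2024-03-01T02:10:27", "event_id": 4625, "logon_type": 10, "src": "198.51.100.23", "user": "jsmith"},
    {"time": "2024-03-01T02:12:40", "event_id": 4624, "logon_type": 10, "src": "198.51.100.23", "user": "jsmith"},
    {"time": "2024-03-01T09:00:00", "event_id": 4624, "logon_type": 10, "src": "10.0.5.17", "user": "adm-it"},
    {"time": "2024-03-01T11:30:00", "event_id": 4624, "logon_type": 10, "src": "203.0.113.9", "user": "finance1"},
    {"time": "2024-03-01T11:31:00", "event_id": 4624, "logon_type": 3, "src": "203.0.113.9", "user": "finance1"},
]


def is_internal(src: str) -> bool:
    """True if the source address falls inside one of the assumed internal ranges."""
    addr = ip_address(src)
    return any(addr in net for net in INTERNAL_NETS)


def detect_rdp_access(events: List[Dict],
                      window: timedelta = timedelta(minutes=10),
                      failure_threshold: int = 5) -> List[Dict]:
    """Return one alert per successful RDP logon that is either from outside the
    internal ranges or preceded by at least `failure_threshold` failed RDP logons
    from the same source within `window`. Non-RDP logon types are ignored."""
    ordered = sorted(events, key=lambda e: e["time"])  # ISO-8601 strings sort chronologically
    recent_failures: Dict[str, List[datetime]] = {}     # source address -> failure timestamps
    alerts: List[Dict] = []
    for ev in ordered:
        if ev["logon_type"] != LOGON_TYPE_RDP:
            continue
        t = datetime.fromisoformat(ev["time"])
        src = ev["src"]
        if ev["event_id"] == LOGON_FAILED:
            recent_failures.setdefault(src, []).append(t)
            continue
        if ev["event_id"] != LOGON_SUCCESS:
            continue
        prior = [f for f in recent_failures.get(src, []) if t - f <= window]
        reasons = []
        if not is_internal(src):
            reasons.append("external_rdp_logon")
        if len(prior) >= failure_threshold:
            reasons.append("failures_before_success")
        if reasons:
            alerts.append({
                "user": ev["user"],
                "src": src,
                "time": ev["time"],
                "prior_failures": len(prior),
                "reasons": reasons,
            })
        recent_failures[src] = []  # a success closes the current failure burst
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_access(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed events, the first alert is the exposed-RDP pattern (five failures then a success from 198.51.100.23), and the second is the quieter case the profile attributes to phished credentials: a single clean RDP logon from 203.0.113.9 with no failures at all, which a failure-count rule alone would never surface. The routine internal logon by adm-it produces nothing.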
The group delivers a basic ransom note that includes an email address and links to Tor websites. Unlike other ransomware groups' notes, it does not explain what has happened or what the victim needs to do. Instead, this is detailed more fully on the FAQ page of the leak site, which includes instructions on how to make payment.