GOLD EQUINOX
SUMMARY
GOLD EQUINOX is a financially motivated crime group that distributes Phobos ransomware. Phobos is likely descended from Dharma, a ransomware family that was operated by the GOLD ORION threat group before its source code was advertised for sale on an underground forum in 2019.
GOLD EQUINOX operates a ransomware-as-a-service (RaaS) scheme, allowing affiliates to gain access to networks and deploy Phobos ransomware. Some Phobos affiliates rely on encryption alone in their operations and do not steal data and hold it to ransom, while others use the ransomware alongside data theft to extort victims. Unusually, GOLD EQUINOX does not run a leak site for Phobos. Instead, affiliates wishing to run name-and-shame schemes establish their own leak sites on which to name victims (e.g., Space Bears or 8BASE). Affiliates customize the file extension used on encrypted files for branding and identification purposes.
Affiliates use a variety of tactics, techniques and procedures (TTPs) in their operations. These include scanning and exploiting to identify and compromise systems and, in many cases CTU researchers have observed, remote desktop protocol (RDP) for access. Encryption-only operators generally use RDP to move laterally once on the network, and deploy the ransomware on individual hosts rather than relying on centralized distribution via group policy objects or Active Directory Domain Services. As a consequence, distribution of Phobos ransomware can be less comprehensive than that of other variants, but the dwell time before deployment is short: CTU researchers have observed the encryption of hosts within an hour of the affiliate gaining initial access. Despite the relatively narrow distribution of the ransomware, such activity can still have a highly damaging impact on business operations. Affiliates that also steal data necessarily take longer to conduct their operations.
CTU researchers have observed an affiliate use legitimate off-the-shelf tools for reconnaissance, including Advanced IP Scanner, Advanced Port Scanner, Process Hacker, Mimikatz and the Everything utility, before encrypting the folders storing these tools in order to cover their tracks. In addition, the Phobos ransomware executable has been saved to Startup directories on hosts to ensure execution on user logon. Phobos deployments have been observed encrypting files with .eight, .elbie and .eking extensions, among others.
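As an added defensive example (not code from the original profile), the following Python helpers audit a host for the two behaviours described above: executable-type files dropped into Windows Startup folders, and files carrying the .eight, .elbie and .eking extensions. The Startup folder paths, the executable-type list and the function names are assumptions; the extension list should be extended with whatever an affiliate has chosen in a given case.

```python
import os
from pathlib import Path

# Extensions named in the profile; affiliates customize these, so extend per incident.
PHOBOS_EXTENSIONS = {".eight", ".elbie", ".eking"}
# File types that should not normally sit in a Startup folder (assumed list).
STARTUP_EXECUTABLE_TYPES = {".exe", ".bat", ".cmd", ".vbs", ".ps1", ".scr"}


def is_phobos_encrypted(name):
    """True if the file name ends in one of the Phobos-associated extensions."""
    return Path(name).suffix.lower() in PHOBOS_EXTENSIONS


def is_startup_executable(name):
    """True if a file of this name in a Startup folder warrants review."""
    return Path(name).suffix.lower() in STARTUP_EXECUTABLE_TYPES


def count_by_extension(names):
    """Tally file names per Phobos-associated extension (many hits = encrypted host)."""
    counts = {}
    for name in names:
        if is_phobos_encrypted(name):
            ext = Path(name).suffix.lower()
            counts[ext] = counts.get(ext, 0) + 1
    return counts


def default_startup_dirs():
    """Per-user and all-users Startup folders from the environment (assumed paths)."""
    candidates = [
        (os.environ.get("APPDATA"), "Microsoft/Windows/Start Menu/Programs/Startup"),
        (os.environ.get("ProgramData"), "Microsoft/Windows/Start Menu/Programs/StartUp"),
    ]
    return [Path(base) / sub for base, sub in candidates if base]


def audit_startup(dirs=None):
    """List executable-type files present in the given (or default) Startup folders."""
    hits = []
    for d in dirs if dirs is not None else default_startup_dirs():
        if Path(d).is_dir():
            hits.extend(str(p) for p in Path(d).iterdir()
                        if p.is_file() and is_startup_executable(p.name))
    return sorted(hits)


def audit_tree(root):
    """Walk a directory tree and tally files carrying Phobos-associated extensions."""
    names = (n for _, _, files in os.walk(root) for n in files)
    return count_by_extension(names)
```

On a suspect host, call `audit_startup()` for the Startup review and `audit_tree(Path.home())` (or a share root) for the encrypted-file tally.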