GOLD ESPRESSO
SUMMARY
GOLD ESPRESSO is a financially motivated cybercrime group that operates the AvosLocker name-and-shame ransomware-as-a-service (RaaS). The threat group provides hosting for stolen data and conducts negotiations on behalf of its affiliates. GOLD ESPRESSO began posting victim names to its leak site in July 2021 and continued to do so until May 2023, when the group ceased naming victims. It is not clear whether the AvosLocker operation has been permanently shuttered, but a persona responsible for recruiting affiliates on the Ramp underground forum last posted to it in January 2023.
AvosLocker has been deployed against organizations in multiple sectors, including critical infrastructure across the United States and Canada. The group has been observed on underground forums seeking network access to companies with revenue of over 50 million USD.
Tactics, techniques and procedures (TTPs) related to the deployment of AvosLocker will likely vary between GOLD ESPRESSO's affiliates. CTU researchers have so far observed affiliates gaining initial access to victim networks via scan-and-exploit techniques. The U.S. Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) report affiliates using a variety of open-source and legitimate tools to conduct AvosLocker operations. These include Splashtop Streamer, AnyDesk and Atera Agent for remote access, the native Windows PsExec tool for execution, the Ligolo and Chisel tunneling tools, Lazagne and Mimikatz for harvesting credentials, the Cobalt Strike and Sliver frameworks for command and control (C2), and FileZilla and Rclone for data exfiltration.
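Because most of the tools listed above are legitimate on their own, a useful detection is the combination: several phases of the toolset on one host within a short window. The following is an added example (not from this profile or from CTU) that groups the named tools by phase and correlates constructed process-creation log lines per host; the log format, host names, file paths and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Tool families named in the profile, grouped by the phase they serve.
TOOL_PHASES = {
    "splashtop": "remote_access", "anydesk": "remote_access", "atera": "remote_access",
    "psexec": "execution",
    "ligolo": "tunneling", "chisel": "tunneling",
    "lazagne": "credential_access", "mimikatz": "credential_access",
    "cobaltstrike": "c2", "sliver": "c2",
    "filezilla": "exfiltration", "rclone": "exfiltration",
}

# Assumed log line shape: "<iso-timestamp> host=<name> image=<full path>"
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) image=(?P<image>.+)$")

def classify(image):
    """Map a process image path to a toolset phase, or None if it is not a listed tool."""
    name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    name = re.sub(r"[\s_-]", "", name)  # "Splashtop Streamer.exe" -> "splashtopstreamer.exe"
    return next((phase for tool, phase in TOOL_PHASES.items() if tool in name), None)

def correlate(lines, window=timedelta(hours=6), min_phases=3):
    """Return {host: sorted phases} for hosts on which at least `min_phases`
    distinct phases occur within `window`. One remote-access tool alone is
    normal in many environments; the chained phases are the signal."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        phase = classify(m["image"]) if m else None
        if phase:
            events[m["host"]].append((datetime.fromisoformat(m["ts"]), phase))
    flagged = {}
    for host, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):  # sliding window anchored at each event
            phases = {p for t, p in evs[i:] if t - start <= window}
            if len(phases) >= min_phases:
                flagged[host] = sorted(phases)
                break
    return flagged

# Constructed sample telemetry: SRV01 chains remote access, credential theft and
# exfiltration tooling within three hours; the other hosts do not.
SAMPLE_LOG = [
    "2023-05-01T09:00:00 host=WS07 image=C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe",
    "2023-05-01T09:05:00 host=SRV01 image=C:\\ProgramData\\AteraAgent\\AteraAgent.exe",
    "2023-05-01T10:30:00 host=SRV01 image=C:\\Users\\Public\\mimikatz.exe",
    "2023-05-01T11:15:00 host=SRV01 image=C:\\Windows\\System32\\notepad.exe",
    "2023-05-01T12:00:00 host=SRV01 image=C:\\Users\\Public\\rclone.exe",
    "2023-05-01T08:00:00 host=DC01 image=C:\\Tools\\PsExec.exe",
    "2023-05-01T20:00:00 host=DC01 image=C:\\Tools\\FileZilla\\filezilla.exe",
    "malformed line that the parser must skip",
]

if __name__ == "__main__":
    print(correlate(SAMPLE_LOG))  # {'SRV01': ['credential_access', 'exfiltration', 'remote_access']}
```

Name matching is deliberately simple; in production the same correlation should key off hashes, signer information or behavioural rules rather than file names, which affiliates can rename.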