GOLD FEATHER
SUMMARY
GOLD FEATHER is a financially motivated cybercrime group that operates the Qilin ransomware-as-a-service (RaaS) scheme. The scheme follows the name-and-shame, or double extortion, model: affiliates steal data and hold it to ransom in addition to encrypting files and systems. According to Trend Micro, an early version of the ransomware was written in Golang before a Rust version was developed. Qilin ransomware can be used to target both Windows and VMware ESXi devices.
The first victim of Qilin ransomware was listed on a dedicated Tor leak site in October 2022, although third parties report seeing it used as early as July 2022. The scheme was slow to start and did not list any more victims until after the affiliate programme was advertised on the RAMP underground forum in February 2023. From April 2023, GOLD FEATHER began naming victims on the leak site at a regular but low rate of around five victims a month. In early 2024, the group took the unusual step of launching a website, an X account and a Telegram channel that exploit the WikiLeaks brand in an attempt to tarnish the reputations of a subset of listed victims who had elected not to pay the ransom, and to encourage future victims to accede to their demands. Around this time, Qilin ransomware operations also appeared to begin expanding, steadily increasing their listed victim tally. It is likely that the group benefitted from the law enforcement disruption of both the ALPHV/BlackCat and LockBit ransomware schemes in early 2024, which prompted those schemes' affiliates to move to other programmes to continue their criminal endeavours.
Because affiliates are used to deploy the ransomware and steal data, a variety of tactics, techniques and procedures (TTPs) are likely to be observed in Qilin network compromises. CTU researchers have observed the remote desktop protocol (RDP) abused for initial access and lateral movement before the post-compromise PCHunter and PowerTool tools were deployed, possibly with the intention of disabling antivirus software. CTU researchers also observed the contents of memory being dumped, likely to obtain hashed credentials for offline cracking. Attempts were also made to delete shadow copies before the ransomware was deployed.
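The TTP chain above (anti-AV tooling, memory dumping, shadow copy deletion) lends itself to host-level correlation: each stage alone is noisy, but a host showing two or more stages is a strong signal. The following is an added example, not CTU or Secureworks code, that runs simple rules over constructed process-creation events; the sample hosts, paths, the `dumper.exe` tool name and the `triage` and `match_event` function names are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (host, image, command_line).
# Illustrative only; not telemetry from any real Qilin incident.
SAMPLE_EVENTS = [
    ("ws01", r"C:\Tools\PCHunter64.exe", "PCHunter64.exe"),
    ("ws01", r"C:\Windows\System32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ("srv02", r"C:\Temp\dumper.exe", "dumper.exe lsass.exe out.dmp"),
    ("srv02", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    ("ws03", r"C:\Tools\PowerTool64.exe", "PowerTool64.exe"),
]

# Each rule: (name, field to test, compiled pattern). Names map to the
# stages described in the profile; tune the patterns to your own telemetry.
RULES = [
    ("av_tamper_tool", "image", re.compile(r"(?i)[\\/](pchunter|powertool)[^\\/]*\.exe$")),
    ("shadow_copy_deletion", "cmdline", re.compile(r"(?i)\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("lsass_memory_access", "cmdline", re.compile(r"(?i)\blsass(\.exe)?\b")),
]

def match_event(image, cmdline):
    """Return the names of all rules that fire on one process-creation event."""
    hits = []
    for name, field, pattern in RULES:
        value = image if field == "image" else cmdline
        if pattern.search(value):
            # lsass.exe legitimately appears as its own image; only flag other
            # processes whose command line references it (e.g. dump tools).
            if name == "lsass_memory_access" and image.lower().endswith("\\lsass.exe"):
                continue
            hits.append(name)
    return hits

def triage(events, escalate_at=2):
    """Group rule hits per host. Hosts showing at least escalate_at distinct
    stages are escalated, because the chain (AV tampering, memory dumping,
    then shadow copy deletion) is far more telling than any single alert."""
    stages = defaultdict(set)
    for host, image, cmdline in events:
        for name in match_event(image, cmdline):
            stages[host].add(name)
    return {host: ("escalate" if len(s) >= escalate_at else "review", sorted(s))
            for host, s in stages.items()}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_EVENTS).items():
        print(host, verdict)
```

In the constructed sample, ws01 is escalated (tooling plus shadow copy deletion) while srv02 and ws03 are queued for review on a single stage each.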