GOLD FIESTA
SUMMARY
GOLD FIESTA is a financially motivated cybercriminal threat group responsible for the development and deployment of Hello, Cring, and Rapture ransomware. The group operates these ransomware families as a traditional ransomware scheme rather than a ‘name and shame’ scheme involving data exfiltration. Active since 2021, GOLD FIESTA establishes initial access to victim networks via opportunistic scanning and exploitation of known vulnerabilities in internet-facing servers.
After gaining an initial foothold on a network, GOLD FIESTA typically deploys Cobalt Strike Beacons for command and control. The group moves laterally across an environment via Cobalt Strike Beacon and SMBExec. GOLD FIESTA attempts to disable the host-based antivirus solution and delete Volume Shadow copies before deploying ransomware to hosts.
CTU researchers assess with moderate confidence that GOLD FIESTA is based in China due to multiple links between the observed tactics, techniques, and procedures (TTPs) and Chinese-language security research.