GOLD MYSTIC
SUMMARY
GOLD MYSTIC is a financially motivated crime group that operates the LockBit name-and-shame Ransomware-as-a-Service (RaaS) scheme. The group began operating in September 2020 but by January 2021 had posted the details of just nine victims to the LockBit leak site. Following an apparent six-month gap in activity, during which time no victim names were posted, GOLD MYSTIC relaunched its RaaS scheme with LockBit 2.0 in mid-July 2021. Since then, LockBit steadily became the most prolific RaaS scheme. In June 2022, GOLD MYSTIC launched another variant of its ransomware called LockBit 3.0 (aka LockBit Black), which copied heavily from BlackMatter code. The group also took the unusual step of launching a bug bounty program to allow third parties to identify issues with the malware for remediation. In September 2022, the source code for LockBit 3.0 was leaked. GOLD MYSTIC responded by developing a fourth variant of the ransomware, called LockBit Green, which was launched in early 2023. LockBit Green borrows from the source code for the now defunct Conti ransomware.
On February 19, 2024, LockBit infrastructure was taken down in Operation Cronos, an international law enforcement operation led by the UK's National Crime Agency (NCA). As well as seizing the leak site and compromising backend infrastructure, the operation captured the contents of approximately 200 cryptocurrency wallets. A number of individuals were arrested, or indicted and sanctioned. The takedown also involved psychological operations (PSYOPS) intended to discourage nearly 200 affiliates from continuing to use the LockBit RaaS by undermining trust in its administrator and damaging the credibility of the LockBit brand. On February 24, a new leak site was established and began posting victim names, albeit at a much lower rate than that observed prior to the takedown. The number of victim names posted to the LockBit leak site steadily declined through 2024.
Operation Cronos continued in two further phases: an indictment was unsealed and sanctions levied against the LockBit administrator, Dmitry Khoroshev, in May 2024; in September 2024, an affiliate of the LockBit RaaS was identified as Aleksandr Ryzhenkov (aka Beverley) and named as a member of the well-established Evil Corp (GOLD DRAKE) cybercrime group. Ryzhenkov was indicted by the U.S. Justice Department in relation to his deployment of BitPaymer ransomware in extortion attempts. He and 15 other individuals were also named in sanctions levied by the U.S. and UK authorities. The Australian government sanctioned three of them.
CTU researchers have observed a variety of tactics, techniques and procedures (TTPs) used to facilitate the deployment of LockBit ransomware variants, reflecting the different affiliate groups that make use of LockBit in their ransomware attacks. These TTPs include exploiting the Citrix Bleed vulnerability or vulnerabilities in FortiGate firewalls to gain entry to a network, using Mimikatz and LaZagne to harvest credentials, and using a variety of off-the-shelf tools for reconnaissance, including the SoftPerfect Network Scanner, Advanced Port Scanner and AFind. Affiliates have used Cobalt Strike for post-exploitation activity, RDP to move between hosts and PsExec for remote execution.
GOLD MYSTIC also built its own bespoke data exfiltration tool – a remote access trojan (RAT) called StealBit – that it encouraged its affiliates to use.