GOLD REBELLION
SUMMARY
GOLD REBELLION is a financially motivated cybercriminal threat group that operates the Black Basta name-and-shame ransomware. The group posted its first victim to its leak site in April 2022 and had published over 130 victims through October 2022. GOLD REBELLION has not openly advertised or appeared to recruit for an affiliate program.
Several security vendors and independent researchers have suggested the distributors of Black Basta may be former affiliates of GOLD ULRICK's Conti operation. Technical artifacts analyzed by CTU researchers suggest that Black Basta has been under development since at least early February 2022, several weeks before extensive public leaks detailed GOLD ULRICK's Conti operation. In November 2022, researchers at SentinelOne linked custom tooling used by GOLD REBELLION to the GOLD NIAGARA (FIN7) threat group. CTU researchers have not made independent observations corroborating a relationship between these threat groups or any others.
CTU researchers have observed a variety of tactics, techniques and procedures (TTPs) used by distributors of Black Basta. In one incident, a threat actor gained access to a victim network through a managed security services provider (MSSP). In November 2022, CTU researchers observed multiple incidents where Black Basta was distributed through an initial access vector (IAV) of Qakbot leading to Cobalt Strike and further lateral movement into the victim network. Use of the SystemBC backconnect malware was also observed. In June 2022, researchers at NCC Group CIRT saw PsExec used for remote process execution. RDP is used for lateral movement, and affiliates have used batch files to delete their own tools and disable antivirus programs for defense evasion. Both RClone and MegaSync have been used for data exfiltration.
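The TTPs listed above can be turned into a simple host-level triage: match each process-creation event against one rule per TTP (PsExec execution, RClone/MegaSync, batch-file execution, antivirus tampering) and escalate hosts where several categories co-occur. This is an added illustration, not CTU tooling; the events, paths and regexes are constructed assumptions, not Black Basta indicators.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (host, image, command_line);
# shaped like Sysmon Event ID 1 fields, not taken from real telemetry.
SAMPLE_EVENTS = [
    ("ws01", r"C:\Windows\PSEXESVC.exe", "PSEXESVC.exe"),
    ("ws01", r"C:\Temp\rclone.exe", r"rclone.exe copy D:\Finance remote:backup -P"),
    ("ws02", r"C:\Windows\System32\cmd.exe", r"cmd.exe /c C:\Temp\cleanup.bat"),
    ("ws02", r"C:\Windows\System32\sc.exe", "sc.exe config WinDefend start= disabled"),
    ("ws03", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
]

# One rule per TTP named in the summary, applied to the image path or the
# command line. Patterns are illustrative, not vendor signatures.
RULES = {
    "psexec_remote_exec": re.compile(r"\\psexe(c|svc)\.exe$", re.I),
    "exfil_tool": re.compile(r"\\(rclone|megasync)\.exe$", re.I),
    "av_tamper": re.compile(r"\bsc(\.exe)?\s+config\s+windefend\b", re.I),
    "batch_execution": re.compile(r"\bcmd(\.exe)?\s+/c\s+\S+\.bat\b", re.I),
}

def classify(event):
    """Return the set of rule names matching one (host, image, cmdline) event."""
    _, image, cmdline = event
    hits = set()
    for name, pattern in RULES.items():
        if pattern.search(image) or pattern.search(cmdline):
            hits.add(name)
    return hits

def triage(events):
    """Collect rule hits per host so one noisy event does not decide the verdict."""
    per_host = defaultdict(set)
    for event in events:
        per_host[event[0]] |= classify(event)
    return dict(per_host)

def hosts_needing_escalation(events, min_categories=2):
    """Sorted hosts where at least min_categories distinct TTP categories co-occur."""
    return sorted(h for h, hits in triage(events).items() if len(hits) >= min_categories)

if __name__ == "__main__":
    for host, hits in triage(SAMPLE_EVENTS).items():
        print(host, sorted(hits))
    print("escalate:", hosts_needing_escalation(SAMPLE_EVENTS))
```

Real deployments would key on the MSSP and RDP paths too, which need authentication logs rather than process events and are left out here.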