GOLD SONATA
SUMMARY
GOLD SONATA is a financially motivated cybercriminal threat group that authored and distributed the Babuk Locker (also known as Babyk) ransomware on behalf of various affiliated threat groups. As of January 2021, when Babuk Locker first appeared on the scene, it was run by the threat actor “biba99” as a private ransomware without affiliates. At the time, GOLD SONATA took the unusual approach of listing their ransomware victims on an English-language forum. In February 2021, GOLD SONATA began advertising for affiliates on Russian-speaking forums. GOLD SONATA earned notoriety with the April 2021 attack on The Metropolitan Police Department in Washington, DC. That same month, GOLD SONATA announced they were closing the Babuk Locker project and making the source code publicly available. The group subsequently announced that they were moving away from ransomware deployment and were instead going to exclusively steal data and hold it hostage for ransom. These announcements are likely related to the blowback from the DC police attack.
The new GOLD SONATA operation was launched as "Payload Bin" in May 2021, with an associated leak site named Payload.bin. It should not be confused with the GOLD DRAKE ransomware that emerged soon after under the same name, probably in a deliberate attempt by GOLD DRAKE to evade U.S. Treasury sanctions. In June 2021, the compiled code for Babuk Locker was released by "biba99", and in September 2021 the full source code was released by the threat actor "dyadka0220". Since the code was released, at least one variant has been introduced, called Delta Plus 2.3. In October 2021, Avast released a decryptor for Babuk Locker.
GOLD SONATA expressed its ideology on public forums, indicating that it will not target non-profit organizations unless they are supporting "LGBT" or "BLM", referring to lesbian, gay, bisexual, and transgender individuals and the Black Lives Matter movement. The attack against the DC police and subsequent increased scrutiny by government and media led to internal dissension within GOLD SONATA, causing the group to splinter into two groups, with "Admin" forming the RAMP cybercrime forum and the others launching version two of Babuk Locker. As of October 2021, it appears that the threat actors behind GOLD SONATA are now associated with Groove ransomware, including "Orange" (formerly known as "TetyaSluha") from RAMP and "boriselcin". There are indications that Groove is not an actual ransomware family, and that it was created as a joke by the threat actors intended to mislead the press. There is also a suggested connection between BlackMatter ransomware, operated by GOLD WATERFALL, and GOLD SONATA, due to the reported sharing of the same file server to store leaked files.