GOLD SOUVENIR
SUMMARY
GOLD SOUVENIR is a financially motivated cybercrime group engaged in deploying ransomware, exfiltrating data and threatening to publicly name victims to extort payment. The group operated Royal ransomware from September 2022 until July 2023 when the last victim was posted to the leak site. CTU researchers assess with high confidence that GOLD SOUVENIR began the process of rebranding to Black Suit ransomware in May 2023. Neither scheme appears to be operated as ransomware-as-a-service (RaaS); CTU researchers have not observed any attempts to recruit affiliates on underground forums. Some members of the group may have previously been engaged in the Conti ransomware operation, developed and run by GOLD ULRICK, before its demise in May 2022.
In May 2023, Trend Micro investigated the Black Suit ransomware and identified significant similarities with both the Linux and Windows variants of Royal ransomware. Shortly after this, the number of victims named on the Royal ransomware leak site dropped precipitously from an average of approximately 28 a month to just one or two. This coincided with the emergence of a leak site for BlackSuit. In late 2023, CTU researchers observed a deployed ransomware variant that contained elements of both Royal and Black Suit ransomware, providing further evidence that the same operators run both schemes. However, only a few victims are being listed each month under the Black Suit banner, potentially indicating a scaled-down operation.
There is limited information about the tactics, techniques and procedures (TTPs) used to deploy Black Suit ransomware. In the majority of Royal ransomware cases, initial access appears to have been gained through phishing, although abuse of the remote desktop protocol (RDP) and exploitation of vulnerabilities in public-facing systems have also been seen. Microsoft has observed BATLOADER being used, possibly by an initial access broker (IAB), in precursor activity to Royal ransomware deployment. In March 2023, Red Sense identified GOLD SOUVENIR socially engineering targets with ‘spoof’ data extortion emails to get victims to engage, resulting in the delivery of Cobalt Strike.
A variety of post-compromise tools and TTPs have been used in the deployment of Royal ransomware, including legitimate Windows utilities, repurposed remote access management software, and adversary simulation frameworks like Cobalt Strike. Batch scripts have been used to perform numerous functions, including the extraction and execution of the ransomware and the deletion of files for defense evasion. CTU researchers expect similar TTPs may be used in Black Suit deployments.