GOLD ULRICK
SUMMARY
GOLD ULRICK is a financially motivated cybercriminal threat group responsible for the distribution of the Ryuk, Conti, and Diavol ransomware. It has been active since at least August 2018. CTU researchers assess with high confidence that GOLD ULRICK comprises some or all of the same operators as GOLD BLACKBURN, the threat group responsible for distributing malware such as TrickBot, BazarLoader and Buer Loader. The majority of Ryuk and Conti attacks originate from malware distributed by GOLD BLACKBURN that provides initial access to victim networks. Historically, most Ryuk deployments used TrickBot's Backconnect proxy module for interactive access to a compromised host. This requires direct access to the TrickBot backend infrastructure and would therefore only be available to highly trusted operators.
From late 2018 through 2019, Ryuk was one of the most prevalent ransomware variants encountered by Secureworks incident response teams in post-intrusion ransomware incidents. In February 2020, Ryuk activity stopped and appeared to have been replaced by Conti, which first appeared around December 2019. Ryuk attacks resumed in September 2020 and continued until finally ceasing in approximately May 2021. The most notable difference between the two ransomware families is that Conti operated as 'name and shame' ransomware, where the threat of public disclosure of stolen data is leveraged to put additional pressure on the victim, whereas Ryuk did not. CTU researchers assess with moderate confidence that GOLD ULRICK is the exclusive distributor, but not necessarily the developer, of Ryuk, Conti, and Diavol.
Since around late 2019, GOLD ULRICK has worked with various transient operators in attacks, resulting in at times divergent tactics, techniques and procedures (TTPs) observed in intrusions. Neither Ryuk nor Conti was openly advertised as a ransomware-as-a-service offering; recruitment of operators occurred through posts on underground forums, from within existing trust relationships, and through advertisements on legitimate job sites. Ransomware attacks operated by the core GOLD ULRICK group typically begin with initial access through TrickBot, BazarLoader or Buer Loader. In early 2021, attacks distributing Conti were observed using IcedID as the initial access vector. In approximately June 2020, the GOLD SWATHMORE threat group began making IcedID available to outside threat groups for use in ransomware campaigns. The GOLD BLACKBURN and GOLD SWATHMORE threat groups have cooperated extensively since 2018.
During an intrusion, tools such as Cobalt Strike, PowerShell Empire, Bloodhound, PSExec, Angry IP Scanner, Advanced IP Scanner, and other freely available tools are used for network discovery and traversal, privilege escalation, staging, and ransomware deployment. Prior to deployment, the ransomware is staged on central servers, such as Domain Controllers, along with PSExec, batch scripts, and text files listing the hosts targeted for ransomware deployment. GOLD ULRICK's dwell time is generally a few days, whereas the TrickBot, BazarLoader or other malware infections that precede the attack can be present on the network for months before GOLD ULRICK decides to leverage them.
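The staging and deployment pattern above (PSExec, batch scripts and a host-list text file placed on a central server) is something defenders can check for in telemetry. The following Python is an added illustration, not part of the Secureworks profile: it runs over constructed Windows System log service-install records (Event ID 7045, where PsExec's default service name is PSEXESVC) and a constructed listing of a staging share. All host names, accounts, paths and file names are constructed sample values.

```python
import re
from collections import defaultdict

# Constructed sample records resembling exported Windows System log events.
# Event ID 7045 = "a new service was installed". Not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 7045, "Computer": "DC01", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe", "AccountName": r"CORP\svc_backup"},
    {"EventID": 7045, "Computer": "FS02", "ServiceName": "DellUpdate",
     "ImagePath": r"C:\Program Files\Dell\DellUpdate\svc.exe", "AccountName": "LocalSystem"},
    {"EventID": 7045, "Computer": "FS02", "ServiceName": "psexec-FS02-1138",
     "ImagePath": r"C:\Windows\psexesvc.exe", "AccountName": r"CORP\svc_backup"},
    {"EventID": 7036, "Computer": "DC01", "ServiceName": "Spooler",
     "ImagePath": "", "AccountName": ""},
]

# Constructed directory listing of a share on a domain controller.
SAMPLE_SHARE = {
    r"\\DC01\C$\temp": ["PsExec.exe", "deploy.bat", "hosts.txt", "lock.exe"],
    r"\\DC01\C$\Users\Public": ["readme.txt", "notes.docx"],
}

# Matches the default PSEXESVC service as well as renamed variants that keep
# the "psexec" substring; a fully renamed service will not match.
PSEXEC_RE = re.compile(r"psexe(c|svc)", re.IGNORECASE)

def psexec_service_installs(events):
    """Return (computer, account) pairs for 7045 events naming a PsExec-style service."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 7045:
            continue
        if PSEXEC_RE.search(ev.get("ServiceName", "")) or PSEXEC_RE.search(ev.get("ImagePath", "")):
            hits.append((ev["Computer"], ev["AccountName"]))
    return hits

def accounts_by_host_count(hits):
    """Count distinct hosts per account: one account installing PsExec on many
    hosts is the fan-out that precedes a ransomware push."""
    per_account = defaultdict(set)
    for computer, account in hits:
        per_account[account].add(computer)
    return {acct: len(hosts) for acct, hosts in per_account.items()}

def staging_dirs(share_listing):
    """Flag directories holding a PsExec binary, a .bat script and a .txt host list together."""
    flagged = []
    for path, names in share_listing.items():
        lowered = [n.lower() for n in names]
        if (any(PSEXEC_RE.search(n) for n in lowered)
                and any(n.endswith(".bat") for n in lowered)
                and any(n.endswith(".txt") for n in lowered)):
            flagged.append(path)
    return flagged
```

The co-location check is a weak signal on its own; treat it as a pivot to inspect the batch script and host list, and correlate with the 7045 fan-out from the same account.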
In February 2022, at the onset of the Russian invasion of Ukraine, GOLD ULRICK posted a statement of fealty to the Russian Federation on the Conti dedicated leak site (DLS), which it subsequently deleted. Shortly afterwards, an anonymous security researcher released a trove of sensitive data, including chat logs and operational details of both GOLD ULRICK and GOLD BLACKBURN. In the ensuing months, victims continued to be posted to the Conti DLS, but at a diminished rate, until the sites went offline in June 2022.