GOLD VICTOR
SUMMARY
GOLD VICTOR is a cybercriminal threat group that operates the Rhysida name-and-shame ransomware scheme. Based on the tools and TTPs common to both deployments and on the chronology of victim naming, CTU researchers assess with moderate confidence that the group operated Vice Society from late 2021 before shifting to an operation built around Rhysida ransomware. Like Vice Society, Rhysida is not operated as ransomware-as-a-service (RaaS).
While operating as Vice Society, GOLD VICTOR used a variety of ransomware variants to encrypt victims' systems before posting victim names to a leak site. CTU researchers observed Zeppelin ransomware used to encrypt Windows devices, and third-party researchers have reported BlackCat/ALPHV, QuantumLocker and PolyVice in GOLD VICTOR compromises. According to reporting by Sygnia, GOLD VICTOR used HelloKitty (aka FiveHands) ransomware to encrypt Linux hosts. The extension appended to encrypted files therefore varied with the variant deployed; the group's current ransomware appends the .rhysida extension, and the names of victims who do not pay appear on the Rhysida leak site. The last victim name was posted to the Vice Society leak site in June 2023, the same month the first victim was named on the Rhysida leak site. In December 2023, GOLD VICTOR disabled all infrastructure associated with Vice Society.
GOLD VICTOR has used some of the same tools and TTPs to deploy ransomware in both the Vice Society and Rhysida schemes. CTU researchers have observed the SystemBC SOCKS5 proxy tool, PsExec for remote execution, and Advanced IP Scanner and Advanced Port Scanner for discovery. Other tools include PortStarter, a Golang-based backdoor, and a number of PowerShell scripts. CTU researchers have also observed GOLD VICTOR reuse the same file names across Vice Society and Rhysida intrusions and the same pattern for creating .onionmail.org email addresses for victim communications.
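The tooling named above gives defenders something concrete to hunt for. The Python below is an added example, not Secureworks' code or anything taken from the profile: it runs three simple detections over constructed Windows/Sysmon-style events (service installation 7045, process creation, file creation) for PsExec's default PSEXESVC service, execution of Advanced IP Scanner or Advanced Port Scanner, and a burst of files written with the .rhysida extension. The sample events, host names, account name and the encryptor image name are invented for the demonstration and are not indicators from any real intrusion; the PSEXESVC service name and the scanner binary names are default behaviour of those tools, not observations from this profile.

```python
"""Hunt for GOLD VICTOR-style tooling in flattened host telemetry (added example)."""
import re
from collections import Counter

# Constructed sample telemetry, not from any real incident: one flattened
# key=value event per line. event=7045 is a service install, event=1 a
# Sysmon process create, event=11 a Sysmon file create.
SAMPLE_EVENTS = [
    'ts=2023-06-02T01:10:04Z host=FS01 event=7045 service_name=PSEXESVC '
    'image_path=%SystemRoot%\\PSEXESVC.exe account=CORP\\svc_backup',
    'ts=2023-06-02T01:12:30Z host=WS17 event=1 '
    'image="C:\\Users\\j.doe\\Downloads\\Advanced_IP_Scanner_2.5.4594.1.exe" user=CORP\\j.doe',
    'ts=2023-06-02T01:14:02Z host=WS17 event=1 '
    'image="C:\\Program Files (x86)\\Advanced Port Scanner\\advanced_port_scanner.exe" user=CORP\\j.doe',
    'ts=2023-06-02T01:15:00Z host=WS17 event=1 '
    'image=C:\\Windows\\System32\\svchost.exe user="NT AUTHORITY\\SYSTEM"',
    # "sample_encryptor.exe" is a placeholder name, not a real Rhysida file name.
    'ts=2023-06-02T01:20:00Z host=FS01 event=11 image=C:\\Windows\\Temp\\sample_encryptor.exe '
    'target="D:\\Shares\\HR\\payroll.xlsx.rhysida"',
    'ts=2023-06-02T01:20:00Z host=FS01 event=11 image=C:\\Windows\\Temp\\sample_encryptor.exe '
    'target="D:\\Shares\\HR\\contracts.docx.rhysida"',
    'ts=2023-06-02T01:20:01Z host=FS01 event=11 image=C:\\Windows\\Temp\\sample_encryptor.exe '
    'target="D:\\Shares\\Finance\\Q2.pdf.rhysida"',
    'ts=2023-06-02T01:21:00Z host=WS17 event=11 '
    'image="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" '
    'target="C:\\Users\\j.doe\\Documents\\notes.docx"',
]

# key=value pairs; values may be double-quoted when they contain spaces.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Default Advanced IP Scanner / Advanced Port Scanner binary names (vendor defaults).
_SCANNER = re.compile(r'^advanced_(ip|port)_scanner.*\.exe$')


def parse_event(line):
    """Split one flattened event line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def _basename(path):
    """Lower-cased final path component, tolerant of either separator."""
    return path.replace('/', '\\').rsplit('\\', 1)[-1].lower()


def detect_psexec(events):
    """Service installs matching PsExec's default PSEXESVC service.

    Caveat: 'psexec -r <name>' renames both the service and the dropped
    binary, so also review any 7045 whose image sits directly in %SystemRoot%.
    """
    hits = []
    for e in events:
        if e.get('event') != '7045':
            continue
        name = e.get('service_name', '').lower()
        image = _basename(e.get('image_path', ''))
        if name == 'psexesvc' or image == 'psexesvc.exe':
            hits.append((e['host'], e.get('account', '?')))
    return hits


def detect_scanners(events):
    """Process creations whose image name matches the default scanner binaries."""
    return [
        (e['host'], _basename(e['image']))
        for e in events
        if e.get('event') == '1' and _SCANNER.match(_basename(e.get('image', '')))
    ]


def detect_rhysida_burst(events, threshold=3):
    """(host, process) pairs that wrote at least `threshold` files ending in .rhysida.

    This fires only once encryption has started; it is a scoping and
    containment signal, not a preventive control.
    """
    counts = Counter()
    for e in events:
        if e.get('event') == '11' and e.get('target', '').lower().endswith('.rhysida'):
            counts[(e['host'], _basename(e.get('image', '')))] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def hunt(lines):
    """Run all three detections over raw event lines and return the findings."""
    events = [parse_event(line) for line in lines]
    return {
        'psexec_service': detect_psexec(events),
        'scanner_exec': detect_scanners(events),
        'rhysida_writes': detect_rhysida_burst(events),
    }


if __name__ == '__main__':
    for name, finding in hunt(SAMPLE_EVENTS).items():
        print(f'{name}: {finding}')
```

Each detection is deliberately narrow and each has a known blind spot: PsExec's service and binary can be renamed, the scanners can be renamed or replaced with living-off-the-land alternatives, and the extension check only triggers after files are already encrypted. SystemBC and PortStarter are not covered because the profile gives no host-level indicators for them; network egress to unexpected SOCKS5 endpoints is the place to look for the former.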