GOLD ANGEL
SUMMARY
GOLD ANGEL is a financially motivated cybercrime group that operates the Dark Angels ransomware and the Dunghill Leaks name-and-shame leak site. The group uses a double extortion model: it exfiltrates sensitive data, then encrypts files, and holds both to ransom. GOLD ANGEL named its first victim on the leak site in January 2023, and since then has posted victim names at a low rate, fewer than one a month on average. For every listed compromise, GOLD ANGEL has claimed to have stolen a significant volume of data; a few of the listed victims have less than 1TB published on the site, while others have closer to 30TB allegedly leaked. The group also demands large ransom payments, which raises its profile despite the relatively low number of alleged victims. In September 2023, it breached the network of a multinational conglomerate, encrypting systems and exfiltrating over 27TB of confidential data. That attack came with a demand for a $51 million ransom, which the victim allegedly refused to pay. An attack in February 2024 made headlines and marked GOLD ANGEL out as a potentially significant ransomware threat. Reports at the time suggested that GOLD ANGEL had attacked a Fortune 50 company and received a ransom payment of $75 million, which, if true, would make it the largest known ransom ever paid.
Third-party reports suggest that GOLD ANGEL originally used a modified version of the Babuk-ESXi encryptor in their ransomware deployments. Its source code was leaked in September 2021 and has since been used by multiple ransomware groups. By September 2023, the group had switched to using a variant of Ragnar Locker, although they also claim to have developed their own encryptor.
Dark Angels ransomware deployments have involved the exploitation of a vulnerability in an Oracle WebLogic server to gain access to the network, after which JSP web shells were deployed for persistence. CTU researchers assess with moderate confidence that this activity was performed by the GOLD MELODY initial access broker (IAB), a view supported by the long dwell time between initial access and ransomware deployment. GOLD ANGEL may therefore rely on IABs for network access. Post-compromise, GOLD ANGEL uses Advanced IP Scanner for reconnaissance, 7-Zip to stage files, and FileZilla and WinSCP for exfiltration. The group also performs anti-forensics by deleting Windows event logs and running FileShredder, a utility that permanently deletes files from a computer.
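The post-compromise tooling listed above (Advanced IP Scanner, 7-Zip staging, FileZilla/WinSCP, event log clearing, FileShredder) is a useful detection chain because no single tool is malicious on its own. The following is an added example, not CTU code: it correlates per-host process-creation events into those stages and alerts when several stages occur on one host within a time window. The event field names and the sample events are constructed for illustration and do not represent a specific vendor schema.

```python
"""Correlate post-compromise stages per host from process-creation events."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample events (not real telemetry). Field names are assumed.
SAMPLE_EVENTS = [
    {"host": "SRV01", "ts": "2024-02-01T10:00:00",
     "image": r"C:\Tools\advanced_ip_scanner.exe", "cmd": "advanced_ip_scanner.exe /portable"},
    {"host": "SRV01", "ts": "2024-02-01T22:10:00",
     "image": r"C:\Program Files\7-Zip\7z.exe", "cmd": r"7z.exe a C:\staging\fin.7z C:\Shares\Finance"},
    {"host": "SRV01", "ts": "2024-02-01T22:40:00",
     "image": r"C:\Users\svc\Desktop\WinSCP.exe", "cmd": "WinSCP.exe /script=up.txt"},
    {"host": "SRV01", "ts": "2024-02-02T01:05:00",
     "image": r"C:\Windows\System32\wevtutil.exe", "cmd": "wevtutil.exe cl Security"},
    # Benign: 7-Zip extracting (not creating) an archive on another host.
    {"host": "WS07", "ts": "2024-02-01T09:00:00",
     "image": r"C:\Program Files\7-Zip\7z.exe", "cmd": "7z.exe x installer.7z"},
]

# Each stage is a case-insensitive pattern over the command line or image path.
STAGES = {
    "recon": re.compile(r"advanced_ip_scanner", re.I),
    "staging": re.compile(r"\b7za?\.exe\s+a\b", re.I),  # 7-Zip 'a' = add to archive
    "exfil": re.compile(r"\b(winscp|filezilla)\b", re.I),
    "anti_forensics": re.compile(r"wevtutil(\.exe)?\s+cl\b|fileshredder", re.I),
}

def classify(event):
    """Return the stage name an event matches, or None if it matches nothing."""
    for name, pattern in STAGES.items():
        if pattern.search(event["cmd"]) or pattern.search(event["image"]):
            return name
    return None

def correlate(events, window_hours=24, min_stages=2):
    """Alert per host when >= min_stages distinct stages fall inside one window.
    Returns {host: sorted list of stage names} for hosts that trip the threshold."""
    hits = defaultdict(list)
    for e in events:
        stage = classify(e)
        if stage:
            hits[e["host"]].append((datetime.fromisoformat(e["ts"]), stage))
    alerts = {}
    for host, seq in hits.items():
        seq.sort()  # chronological; each event anchors a sliding window
        for i, (t0, _) in enumerate(seq):
            window = {s for t, s in seq[i:] if t - t0 <= timedelta(hours=window_hours)}
            if len(window) >= min_stages:
                alerts[host] = sorted(window)
                break
    return alerts
```

Shortening the window raises precision at the cost of missing slow intrusions; the long dwell time noted above is why the staging, exfiltration and log-clearing stages, which tend to cluster, make the better trigger than reconnaissance alone.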