GOLD FIESTA
SUMMARY
GOLD FIESTA is a financially motivated cybercriminal threat group responsible for the development and deployment of Hello, Cring, and Rapture ransomware. The group operates these ransomware families as traditional ransomware schemes rather than ‘name and shame’ schemes, which involve data exfiltration. Active since 2021, GOLD FIESTA establishes initial access to victim networks via opportunistic scanning and exploitation of known vulnerabilities in internet-facing servers.
After gaining an initial foothold on a network, GOLD FIESTA typically deploys Cobalt Strike Beacons for command and control. The group moves laterally across an environment via Cobalt Strike Beacon and SMBExec. Before deploying ransomware to hosts, GOLD FIESTA attempts to disable the host-based antivirus solution and delete volume shadow copies.
CTU researchers assess with moderate confidence that GOLD FIESTA is based in China due to multiple links between the observed tactics, techniques, and procedures (TTPs) and Chinese-language security research.
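The pre-ransomware steps in the summary (antivirus tampering followed by shadow copy deletion) can be triaged from process-creation logs. The sketch below is an added example, not CTU tooling; the command patterns are well-known Windows commands chosen as assumptions (the profile does not say which ones the group uses), and the events, host names and 30-minute window are constructed.

```python
import re
from datetime import datetime, timedelta

# Well-known Windows commands for the two behaviours; the profile does not say
# which ones GOLD FIESTA uses, so these patterns are assumptions.
PATTERNS = {
    "shadow_delete": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows"
        r"|wmic(\.exe)?\s+shadowcopy\s+delete"
        r"|win32_shadowcopy.*\bdelete\b", re.I),
    "av_tamper": re.compile(
        r"set-mppreference\s+.*-disablerealtimemonitoring\s+(\$true|1)"
        r"|sc(\.exe)?\s+(stop|config)\s+windefend", re.I),
}
WINDOW = timedelta(minutes=30)  # assumed correlation window

# Constructed process-creation events: (timestamp, host, command line)
SAMPLE_EVENTS = [
    ("2024-01-10T02:11:05", "FS01",
     "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"),
    ("2024-01-10T02:19:40", "FS01",
     "cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet"),
    ("2024-01-10T09:02:13", "WS17", "vssadmin.exe list shadows"),
    ("2024-01-10T11:30:00", "DB02", "wmic.exe shadowcopy delete"),
]

def classify(cmdline):
    """Return the behaviour labels whose pattern matches the command line."""
    return {name for name, rx in PATTERNS.items() if rx.search(cmdline)}

def triage(events):
    """Map host -> 'high' (both behaviours within WINDOW) or 'medium' (one)."""
    hits = {}
    for ts, host, cmd in events:
        for label in classify(cmd):
            hits.setdefault(host, []).append((datetime.fromisoformat(ts), label))
    result = {}
    for host, seen in hits.items():
        tamper = [t for t, label in seen if label == "av_tamper"]
        delete = [t for t, label in seen if label == "shadow_delete"]
        paired = any(abs(d - t) <= WINDOW for d in delete for t in tamper)
        result[host] = "high" if paired else "medium"
    return result

if __name__ == "__main__":
    for host, severity in sorted(triage(SAMPLE_EVENTS).items()):
        print(host, severity)
```

Hosts that only list shadow copies are not flagged; a host showing both behaviours inside the window is the one to isolate first.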