GOLD SOUVENIR
SUMMARY
GOLD SOUVENIR is a financially motivated cybercrime group engaged in deploying ransomware, exfiltrating data and threatening to publicly name victims to extort payment. The group operated Royal ransomware from September 2022 until July 2023 when the last victim was posted to the leak site. CTU researchers assess with high confidence that GOLD SOUVENIR began the process of rebranding to Black Suit ransomware in May 2023. Neither scheme appears to be operated as ransomware-as-a-service (RaaS) - CTU researchers have not observed any attempts to recruit affiliates on underground forums - but third-party researchers have suggested that multiple different threat actors deploy GOLD SOUVENIR's ransomware. Some members of the group may have previously been engaged in the Conti ransomware operation, developed and run by GOLD ULRICK, before its demise in May 2022.
In May 2023, Trend Micro investigated the Black Suit ransomware and identified significant similarities with both the Linux and Windows variants of Royal ransomware. Later that year, CTU researchers also observed a ransomware variant deployed that contained elements of both Royal and Black Suit ransomware, providing further evidence that the operators of each scheme are the same. In May 2023, the number of victims named on the Royal ransomware leak site dropped precipitously from an average of approximately 28 a month to just one or two. This coincided with the emergence of a leak site for Black Suit. To begin with, the rate of naming victims on the Black Suit leak site was significantly lower than that previously observed on the Royal leak site, potentially indicating a scaled down operation. However, the number of Black Suit victims named each month subsequently began to rise, albeit at a lower rate than Royal.
Phishing is a popular initial access vector in Royal and Black Suit operations, although the abuse of remote desktop protocol (RDP) and exploitation of public-facing vulnerabilities have also been seen. Microsoft has observed BATLOADER used, possibly by an initial access broker (IAB), in precursor activity to Royal ransomware deployment. In March 2023, Red Sense identified GOLD SOUVENIR socially engineering targets with 'spoof' data extortion emails to get victims to engage, resulting in the delivery of Cobalt Strike. According to the Cybersecurity and Infrastructure Security Agency (CISA), threat actors deploying Royal ransomware have used Chisel, PuTTY and MobaXterm for command and control (C2) communications. RDP has been used for lateral movement in Black Suit compromises, while legitimate remote monitoring and management (RMM) tools and SystemBC have been used for remote access and persistence. Mimikatz has been used for credential harvesting, while GMER and PowerTool are used for defense evasion.