GOLD IONIC
SUMMARY
GOLD IONIC is a financially motivated cybercriminal threat group that operate the INC Ransom leak site, which they use to name the victims of their extortion and ransomware operations. The group emerged in July 2023, and since then have listed victim names on their leak site at an average of around 10 a month. The vast majority of alleged victims are based in the U.S. GOLD IONIC operate a double extortion model, first stealing victim data and then encrypting systems, demanding payment for decryption keys and threatening to leak the data online should the victim fail to comply with their demands. There are no indications that GOLD IONIC operate an affiliate model, although they have posted victims of other ransomware groups, specifically ALPHV/BlackCat, to their leak site. This may have been due to the law enforcement action that rendered the ALPHV/BlackCat site inaccessible, forcing affiliates to look elsewhere for accommodating groups to assist them with posting victim data.
GOLD IONIC use compromised credentials to gain access to a victim environment and move laterally using RDP (Remote Desktop Protocol). Third-party researchers have also observed the group exploiting the 'Citrix Bleed' vulnerability (CVE-2023-3519). CTU researchers have seen GOLD IONIC use Metasploit and PsExec, as well as MegaSync for the exfiltration of data from victim networks. GOLD IONIC also use a range of other commercial off-the-shelf (COTS) tools and LOLBins once inside a victim network for discovery and lateral movement.
GOLD IONIC encrypt victim files, adding the .INC extension, and drop both .txt and .html ransom notes with the file name INC-README. GOLD IONIC have also been observed using network-connected printers to print out physical copies of the ransom notes in the victim environment. These ransom notes contain a unique link for each victim, which directs them towards a Tor-hosted payment portal.
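A detection check built on the encryption artifacts described above, added here as an example and not code from the original profile. It classifies file-creation events by the .INC extension and the INC-README note names, and alerts on a host either when a note is written or when a burst of .INC files appears; the hostnames, paths and threshold are constructed assumptions.

```python
from pathlib import PureWindowsPath
# Artifacts from the profile: encrypted files gain the .INC extension and the
# ransom note is dropped as INC-README.txt and INC-README.html.
ENCRYPTED_EXT = ".inc"
RANSOM_NOTE_STEM = "inc-readme"
RANSOM_NOTE_EXTS = {".txt", ".html"}
# Legitimate .inc files exist (PHP/assembler includes), so one .INC file is weak
# evidence; a burst of them on a single host, or the note itself, is not.
BURST_THRESHOLD = 10  # assumed tuning value, not from the profile

def classify(path: str):
    # Return 'encrypted', 'ransom_note' or None for a single file path.
    p = PureWindowsPath(path)
    suffix = p.suffix.lower()
    if suffix == ENCRYPTED_EXT:
        return "encrypted"
    if p.stem.lower() == RANSOM_NOTE_STEM and suffix in RANSOM_NOTE_EXTS:
        return "ransom_note"
    return None

def detect(events, burst_threshold=BURST_THRESHOLD):
    """events: iterable of (hostname, created_file_path) -> {host: alert}."""
    per_host = {}
    for host, path in events:
        kind = classify(path)
        if kind is None:
            continue
        st = per_host.setdefault(host, {"encrypted": 0, "notes": set()})
        if kind == "encrypted":
            st["encrypted"] += 1
        else:
            st["notes"].add(PureWindowsPath(path).name.lower())
    alerts = {}
    for host, st in per_host.items():
        reasons = []
        if st["notes"]:
            reasons.append("INC-README ransom note written")
        if st["encrypted"] >= burst_threshold:
            reasons.append(f"{st['encrypted']} files renamed to .INC")
        if reasons:
            alerts[host] = {"encrypted_files": st["encrypted"],
                            "ransom_notes": sorted(st["notes"]), "reasons": reasons}
    return alerts

# Constructed sample file-creation events (hostname, path); not real telemetry.
SAMPLE_EVENTS = [
    ("FS01", r"D:\Shares\Finance\q3-forecast.xlsx.INC"),
    ("FS01", r"D:\Shares\Finance\INC-README.txt"),
    ("FS01", r"D:\Shares\Finance\INC-README.html"),
    ("WS07", r"C:\Users\alice\Documents\thesis.docx"),
    ("WS07", r"C:\dev\project\config.inc"),  # benign include file, below threshold
] + [("WS12", rf"C:\Users\bob\Pictures\img{i}.jpg.INC") for i in range(12)]
```

Feed real file-creation or rename telemetry as (host, path) pairs; the note name is the high-fidelity signal, while the .INC burst catches hosts where the note has not yet been written.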