GOLD LOTUS
SUMMARY
GOLD LOTUS is a financially motivated cybercriminal threat group that operates the BlackByte name-and-shame ransomware-as-a-service (RaaS). GOLD LOTUS posted its first victim to the BlackByte leak site in August 2021, and since then steadily named victims at an average rate of around five a month until late 2023. After October 2023, the rate of naming victims dropped significantly and GOLD LOTUS listed just a single victim on the leak site every few months.
As BlackByte is operated as a RaaS, different affiliates deploy the ransomware, so a variety of TTPs are likely to be observed across intrusions. CTU researchers have observed BlackByte affiliates exploiting the ProxyShell vulnerability chain in Microsoft Exchange servers for initial access, before using Cobalt Strike for post-intrusion activity. Open-source scanning tools, such as the SoftPerfect Network Scanner, are used for reconnaissance, while RDP has been exploited for lateral movement. In addition to deploying the BlackByte ransomware, affiliates have been observed accessing a domain controller and changing the passwords for administrator accounts, likely to hamper recovery efforts. The FBI reports that on some occasions, BlackByte has only partially encrypted files, allowing for data recovery without the need for the decryption tool. In October 2022, Symantec reported on a BlackByte affiliate using a custom tool called Exbyte to exfiltrate data to the MEGA cloud storage service.
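One of the post-intrusion behaviours described above, resetting the passwords of administrator accounts on a domain controller to hamper recovery, leaves a distinctive trace in Windows Security logs: a burst of Event ID 4724 (an attempt was made to reset an account's password) from one subject account against several privileged targets in a short window. The detector below is an added example written for this profile; it is not CTU's or any vendor's code. It assumes a simplified pipe-delimited export of 4724 events, a constructed list of privileged account names, and a five-minute window with a threshold of two distinct admin targets; all three are tunable assumptions, not values taken from any BlackByte intrusion.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a flat form: timestamp|event_id|subject|target|host.
# Real 4724 events are XML inside EVTX; the flat layout is an assumption so the
# example runs offline. The first four lines model one account resetting several
# privileged accounts within seconds, the rest are ordinary helpdesk activity.
SAMPLE_EVENTS = """\
2023-09-14T02:11:05|4724|svc_backup|Administrator|DC01
2023-09-14T02:11:09|4724|svc_backup|da_jsmith|DC01
2023-09-14T02:11:14|4724|svc_backup|da_mlee|DC01
2023-09-14T02:11:20|4724|svc_backup|helpdesk01|DC01
2023-09-14T09:30:00|4724|helpdesk01|jdoe|DC01
2023-09-14T10:15:00|4724|helpdesk01|da_mlee|DC01
"""

# Constructed set of privileged account names; in practice populate this from
# Domain Admins / Administrators group membership.
ADMIN_ACCOUNTS = {"Administrator", "da_jsmith", "da_mlee"}
WINDOW = timedelta(minutes=5)   # assumed correlation window
THRESHOLD = 2                   # assumed number of distinct admin targets to alert


def parse_events(text):
    """Parse the flat event lines into dicts with a real datetime for sorting."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, subject, target, host = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "subject": subject,
            "target": target,
            "host": host,
        })
    return events


def find_mass_admin_resets(events, admin_accounts=ADMIN_ACCOUNTS,
                           window=WINDOW, threshold=THRESHOLD):
    """Return one alert per (subject, host) that resets >= threshold distinct
    privileged accounts within `window`. Non-admin targets are ignored so a
    single helpdesk reset of a normal user never trips the rule."""
    by_actor = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 4724 and ev["target"] in admin_accounts:
            by_actor[(ev["subject"], ev["host"])].append(ev)

    alerts = []
    for (subject, host), evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        i = 0
        while i < len(evs):
            start = evs[i]["ts"]
            # Sliding window anchored on the i-th admin reset by this actor.
            cluster = [e for e in evs[i:] if e["ts"] - start <= window]
            targets = sorted({e["target"] for e in cluster})
            if len(targets) >= threshold:
                alerts.append({
                    "subject": subject,
                    "host": host,
                    "first_seen": start.isoformat(),
                    "targets": targets,
                })
                i += len(cluster)   # do not re-alert on the same burst
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    for alert in find_mass_admin_resets(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT {alert['host']}: {alert['subject']} reset "
              f"{len(alert['targets'])} admin accounts starting {alert['first_seen']}: "
              f"{', '.join(alert['targets'])}")
```

The rule keys on the subject account rather than the target so that a single compromised service account resetting many admins is caught while routine one-off resets by helpdesk staff are not; pairing this with a list of privileged accounts drawn from group membership, rather than a hard-coded set, is what makes it usable outside the sample.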
BlackByte ransom notes are delivered to all impacted hosts and contain instructions on how to recover data. As with most groups, GOLD LOTUS directs victims to communicate through a negotiation portal hosted on Tor. Samples of victim data are stored on the AnonFiles file storage service.