Cybersecurity · 15 Apr 2024 · 3m · sophos.com

GOLD IONIC Ransom Group Targets Multiple Sectors Worldwide

The GOLD IONIC ransomware group, tracked under the name INC, has launched extensive attacks affecting various sectors globally since its emergence in August 2023. Their opportunistic tactics combine data exfiltration with system encryption, threatening to expose the stolen data in order to extort ransom payments.

Key Takeaways

  • According to recent incident response engagements, they have utilized vulnerabilities such as the "Citrix Bleed" (CVE-2023-4966) to gain initial access to networks.
  • GOLD IONIC employs a double extortion method, where they first extract data from their targets before encrypting systems.
  • "In one case, more than 70 GB of sensitive data was exfiltrated, and the INC ransomware was distributed across over 500 systems within the organization," a cybersecurity analyst stated.

The GOLD IONIC ransomware group, known as INC, has been a focal point of cybersecurity concerns since its emergence in August 2023. Researchers from Secureworks® Counter Threat Unit™ (CTU) are diligently monitoring their activities, noting a pattern of opportunistic attacks that have affected numerous sectors across multiple countries.

"GOLD IONIC employs a double extortion method, where they first extract data from their targets before encrypting systems. This strategy allows them to leverage the possibility of public data exposure against victims during ransom negotiations," explained a member of the CTU research team.

Since its inception, GOLD IONIC has listed 72 victims on its Tor leak site, with seven victims named in April alone. While a significant portion of their targets are based in the United States, the group's influence appears to be expanding internationally.


Victims of GOLD IONIC span a variety of sectors, with industrial, healthcare, and educational institutions being the most frequently affected. The broad distribution of these attacks highlights the indiscriminate nature of such ransomware operations. "Many financially motivated groups operate opportunistically, leading to a diverse array of victims across different geographies and sectors," noted the research team.


The research indicates that GOLD IONIC’s victimology primarily affects U.S. organizations, followed by a handful from the UK, suggesting possible operational bases in Russia or surrounding regions. The consistency of their attacks and the lack of victims from Commonwealth of Independent States (CIS) countries reinforces this theory.

Despite the group’s reach across various sectors, there is a marked absence of discernible trends in the types of organizations targeted. The researchers pointed out that educational institutions have been particularly affected by GOLD IONIC, with their presence exceeding the typical representation seen across all ransomware groups, where education accounts for only about 5% of victims.

Operations linked to GOLD IONIC have shown how they deploy INC ransomware consistently. According to recent incident response engagements, they have utilized vulnerabilities such as the "Citrix Bleed" (CVE-2023-4966) to gain initial access to networks. This method had previously been favored by affiliates of the GOLD MYSTIC threat group, which engaged in data theft and extortion through ransomware-as-a-service.



Once inside a compromised network, attackers employed various tools to further infiltrate systems and exfiltrate data. "In one case, more than 70 GB of sensitive data was exfiltrated, and the INC ransomware was distributed across over 500 systems within the organization," a cybersecurity analyst stated.


The deployed ransomware encrypted files by appending a .inc extension and left behind a ransom note titled "INC-README.txt." This note not only provided instructions for how to proceed but also included a Tor .onion address where victims could negotiate payment or face the public exposure of sensitive data.
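The two file-system indicators named above (the appended .inc extension and the INC-README.txt ransom note) are enough for a responder to build a quick triage check over a file inventory. The script below is an added example written for this page, not code from Secureworks, Sophos or the INC operators. The indicator names come from the article; the directory listing it runs over is constructed for the demonstration, and the double-extension heuristic (original extension kept, .inc appended) is an assumption drawn from the article's description of how files are renamed.

```python
"""Triage a file inventory for the INC ransomware indicators described in the article.

Added example for this page (not Secureworks', Sophos' or the operators' code).
Indicators from the article: files renamed with a trailing ".inc", and a ransom
note named "INC-README.txt" dropped alongside them. The sample listing is constructed.
"""
from collections import defaultdict
from pathlib import PurePosixPath

RANSOM_NOTE_NAME = "INC-README.txt"   # from the article
ENCRYPTED_EXTENSION = ".inc"          # from the article

# Constructed sample: what a file inventory pulled from an affected host might contain.
SAMPLE_LISTING = [
    "/srv/share/finance/Q1-report.xlsx.inc",
    "/srv/share/finance/budget.docx.inc",
    "/srv/share/finance/INC-README.txt",
    "/srv/share/hr/contracts.pdf.inc",
    "/srv/share/hr/INC-README.txt",
    "/var/www/html/config.inc",        # ordinary PHP include file, no ransom note
    "/var/www/html/index.php",
    "/home/alice/notes.txt",
]


def original_name(encrypted_name):
    """Recover the pre-encryption filename by stripping the appended ".inc".

    Useful for building the inventory of what needs restoring from backup.
    """
    if encrypted_name.endswith(ENCRYPTED_EXTENSION):
        return encrypted_name[: -len(ENCRYPTED_EXTENSION)]
    return encrypted_name


def triage_listing(paths):
    """Group indicators by directory and return the directories that look encrypted.

    A directory is flagged when it holds the ransom note or when its .inc files carry
    a double extension (e.g. "report.xlsx.inc"), which matches the renaming the article
    describes. A bare ".inc" such as "config.inc" is recorded but not flagged on its
    own, because that suffix is also used legitimately for include files.
    """
    per_dir = defaultdict(lambda: {"encrypted": [], "note": False, "bare_inc": []})
    for raw in paths:
        p = PurePosixPath(raw)
        entry = per_dir[str(p.parent)]
        if p.name == RANSOM_NOTE_NAME:
            entry["note"] = True
        elif p.suffix == ENCRYPTED_EXTENSION:
            # "Q1-report.xlsx.inc" -> suffixes [".xlsx", ".inc"]: original extension preserved
            if len(p.suffixes) >= 2:
                entry["encrypted"].append(p.name)
            else:
                entry["bare_inc"].append(p.name)
    return {d: e for d, e in per_dir.items() if e["note"] or e["encrypted"]}


def restore_inventory(findings):
    """Map each flagged directory to the original names of its encrypted files."""
    return {
        directory: sorted(original_name(n) for n in entry["encrypted"])
        for directory, entry in findings.items()
    }


if __name__ == "__main__":
    hits = triage_listing(SAMPLE_LISTING)
    for directory, entry in sorted(hits.items()):
        print(f"{directory}: {len(entry['encrypted'])} encrypted file(s), "
              f"ransom note present: {entry['note']}")
    print("Files to restore:", restore_inventory(hits))
```

The check deliberately requires corroboration before flagging a directory: the .inc suffix alone is noisy on web servers, so the script only raises a finding when the ransom note is present or when the renamed files still carry their original extension underneath. On a real engagement the listing would come from a file-system walk or an EDR inventory rather than a hard-coded list, and the `restore_inventory` output gives the backup team a concrete list of what to bring back.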

The design and functionality of the INC ransom note mirror those of the LockBit ransomware group's leak site, suggesting a level of sophistication; however, no definitive connections between the two groups have yet been confirmed. Observers have commented on the professional appearance of the INC leak website, with one stating, “The structure and execution of their ransom demands indicate that the group is taking a strategic approach to maximize their leverage over victims.”

As GOLD IONIC continues its attacks, the ramifications for affected sectors grow, with increasing concerns about data security and operational integrity. Experts urge organizations to bolster their defenses, noting that the evolving tactics of ransomware groups like GOLD IONIC require proactive and robust cybersecurity measures.

In summary, GOLD IONIC's rise as a prominent threat within the ransomware landscape highlights the pressing need for organizations to remain vigilant. As the group adapts and enhances its tactics, comprehensive cybersecurity strategies will be essential in protecting sensitive information and maintaining operational resilience.