Gold Ulrick

Threat Actor Profile (updated 3 months ago)
GOLD ULRICK, also known as ITG23, is a threat actor identified for its aggressive and unrestricted operations. The group has shown no hesitation in targeting healthcare organizations with Conti ransomware, malicious software that blocks access to a computer system until a sum of money is paid.

GOLD ULRICK has also been linked to Ryuk ransomware infections, in which it used PowerShell scripts to create new Group Policy Objects (GPOs) that prepared the environment for deployment of the ransomware. This technique involves the Import-GPO cmdlet and indicates a high level of sophistication and expertise in the group's methods. In addition to the GPO technique, GOLD ULRICK has used shares on domain controllers to distribute Ryuk to compromised environments via batch files and PowerShell scripts, further demonstrating its advanced capabilities and broad arsenal. GOLD ULRICK is not the only threat actor employing these tactics: GOLD VILLAGE, another threat group, has used similar strategies in Maze ransomware incidents, indicating a shared methodology or potential collaboration between the groups.

Despite its extensive activity, GOLD ULRICK experienced significant disruption in May 2022 due to a series of events triggered by the Russian invasion of Ukraine, which led to the shutdown of the Conti/TrickBot syndicate, a network closely associated with GOLD ULRICK. While this disruption marked a significant setback for the group, it remains crucial to stay vigilant for resurgences or offshoots of this threat actor given its previous impact and demonstrated capabilities.
Possible Aliases / Cluster Overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you may also want to look at.
ID: ITG23 (votes: 1)
Profile description: ITG23, also known as the Trickbot/Conti syndicate, is a significant threat actor that has been active since 2016 in the East European cybercrime arena. This group is renowned for its use of Reflective DLL Injection code in many of its crypters, with the presence of these crypters on a file sample be
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Associated Malware
ID: Conti (type: Unspecified; votes: 1)
Profile description: Conti is a type of malware, specifically ransomware, known for its ability to disrupt operations, steal personal information, and hold data hostage for ransom. The malicious software infiltrates systems via suspicious downloads, emails, or websites, often unbeknownst to the user. It has been used in
ID: Maze Ransomware (type: Unspecified; votes: 1)
Profile description: Maze ransomware is a type of malware that emerged in 2019, employing a double extortion tactic to wreak havoc on its victims. This malicious software infiltrates systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data hostage for
ID: Ryuk (type: Unspecified; votes: 1)
Profile description: Ryuk is a sophisticated malware, specifically a ransomware variant, that has been extensively used by cybercriminal group ITG23. The group has been employing crypting techniques for several years to obfuscate their malware, with Ryuk often seen in tandem with other malicious software such as Trickbo
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Gold Ulrick threat actor was read from the document corpus below. This display is limited to 20 results.
Source | Created | Title
CERT-EU | a year ago | BlackCat Operators Distributing Ransomware Disguised as WinSCP via Malvertising
Secureworks | a year ago | Phases of a Post-Intrusion Ransomware Attack
Secureworks | a year ago | Ransomware Evolution