In late November 2023, cybersecurity researchers from Unit 42 identified a new ransomware operation named Golden Scale. The operation has been attributed to the threat actor group known as ShinySp1d3r, which is also tracked as DEV-0832. The name Golden Scale was assigned by the researchers based on a distinctive image of a golden scale of justice used within the ransom note left on compromised systems.
The investigation into Golden Scale began following an incident response case. The ransomware payload itself was discovered as an executable file named gift.exe. This file is responsible for the encryption process on a victim’s network.
Golden Scale’s Operational Toolkit and Encryption
The attackers deployed a specific set of tools during the incident. Discovery scripts included Get-AD-Info.ps1, used to gather information about the Active Directory environment, and Find-Clone.ps1, used to locate domain controllers. A network scanner, named scanner.exe, was also used by the threat actors. The primary payload, gift.exe, initiates the encryption of files. The encryption process uses an AES-256 algorithm for individual files and an RSA-4096 key to protect the AES key. After encryption, files are appended with the .gift extension. A ransom note titled How_to_Recover_My_Files.txt is then created in each directory; it directs victims to a Tor negotiation portal hosted on a TOX chat service.
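As an added example (not from the Unit 42 report), the following defender-side triage script walks a file tree for the on-disk indicators described above: it tallies files carrying the .gift extension per directory, locates How_to_Recover_My_Files.txt notes, and extracts any Tox IDs from them so they can be compared against earlier incidents. The Tox ID format (76 hex characters) is an assumption, and the sample tree is constructed for the demonstration.

```python
import os
import re
import tempfile
from collections import Counter

GIFT_EXT = ".gift"
NOTE_NAME = "How_to_Recover_My_Files.txt"
# Assumption: a Tox ID is a 76-character hex string (public key + nospam + checksum).
TOX_ID_RE = re.compile(r"\b[0-9A-Fa-f]{76}\b")

def triage_tree(root):
    """Walk root; return (.gift counts per directory, note paths, Tox IDs found in notes)."""
    gift_counts = Counter()
    notes = []
    tox_ids = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(GIFT_EXT):
                gift_counts[dirpath] += 1
            elif name == NOTE_NAME:
                notes.append(path)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    tox_ids.update(m.upper() for m in TOX_ID_RE.findall(fh.read()))
    return gift_counts, notes, tox_ids

def build_sample_tree():
    """Construct a small victim-like tree for the demo (constructed data, not real)."""
    root = tempfile.mkdtemp(prefix="gs_demo_")
    fake_tox = "AB" * 38  # constructed placeholder, 76 hex chars
    for sub, n in (("finance", 3), ("hr", 1)):
        d = os.path.join(root, sub)
        os.makedirs(d)
        for i in range(n):
            open(os.path.join(d, f"report{i}.xlsx{GIFT_EXT}"), "w").close()
        with open(os.path.join(d, NOTE_NAME), "w") as fh:
            fh.write(f"Your files are encrypted.\nContact us on TOX: {fake_tox}\n")
    open(os.path.join(root, "untouched.txt"), "w").close()
    return root

if __name__ == "__main__":
    sample_root = build_sample_tree()
    counts, notes, ids = triage_tree(sample_root)
    for d, n in sorted(counts.items()):
        print(f"{n:3d} .gift files in {d}")
    print(f"{len(notes)} ransom notes; Tox IDs to compare with earlier incidents: {sorted(ids)}")
```

Extracted Tox IDs are the pivot for the attribution point made below: the same ID appearing across incidents is what tied Golden Scale notes to earlier Black Basta activity.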
Attribution and Overlaps with Black Basta
The Golden Scale operation shows significant overlaps with the established Black Basta ransomware. The discovery scripts and the network scanner used in the Golden Scale incident are identical to those previously observed in Black Basta operations. Furthermore, the TOX chat server ID provided in the Golden Scale ransom note for negotiations was also used in prior Black Basta incidents. These technical overlaps link the new Golden Scale ransomware to the existing activities of the ShinySp1d3r threat group, which has a documented history of developing and operating various ransomware families, including BlackCat/ALPHV.
Source: https://unit42.paloaltonetworks.com/new-shinysp1d3r-ransomware/