G0115

GOLD SOUTHFIELD

Also known as: GOLD SOUTHFIELD


Profile

GOLD SOUTHFIELD is a financially motivated cybercriminal threat group that authors and operates the REvil (aka Sodinokibi) ransomware on behalf of various affiliated threat groups. Operational since April 2019, the group obtained the GandCrab source code from GOLD GARDEN, the operators of GandCrab, who voluntarily withdrew their ransomware from underground markets in May 2019. GOLD SOUTHFIELD is responsible for authoring REvil and for operating the backend infrastructure that affiliates (also called partners) use to create malware builds and to collect ransom payments from victims. CTU researchers assess with high confidence that GOLD SOUTHFIELD is a former GandCrab affiliate and continues to work with other former GandCrab affiliates.


MITRE ATT&CK Group crosswalk

G0115


Related by meaning

Nearest entities by semantic similarity across the cs-graph corpus.

  - Actor: GOLD NORTHFIELD
  - Actor: GOLD GARDEN
  - Software: REvil
  - Actor: GOLD WATERFALL
  - Actor: GOLD REBELLION
  - Actor: GOLD DUPONT

Sourced from MISP-Galaxy Threat Actor cluster. Curated by Adam Lundqvist, Founder at SQUR.