Gold Mystic

Malware updated 7 months ago (2024-05-05T02:18:10.801Z)
Gold Mystic, also known as LockBit and Water Selkie, is a notable threat group that began ransomware operations in 2019. The group adopted the LockBit name for its file-encrypting malware in 2020 and listed its first victims on the leak site in September of the same year. After a six-month period of apparent inactivity, Gold Mystic launched LockBit 2.0 in June 2021, an enhanced version of the ransomware that was touted as being more user-friendly and easier to implement. The ransomware has gone through several iterations since its inception, including LockBit Red, LockBit Black, and LockBit Green, and the cybercrime syndicate was also secretly developing a new version called LockBit-NG-Dev before its infrastructure was dismantled.

Despite the dominance of established names like Gold Mystic (LockBit), Gold Blazer (BlackCat/ALPHV), and Gold Tahoe (Cl0p) in the ransomware landscape, new groups are emerging and listing significant victim counts on "name and shame" leak sites. Secureworks Counter Threat Unit (CTU), which is tracking the group under the name Gold Mystic, investigated 22 compromises featuring LockBit ransomware from July 2020 through January 2024, some of which relied solely on data theft to extort victims. Gold Mystic's LockBit remains at the forefront, with nearly three times the number of victims as the next most active group, BlackCat, operated by Gold Blazer. During the 12-month period covered, a LockBit operator, dubbed Gold Mystic by Secureworks, was the most active ransomware group, publishing nearly three times the number of victims as the next most active group, ALPHV (BlackCat), operated by a group known as Gold Blazer. According to Secureworks' observations based on 22 incident response engagements over the past three years, LockBit's origins can be traced back to Gold Mystic.
Description last updated: 2024-05-05T01:45:02.611Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
| Alias Description | Votes |
| --- | --- |
| Lockbit is a possible alias for Gold Mystic. LockBit is a malicious software, or malware, known for its damaging and exploitative functions. It infiltrates systems via dubious downloads, emails, or websites, often without the user's knowledge, and can steal personal information, disrupt operations, or hold data hostage for ransom. The LockBit | 3 |
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Associated Threat Actors
| Alias Description | Association Type | Votes |
| --- | --- | --- |
| The Gold Blazer Threat Actor is associated with Gold Mystic. GOLD BLAZER is a threat actor identified as the operator of the BlackCat/ALPHV ransomware. This group, along with others such as GOLD MYSTIC (LockBit) and GOLD TAHOE (Cl0p), continues to dominate the ransomware landscape. While these established groups maintain their stronghold, new threat actors are | Unspecified | 2 |