Gold Mystic

Malware Profile Updated 3 months ago
Gold Mystic, also known as LockBit and Water Selkie, is a notable threat group that began ransomware operations in 2019. They adopted the LockBit name for their file-encrypting malware in 2020 and listed their first victims on the leak site in September of the same year. After a six-month period of apparent inactivity, Gold Mystic launched LockBit 2.0 in June 2021, an enhanced version of the ransomware that was touted as being more user-friendly and easier to implement. The group has had several iterations since its inception, including LockBit Red, LockBit Black, and LockBit Green, and the cybercrime syndicate was also secretly developing a new version called LockBit-NG-Dev before its infrastructure was dismantled.

Despite the dominance of established names like Gold Mystic (LockBit), Gold Blazer (BlackCat/ALPHV), and Gold Tahoe (Cl0p) in the ransomware landscape, new groups are emerging and listing significant victim counts on "name and shame" leak sites. Gold Mystic's LockBit remains at the forefront: during the 12-month period covered, the LockBit operator, dubbed Gold Mystic by Secureworks, was the most active ransomware group, publishing nearly three times as many victims as the next most active group, ALPHV (BlackCat), operated by a group known as Gold Blazer.

Secureworks Counter Threat Unit (CTU), which is tracking the group under the name Gold Mystic, investigated 22 compromises featuring LockBit ransomware from July 2020 through January 2024, some of which relied solely on data theft to extort victims. According to Secureworks' observations based on 22 incident response engagements over the past three years, LockBit's origins can be traced back to Gold Mystic.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
| ID | Votes | Profile Description |
|---|---|---|
| Lockbit | 2 | LockBit is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them. It can enter your system through various channels such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt |
| Water Selkie | 1 | None |
| Lockbit Green | 1 | LockBit, also known as Gold Mystic and Water Selkie, is a notorious ransomware group that has been active since its inception in September 2019. It has developed several variants of its malware over the years, including LockBit 1.0, LockBit 2.0, LockBit 3.0, and most recently, LockBit Green. The gro |
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Malware
Secureworks
Cybercrime
Associated Malware
| ID | Type | Votes | Profile Description |
|---|---|---|---|
| Clop | Unspecified | 1 | Clop is a notorious malware, short for malicious software, known for its disruptive and damaging effects on computer systems. It primarily infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, Clop can steal personal information, disrupt o |
Associated Threat Actors
| ID | Type | Votes | Profile Description |
|---|---|---|---|
| Gold Blazer | Unspecified | 2 | GOLD BLAZER is a threat actor identified as the operator of the BlackCat/ALPHV ransomware. This group, along with others such as GOLD MYSTIC (LockBit) and GOLD TAHOE (Cl0p), continues to dominate the ransomware landscape. While these established groups maintain their stronghold, new threat actors are |
| Alphv | Unspecified | 1 | AlphV, also known as BlackCat, is a notable threat actor in the cybersecurity landscape. This group has been involved in numerous high-profile attacks, including stealing 5TB of data from Morrison Community Hospital and compromising Clarion, a global manufacturer of audio and video equipment for car |
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Gold Mystic Malware was read from the documents corpus below.
| Source | Created At | Title |
|---|---|---|
| CERT-EU | 8 months ago | Ransomware Dwell Time Hits Low of 24 Hours \| #ransomware \| #cybercrime \| National Cyber Security Consulting |
| InfoSecurity-magazine | 10 months ago | Record Numbers of Ransomware Victims Named on Leak Sites |
| CERT-EU | 5 months ago | Authorities Claim LockBit Admin "LockBitSupp" Has Engaged with Law Enforcement \| #cybercrime \| #infosec \| National Cyber Security Consulting |
| CERT-EU | 5 months ago | LockBit Ransomware Threat Persists \| MSSP Alert \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #ransomware \| National Cyber Security Consulting |
| CERT-EU | 5 months ago | U.S. Offers $15 Million Bounty to Hunt Down LockBit Ransomware Leaders \| #ransomware \| #cybercrime \| National Cyber Security Consulting |