Gold Mystic

Gold Mystic, also known as LockBit and Water Selkie, is a notable threat group that began ransomware operations in 2019. They adopted the LockBit name for their file-encrypting malware in 2020 and listed their first victims on the leak site in September of the same year. After a six-month period of apparent inactivity, Gold Mystic launched LockBit 2.0 in June 2021, an enhanced version of the ransomware that was touted as being more user-friendly and easier to implement. The group has had several iterations since its inception, including LockBit Red, LockBit Black, and LockBit Green, with the cybercrime syndicate also secretly developing a new version called LockBit-NG-Dev before its infrastructure was dismantled. Despite the dominance of established names like Gold Mystic (LockBit), Gold Blazer (BlackCat/ALPV), and Gold Tahoe (Cl0p) in the ransomware landscape, new groups are emerging and listing significant victim counts on "name and shame" leak sites. SecureWorks Counter Threat Unit (CTU), which is tracking the group under the name Gold Mystic, investigated 22 compromises featuring LockBit ransomware from July 2020 through January 2024, some of which relied solely on data theft to extort victims. Gold Mystic's LockBit remains at the forefront, with nearly three times the number of victims as the next most active group, BlackCat, operated by Gold Blazer. During the 12-month period covered, a LockBit operator, dubbed Gold Mystic by Secureworks, was the most active ransomware group, publishing nearly three times the number of victims as the next most active group, ALPHV(BlackCat), operated by a group known as Gold Blazer. According to Secureworks' observations based on 22 incident response engagements over the past three years, LockBit's origins can be traced back to Gold Mystic.