GOLD SOUTHFIELD

Threat Actor updated 4 months ago (2024-05-04T21:18:23.003Z)

Download STIX

Preview STIX

Gold Southfield is a threat actor group known for its malicious cyber activities. Secureworks® Counter Threat Unit™ (CTU) researchers have found significant overlaps in the code structure of LV ransomware and REvil, a ransomware operated by Gold Southfield. This suggests that Gold Southfield may have sold or shared the source code, or it could have been stolen. Furthermore, similarities between REvil and GandCrab ransomware suggest a connection between Gold Southfield and another threat group, Gold Garden. Gold Southfield has also been linked to the distribution of Sodinokibi ransomware through ScreenConnect/ConnectWise, highlighting their use of remote desktop management software for their operations. In 2020, unauthorized manipulation of REvil by another threat group, Gold Northfield, was observed. This action is likely to prompt Gold Southfield to implement additional anti-tamper controls and modify configuration storage and processing to prevent future tampering attempts. Gold Southfield's methods appear to be adopted by Gold Northfield, including the tracking of individual Ransomware-as-a-Service (RaaS) partners and campaigns. Despite announcing the cessation of its RaaS operation, Gold Southfield did not indicate refraining from deploying ransomware, implying continued threats. In March 2021, a member of Gold Southfield hinted at a shift in their target selection strategy. They suggested that future victims would be identified by targeting cyber insurance providers and identifying their customers. This new approach shows an evolution in their tactics and a potential increase in threat level. Gold Southfield, along with other groups like Gold Waterfall, has accepted cryptocurrencies like Bitcoin and Monero as ransom payments in the past, further complicating the tracking and prosecution of these threat actors.

Description last updated: 2024-05-04T20:56:55.336Z

What's your take? (Question 1 of 2)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.

ID	Votes	Profile Description
REvil	3	REvil is a type of malware, specifically ransomware, that has been linked to significant cyber attacks. It emerged as part of the Ransomware as a Service (RaaS) model that gained popularity in 2020. This model established relationships between first-stage malware and subsequent ransomware attacks, s

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Ransomware

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

ID	Type	Votes	Profile Description
Gandcrab	Unspecified	2	GandCrab, a threat actor, is known for its malicious activities involving ransomware attacks. Originating from Russian origins and evolving from Team Truniger, a former GandCrab affiliate, the group has been linked to numerous ransomware variants including Bad Rabbit, LockBit 2.0, STOP/DJVU, and REv

Source Document References

Information about the GOLD SOUTHFIELD Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
MITRE	2 years ago	Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies
MITRE	2 years ago	REvil/Sodinokibi Ransomware
MITRE	2 years ago	REvil Ransomware: The GandCrab Connection
Secureworks	2 years ago	Ransomware Evolution
Secureworks	2 years ago	LV Ransomware