Gold Waterfall

Threat Actor Profile Updated 3 months ago
GOLD WATERFALL is a notable threat actor in the cybersecurity landscape, known for operating the Darkside ransomware. The group was previously affiliated with REvil before developing and deploying its own ransomware, Darkside. Within less than a year of operation, GOLD WATERFALL reportedly accumulated $90 million, with an average ransom demand per victim significantly higher than that of other groups such as the now-defunct Maze ransomware group. The group has also been observed using Cobalt Strike for lateral movement within compromised environments prior to deploying its ransomware. Its operations have caused significant disruption, most notably the attack on the Colonial Pipeline network in the eastern U.S., which resulted in substantial fuel delivery issues; the U.S. Federal Bureau of Investigation (FBI) attributed that incident to GOLD WATERFALL. To maintain persistence, GOLD WATERFALL used tools such as the Non-Sucking Service Manager (nssm.exe) to install Tor as a service, further complicating efforts to track and mitigate its activities. GOLD WATERFALL has also demonstrated advanced capabilities in obscuring its financial transactions. Unlike most groups, which require Bitcoin, GOLD WATERFALL has in the past accepted Monero, a cryptocurrency known for its enhanced privacy features. The group also pays its affiliates with mixed or 'tumbled' cryptocurrency, a method used to obscure the movement of funds between wallets and limit the chances of detection and seizure. As of May 13, GOLD WATERFALL ended its Ransomware-as-a-Service (RaaS) operations, but the group's future activities remain uncertain.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names / profiles you may also want to look at.
ID | Votes | Profile Description
DarkSide | 1 | DarkSide is a notable threat actor that emerged in the cybersecurity landscape with its advanced ransomware operations. In 2021, the group gained significant attention for its attack on the United States' largest oil pipeline, Colonial Pipeline, causing a temporary halt to all operations for three d
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
RaaS
Bitcoin
Ransomware
Lateral Move...
Ransom
Associated Malware
ID | Type | Votes | Profile Description
REvil | Unspecified | 1 | REvil is a notorious form of malware, specifically ransomware, that infiltrates systems to disrupt operations and steal data. The ransomware operates on a Ransomware as a Service (RaaS) model, which gained traction in 2020. In this model, REvil, like other first-stage malware such as Dridex and Goot
Maze Ransomware | Unspecified | 1 | Maze ransomware is a type of malware that emerged in 2019, employing a double extortion tactic to wreak havoc on its victims. This malicious software infiltrates systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data hostage for
Associated Threat Actors
ID | Type | Votes | Profile Description
GOLD SOUTHFIELD | Unspecified | 1 | Gold Southfield is a threat actor group known for its malicious cyber activities. Secureworks® Counter Threat Unit™ (CTU) researchers have found significant overlaps in the code structure of LV ransomware and REvil, a ransomware operated by Gold Southfield. This suggests that Gold Southfield may hav
Associated Vulnerabilities
ID | Type | Votes | Profile Description
Gold Waterfall (Darkside | Unspecified | 1 | None
Source Document References
Information about the Gold Waterfall threat actor was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
Secureworks | a year ago | Phases of a Post-Intrusion Ransomware Attack
Secureworks | a year ago | Ransomware Evolution