Gold Waterfall

Threat Actor Profile Updated 24 days ago
GOLD WATERFALL is a notable threat actor known for operating the Darkside ransomware. The group was previously affiliated with REvil before developing and deploying its own ransomware, Darkside. Within less than a year of operation, GOLD WATERFALL reportedly accumulated $90 million, with an average ransom demand per victim significantly higher than that of other groups, such as the now-defunct Maze ransomware group.

The group has been observed using Cobalt Strike for lateral movement within compromised environments before deploying its ransomware. Its operations have caused significant disruption, most notably the attack on the Colonial Pipeline network in the eastern U.S., which resulted in substantial fuel delivery problems; the U.S. Federal Bureau of Investigation (FBI) attributed that incident to GOLD WATERFALL. To maintain persistence, GOLD WATERFALL used tools such as the Non-Sucking Service Manager (nssm.exe) to install Tor as a service, further complicating efforts to track and mitigate its activity.

GOLD WATERFALL has also shown advanced capability in obscuring its financial transactions. Unlike most groups, which require payment in Bitcoin, GOLD WATERFALL has in the past accepted Monero, a cryptocurrency known for its enhanced privacy features. The group also pays its affiliates in mixed or 'tumbled' cryptocurrency, a method used to obscure the movement of funds between wallets and reduce the chances of detection and seizure.

As of May 13, GOLD WATERFALL ended its Ransomware-as-a-Service (RaaS) operations, but the group's future activities remain uncertain.
Possible Aliases / Cluster overlaps
Tracking cluster overlaps and naming conventions between vendors is difficult, so the following are possible overlapping names and profiles that may also be worth reviewing.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Associated Malware
No associations to display
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Gold Waterfall threat actor was drawn from the source documents listed below (this display is limited to 20 results).
Source / Created / Title
Secureworks (a year ago): Phases of a Post-Intrusion Ransomware Attack
Secureworks (a year ago): Ransomware Evolution