GOLD WATERFALL is a notable threat actor in the cybersecurity landscape, known for its operation of the Darkside ransomware. This group was previously affiliated with REvil before developing and deploying its own ransomware, Darkside. Within less than a year of operation, GOLD WATERFALL reportedly accumulated $90 million, with an average ransom demand per victim significantly higher than that of other groups like the now-defunct Maze ransomware group. The group has also been identified as using sophisticated techniques such as Cobalt Strike for lateral movement within compromised environments prior to deploying their ransomware.
The group's operations have caused significant disruption, notably in the case of an attack on the Colonial Pipeline network in the eastern U.S., which resulted in substantial fuel delivery issues. This incident was attributed to GOLD WATERFALL by the U.S. Federal Bureau of Investigation (FBI). To maintain persistence in their operations, GOLD WATERFALL utilized tools like the Non-Sucking Service Manager (nssm.exe) to install Tor as a service, further complicating efforts to track and mitigate their activities.
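As an added defender-side illustration (not from this profile's source or any vendor tooling), the check below runs over service-installation events and flags the persistence pattern described above: the NSSM wrapper registered as a service, or a service whose executable is tor.exe. The event records, service names and paths are constructed, and the WrappedApplication field stands in for the program NSSM stores under the service's Parameters\Application registry value.

```python
import ntpath
import re

# Constructed records shaped like Windows System-log Event ID 7045
# ("A service was installed in the system"). Names and paths are invented
# for this example; none are indicators taken from the profile above.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "wuauserv2",
     "ImagePath": r"C:\Windows\System32\svchost.exe -k netsvcs",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "UpdateHelper",
     "ImagePath": r"C:\ProgramData\svc\nssm.exe",
     "WrappedApplication": r"C:\ProgramData\svc\tor.exe",  # constructed stand-in
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "BackupAgent",
     "ImagePath": r"C:\Users\Public\tor.exe -f torrc",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"EventID": 7036, "ServiceName": "UpdateHelper", "ImagePath": ""},
]

WRAPPERS = {"nssm.exe"}        # NSSM service-wrapper binary name
TOR_BINARIES = {"tor.exe"}
# Directories from which a legitimate auto-start service rarely runs.
USER_WRITABLE = re.compile(r"^[a-z]:\\(users|programdata|windows\\temp)\\", re.I)


def _executable(image_path: str) -> str:
    """Basename of the executable in a service ImagePath (quotes and arguments dropped)."""
    s = image_path.strip()
    s = s[1:].split('"', 1)[0] if s.startswith('"') else s.split(" ", 1)[0]
    return ntpath.basename(s).lower()


def classify_event(event: dict) -> list[str]:
    """Reasons a 7045 event matches the NSSM/Tor persistence pattern; empty if none."""
    if event.get("EventID") != 7045:
        return []
    image = event.get("ImagePath", "")
    exe = _executable(image)
    wrapped = ntpath.basename(event.get("WrappedApplication", "")).lower()
    reasons = []
    if exe in WRAPPERS:
        reasons.append("service binary is the NSSM wrapper")
    if exe in TOR_BINARIES or wrapped in TOR_BINARIES:
        reasons.append("service runs tor.exe")
    if USER_WRITABLE.match(image.strip().strip('"')) and event.get("StartType", "").startswith("auto"):
        reasons.append("auto-start service from user-writable path")
    return reasons


def find_suspicious_services(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Return (service name, reasons) for every event that triggers at least one check."""
    return [(ev["ServiceName"], r) for ev in events if (r := classify_event(ev))]


if __name__ == "__main__":
    for name, reasons in find_suspicious_services(SAMPLE_EVENTS):
        print(f"{name}: {'; '.join(reasons)}")
```

On a live host the same checks apply to the ImagePath from Event ID 7045 plus the Parameters\Application value of any service whose binary is nssm.exe.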
Moreover, GOLD WATERFALL has demonstrated advanced capabilities in obfuscating their financial transactions. Unlike most groups that require Bitcoin, GOLD WATERFALL has accepted Monero in the past, a cryptocurrency known for its enhanced privacy features. The group also pays its affiliates with mixed or 'tumbled' cryptocurrencies, a method used to obscure the transit of cash between wallets and limit chances of detection and seizure. As of May 13, GOLD WATERFALL ended its Ransomware-as-a-Service (RaaS) operations, but the future activities of this group remain uncertain.
Description last updated: 2023-10-11T01:37:17.064Z