GOLD SOUTHFIELD

Also known as: Pinchy Spider (also written PINCHY SPIDER)

GOLD SOUTHFIELD is a financially motivated threat group, active since at least 2018, that operates the REvil Ransomware-as-a-Service (RaaS). GOLD SOUTHFIELD provides the backend infrastructure used by affiliates, recruited on underground forums, to carry out high-value deployments. By early 2020, GOLD SOUTHFIELD had adopted the then-new practice of stealing data before encryption and extorting the victim a second time with the threat of publicly leaking it. [2][3][4][5]

ATT&CK ID: G0115


Activities and Tactics

Information pending cataloguing.

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

Information pending cataloguing.

Notable Indicators of Compromise (IOCs)

No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.

Malware and Tools

  • CyberGate
  • Cyber Eye RAT
  • Archelaus Beta

Attribution and Evidence

Information pending cataloguing.

References

[1] MITRE ATT&CK, GOLD SOUTHFIELD (G0115), MITRE ATT&CK entry
[2] Secureworks, REvil, September 2019
[3] Secureworks, GandCrab and REvil, September 2019
[4] Secureworks, GOLD SOUTHFIELD threat profile
[5] CrowdStrike, Evolution of Pinchy Spider, July 2021