Description
[GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) is a financially motivated threat group active since at least 2018 that operates the [REvil](https://attack.mitre.org/software/S0496) Ransomware-as-a-Service (RaaS). [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) provides backend infrastructure for affiliates recruited on underground forums to perpetrate high-value deployments. By early 2020, [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) had started capitalizing on the new trend of stealing data and further extorting the victim to pay so that the stolen data is not leaked publicly.(Citation: Secureworks REvil September 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Secureworks GOLD SOUTHFIELD)(Citation: CrowdStrike Evolution of Pinchy Spider July 2021)
Techniques Used (TTPs)
- T1199 — Trusted Relationship (initial-access)
- T1190 — Exploit Public-Facing Application (initial-access)
- T1113 — Screen Capture (collection)
- T1219 — Remote Access Tools (command-and-control)
- T1195.002 — Compromise Software Supply Chain (initial-access)
- T1027.010 — Command Obfuscation (defense-evasion)
- T1133 — External Remote Services (persistence, initial-access)
- T1059.001 — PowerShell (execution)
- T1566 — Phishing (initial-access)
Total TTPs: 9
Malware & Tools
Malware: REvil
Tools: ConnectWise