GOLD SOUTHFIELD
Also known as: Pinchy Spider
Overview
GOLD SOUTHFIELD is a financially motivated threat group, active since at least 2018, that operates the REvil Ransomware-as-a-Service (RaaS). GOLD SOUTHFIELD provides the backend infrastructure for affiliates recruited on underground forums to carry out high-value deployments. By early 2020, GOLD SOUTHFIELD had started capitalizing on the then-new trend of stealing data and further extorting victims to pay so that their data is not publicly leaked.
Capabilities
- Supply-chain compromise — ATT&CK T1195.002
- Exploitation of public-facing / client applications — ATT&CK T1190
TTPs — 9 techniques across 6 tactics
Initial Access
- T1190 Exploit Public-Facing Application
- T1195.002 Compromise Software Supply Chain
- T1199 Trusted Relationship
- T1566 Phishing
Execution
- T1059.001 PowerShell
Persistence
- T1133 External Remote Services
Stealth
- T1027.010 Command Obfuscation
Collection
- T1113 Screen Capture
Command and Control
- T1219 Remote Access Tools
Tools & malware (2)
- ConnectWise
- REvil
Reporting (3)
- The Evolution of PINCHY SPIDER from GandCrab to REvil — Meyers, Adam
- REvil/Sodinokibi Ransomware — Counter Threat Unit Research Team
- REvil: The GandCrab Connection — Secureworks