GOLD NORTHFIELD
SUMMARY
2025-02-03 (mitchell)
GOLD NORTHFIELD is a financially motivated cybercriminal threat group that repurposed GOLD SOUTHFIELD's REvil ransomware for its own name-and-shame extortion attacks. To do this, the threat actors replaced the embedded configuration of the REvil ransomware binary with their own and named the modified variant "LV ransomware". GOLD NORTHFIELD posted its first victim name to a leak site in March 2021, and by late November 2022, when the group appeared to shutter its operation, nearly 120 victims had been named.
GOLD NORTHFIELD operated multiple Tor-based ransom payment sites and at least two distinct name-and-shame leak sites. Both leak sites followed the same format but listed mostly different victims; it is not clear why the group operated two of them. GOLD NORTHFIELD typically threatened to publicly release sensitive information if victims did not initiate contact within 72 hours, and the threat actors included screenshots of the victim's sensitive files to support their claims.
Although CTU researchers did not observe GOLD NORTHFIELD advertising for affiliates on underground forums, variations in partner and campaign IDs across LV configurations suggest that LV ransomware may have been deployed by multiple individuals.