GOLD NORTHFIELD
SUMMARY
Operational since at least October 2020, GOLD NORTHFIELD is a financially motivated cybercriminal threat group that leverages GOLD SOUTHFIELD's REvil ransomware in its attacks. Rather than developing its own ransomware, the group replaces the configuration embedded in the REvil binary with its own, repurposing the ransomware for its operations. GOLD NORTHFIELD has given this modified REvil variant the name "LV ransomware".
GOLD NORTHFIELD operates multiple Tor-based ransom payment sites and at least two different name-and-shame leak sites, both of which are active and follow the same format but list mostly different victims. It is not yet understood why the group would operate two distinct leak sites. In posts made to the leak sites, GOLD NORTHFIELD typically threatens to publicly release sensitive information if victims do not initiate contact within 72 hours. The threat actors include screenshots of the victim's sensitive files to support their claims. However, it appears that none of the victims' data has been released as of this publication. It is unclear whether victims paid the ransom and the threat actors simply keep the full list of victims on the leak site as evidence of their conquests.
Although CTU researchers have not observed LV ransomware advertisements on underground forums as of this publication, variations in partner and campaign IDs across LV configurations and the practice of naming and shaming victims could indicate that GOLD NORTHFIELD may operate a ransomware-as-a-service (RaaS) offering.
Threat Analysis
LV Ransomware