GOLD HERON
SUMMARY
GOLD HERON was a financially motivated cybercriminal threat group responsible for distributing the DoppelPaymer and Grief ransomware families. CTU researchers assess with moderate confidence that GOLD HERON was composed of former operators from the GOLD DRAKE threat group. At the time of the split, GOLD DRAKE operated both the BitPaymer ransomware and the Dridex botnet, and GOLD HERON was thought to possess the source code for both malware families. GOLD HERON adopted the name DoppelPaymer for its ransomware after security researchers used that moniker to refer to it publicly. Intrusions relied largely on a modified Dridex build, colloquially referred to as Dridex 2.0, for both initial access and lateral movement. GOLD HERON used spam emails, sometimes sent via the Cutwail v2 botnet, to deliver Dridex onto victims' networks. PowerShell Empire or Cobalt Strike was frequently deployed alongside Dridex to augment its capabilities.
In January 2022, GOLD HERON, then the only active operator of Dridex, ceased actively distributing the malware. The number of victims posted to the Grief leak site steadily decreased until the site went offline permanently on May 2, 2022.