GOLD LOWELL
Objectives
Aliases
Tools
SUMMARY
GOLD LOWELL was a financially motivated cybercriminal threat group that targeted victims with organization-wide attacks using the Samas (also known as SamSam) ransomware. GOLD LOWELL was active from late 2015 through November 28, 2018, when the U.S. Department of Justice indicted the two Iranian nationals who operated the group. CTU researchers assess with moderate confidence that GOLD LOWELL was not operated at the direction of, or with the knowledge of, the Iranian government or its proxies. The group remained active until the day of the indictments, at which point it ceased operation. GOLD LOWELL targeted organizations of all sizes and verticals, mostly within the United States, and increasingly targeted entities in the United Kingdom towards the end of its operation.
Through 2016, GOLD LOWELL used scan-and-exploit tactics against vulnerable web applications, which were then used to access the target's internal network. From early 2017 until the cessation of activity, the group relied on weak authentication on publicly facing services, primarily remote access services such as RDP, to gain a foothold on the target network. These attacks relied heavily on compromised credentials acquired through a combination of self-operated brute force attacks and purchases from underground markets. Once inside a network, GOLD LOWELL used a variety of techniques to obtain Domain Administrator privileges and launch Samas from one or more domain controllers. The group used batch scripts to enumerate endpoints on the target network and PsExec to execute Samas on each in a systematic fashion.
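The two stages of the intrusion pattern described above (credential brute forcing against exposed RDP, then PsExec-driven mass execution from a domain controller) each leave a distinctive trace in Windows event logs. The following detection sketch is an added example and is not code from the original profile or from CTU; it runs over constructed sample events rather than real telemetry. It assumes the standard Windows event IDs 4625 (failed logon), 4624 (successful logon) with logon type 10 (RemoteInteractive, i.e. RDP), and 7045 (new service installed), and it assumes the default PsExec service name PSEXESVC; the thresholds and window sizes are illustrative choices, not values from the page.

```python
"""Detection sketch for the GOLD LOWELL intrusion pattern:
1. RDP brute force: many failed type-10 logons from one source, then a success.
2. PsExec fan-out: the same service installed on many hosts in a short window.
All events below are constructed sample data, not real log records."""
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(ts, host, event_id, src=None, user=None, logon_type=None, service=None):
    """Build one simplified Windows event record (constructed, not a real log)."""
    return {"ts": datetime.fromisoformat(ts), "host": host, "event_id": event_id,
            "src": src, "user": user, "logon_type": logon_type, "service": service}


SAMPLE_EVENTS = [
    # Six failed RDP logons from one external address, then a successful one.
    _ev("2018-01-15T02:00:01", "RDPGW01", 4625, src="198.51.100.23", user="admin", logon_type=10),
    _ev("2018-01-15T02:00:04", "RDPGW01", 4625, src="198.51.100.23", user="administrator", logon_type=10),
    _ev("2018-01-15T02:00:08", "RDPGW01", 4625, src="198.51.100.23", user="backup", logon_type=10),
    _ev("2018-01-15T02:00:12", "RDPGW01", 4625, src="198.51.100.23", user="jsmith", logon_type=10),
    _ev("2018-01-15T02:00:15", "RDPGW01", 4625, src="198.51.100.23", user="jsmith", logon_type=10),
    _ev("2018-01-15T02:00:19", "RDPGW01", 4625, src="198.51.100.23", user="jsmith", logon_type=10),
    _ev("2018-01-15T02:01:30", "RDPGW01", 4624, src="198.51.100.23", user="jsmith", logon_type=10),
    # Benign: a single typo from an internal address followed by success.
    _ev("2018-01-15T08:30:00", "RDPGW01", 4625, src="10.0.0.5", user="mlee", logon_type=10),
    _ev("2018-01-15T08:30:20", "RDPGW01", 4624, src="10.0.0.5", user="mlee", logon_type=10),
    # PSEXESVC installed on four workstations within two minutes (fan-out).
    _ev("2018-01-16T03:10:00", "WS001", 7045, service="PSEXESVC"),
    _ev("2018-01-16T03:10:20", "WS002", 7045, service="PSEXESVC"),
    _ev("2018-01-16T03:10:45", "WS003", 7045, service="PSEXESVC"),
    _ev("2018-01-16T03:11:10", "WS004", 7045, service="PSEXESVC"),
    # Unrelated one-off service install that should not be flagged.
    _ev("2018-01-16T09:00:00", "WS050", 7045, service="Backup Agent"),
]


def detect_rdp_bruteforce(events, fail_threshold=5, window=timedelta(minutes=10)):
    """Return (source_ip, user, n_failures, success_time) tuples for every
    successful RDP logon preceded by >= fail_threshold failed RDP logons from
    the same source within `window`."""
    failures = defaultdict(list)  # source_ip -> timestamps of failed type-10 logons
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] != 10:
            continue
        if ev["event_id"] == 4625:
            failures[ev["src"]].append(ev["ts"])
        elif ev["event_id"] == 4624:
            recent = [t for t in failures[ev["src"]] if ev["ts"] - t <= window]
            if len(recent) >= fail_threshold:
                alerts.append((ev["src"], ev["user"], len(recent), ev["ts"]))
    return alerts


def detect_psexec_fanout(events, host_threshold=3, window=timedelta(minutes=15)):
    """Return {service_name: sorted hosts} for every service name that was
    installed (event 7045) on >= host_threshold distinct hosts within `window`."""
    installs = defaultdict(list)  # service name -> [(timestamp, host)]
    for ev in events:
        if ev["event_id"] == 7045:
            installs[ev["service"]].append((ev["ts"], ev["host"]))
    hits = {}
    for svc, records in installs.items():
        records.sort()
        for i, (t0, _) in enumerate(records):
            hosts = {h for t, h in records[i:] if t - t0 <= window}
            if len(hosts) >= host_threshold:
                hits[svc] = sorted(hosts)
                break
    return hits


if __name__ == "__main__":
    for src, user, n, when in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(f"RDP brute force: {n} failures from {src} then success as {user} at {when}")
    for svc, hosts in detect_psexec_fanout(SAMPLE_EVENTS).items():
        print(f"Service fan-out: {svc} installed on {len(hosts)} hosts: {', '.join(hosts)}")
```

The first detector keys on the source address rather than the account name because a credential-stuffing or spraying run cycles through many usernames before one succeeds; the second keys on the service name because PsExec-style execution installs the same service on every target, so a burst of identical 7045 events across hosts is the signal regardless of which host (here, a domain controller) launched it.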
Threat Analysis
SamSam Ransomware Campaigns