GOLD VILLAGE
SUMMARY
GOLD VILLAGE was a group of financially motivated cybercriminals responsible for the development of the Maze ransomware and associated infrastructure. Active from May 2019 to November 2020, GOLD VILLAGE self-identified as the Maze Team. Maze was distributed by high-volume spam campaigns, browser exploit kits, brute-forcing of remote access services, and scan-and-exploit attacks against Internet-facing infrastructure. Over its lifetime, Maze was increasingly used to perpetrate organization-wide ransomware deployments. In November 2019, Maze became notable for regularly exfiltrating large volumes of data from victims' networks prior to executing the ransomware, and then threatening victims with public release of the data as additional leverage to compel payment of the ransom.
GOLD VILLAGE was thought to have operated Maze using a ransomware-as-a-service (RaaS) model in which individual affiliates redistributed the malware during their own attacks. In addition to operating Maze on behalf of others, the GOLD VILLAGE principals likely continued perpetrating attacks on their own behalf. In June 2020, GOLD VILLAGE introduced the "Maze Cartel" concept, which created a confederation of ransomware operators including those using Maze, Ragnar Locker, LockBit, and purportedly SunCrypt. In November 2020, GOLD VILLAGE publicly announced the cessation of operations and disclaimed the existence of the "Maze Cartel."