GOLD WATERFALL
SUMMARY
GOLD WATERFALL is a group of financially motivated cybercriminals responsible for the creation, distribution, and operation of the Darkside and BlackMatter ransomware families. Active since August 2020, GOLD WATERFALL uses a variety of tactics, techniques, and procedures (TTPs) to infiltrate and move laterally within targeted organizations to deploy Darkside ransomware to its most valuable resources. Among these TTPs are using malicious documents delivered by email to establish a foothold and using stolen credentials to access victims' remote access services. In November 2020, the "darksupp" persona was observed advertising an affiliate program on several semi-exclusive underground forums, marking GOLD WATERFALL's entry into the ransomware-as-a-service (RaaS) landscape.
GOLD WATERFALL advertises in the Russian language and requires affiliates to speak Russian. The group also disallows operations in the Russian Federation, or its near abroad, including the Commonwealth of Independent States (CIS) countries, and against close allies such as Syria. GOLD WATERFALL offers to provide qualified affiliates with a favorable profit-sharing arrangement and offensive security tools (OSTs) such as Cobalt Strike and Immunity CANVAS to use in attacks. Like other ransomware groups, GOLD WATERFALL has sought to elevate its notoriety by claiming that it only targets profitable organizations and excludes "medicine, education, public sector, and non-profits".
CTU researchers assess with high confidence that GOLD WATERFALL is an experienced cybercriminal group that previously operated as an affiliate of GOLD SOUTHFIELD's REvil ransomware. Darkside ransomware appears to be created independently of REvil or GandCrab but shares several architectural similarities that suggest that the Darkside author is familiar with those families. In February 2020, third-party researchers asserted Darkside was operated by the GOLD NIAGARA (also known as CARBON SPIDER or FIN7) threat group, but CTU researchers have been unable to corroborate those findings with independent observations.
In May 2021, an affiliate of GOLD WATERFALL used Darkside to attack U.S.-based Colonial Pipeline, resulting in a week-long shutdown of pipelines delivering refined petroleum to large portions of the U.S. eastern seaboard. The victim paid the ransom, but U.S. law enforcement ultimately recovered the majority of the payment by seizing the bitcoins as they transited U.S. infrastructure. In late May, the "darksupp" persona was banned from the underground forum where Darkside partnerships were advertised. In late July, the "Blackmatter" persona began soliciting the purchase of access to corporate networks on underground forums. CTU researchers assess with moderate confidence that BlackMatter is operated by the GOLD WATERFALL threat group and with high confidence that it is a derivative of Darkside.