>samit_hota
Back to adversary profiles
G0115CriticalDisbanded

GOLD SOUTHFIELD: The Rise and Fall of the REvil Ransomware Empire

Samit Hota·
Suspected Origin
Russia / Russian-speaking
Motivation
Financial Gain
Aliases
Pinchy Spider
Target Sectors
Critical Infrastructure, Government, Technology, Manufacturing, Food Processing, Financial Services, Managed Service Providers (MSPs), Legal, Healthcare, Data Centers
Associated Malware
REvil (Sodinokibi), GandCrab, ConnectWise Control, Cobalt Strike, Certutil, VIDAR
#threat-actor#g0115

Overview

GOLD SOUTHFIELD, also widely known by its alias Pinchy Spider, and infamously as the operators of the REvil (or Sodinokibi) ransomware, was a highly sophisticated and financially motivated cybercriminal group. Active since at least 2018 with their GandCrab ransomware, they quickly evolved into one of the most prolific and impactful ransomware-as-a-service (RaaS) operations in history. Our intelligence indicates that GOLD SOUTHFIELD originated from Russia or Russian-speaking regions, a conclusion supported by their consistent policy of not targeting organizations within Russia or other Commonwealth of Independent States (CIS) countries.

The group’s operational model was built on a RaaS framework, where the core GOLD SOUTHFIELD team developed and maintained the REvil ransomware and its backend infrastructure. They recruited affiliates through underground forums to distribute the malware and execute attacks. This partnership program allowed affiliates to keep a significant percentage of ransom payments, often a 60-40 or even 70-30 split in their favor, incentivizing widespread attacks. By early 2020, GOLD SOUTHFIELD became a pioneer in the “double extortion” tactic, not only encrypting victims’ data but also exfiltrating sensitive information and threatening to publish it on their dedicated “Happy Blog” leak site or auction it on underground forums if ransoms were not paid.

REvil is largely considered a direct successor to the GandCrab ransomware, which GOLD SOUTHFIELD (then known as Pinchy Spider) also operated. The transition occurred around April 2019, shortly after the GandCrab operators announced their retirement, and analysis revealed significant code similarities between the two ransomware strains. This evolution demonstrated the group’s adaptability and commitment to maximizing financial gain.

Tactics & Techniques

GOLD SOUTHFIELD, through its REvil affiliates, employed a range of aggressive and adaptable tactics to achieve initial access and propagate their ransomware. A common entry vector involved exploiting publicly-facing application vulnerabilities, including those in Oracle WebLogic, Citrix, Pulse Secure, Fortinet, and Microsoft Exchange servers. They also leveraged publicly accessible Remote Desktop Protocol (RDP) servers and remote monitoring and management (RMM) software to gain initial footholds. Malicious spam campaigns (malspam) and targeted phishing emails were also observed methods for distributing REvil.

A particularly effective tactic was supply chain compromise, where GOLD SOUTHFIELD backdoored legitimate software installers or breached Managed Service Providers (MSPs) to deliver ransomware to a wide array of downstream clients. The notorious Kaseya VSA attack in 2021 is a prime example of this strategy.

Once inside a network, GOLD SOUTHFIELD affiliates demonstrated sophisticated post-exploitation capabilities. They staged and executed PowerShell scripts, often base64 encoded, for various purposes, including enumeration and payload deployment. For lateral movement and command and control, they were known to utilize legitimate remote access tools like ConnectWise Control and powerful penetration testing tools such as Cobalt Strike, deploying “beacons” to maintain persistent access and control over compromised machines.

Defense evasion was a core component of their operations. Affiliates would attempt to disable endpoint protection tools, reboot systems into Safe Mode to bypass security software during encryption, and seek out and compromise security management consoles to disable protections across the network. The REvil malware itself was designed to be difficult to detect and highly evasive.

The group’s motivation was purely financial, driving them to target high-value organizations capable of paying substantial ransoms, a strategy often referred to as “big game hunting.” Beyond data encryption, their double extortion model added immense pressure on victims, with threats of public data leaks or auctions of stolen information if demands were not met. There were also discussions of adopting triple extortion, incorporating Distributed Denial of Service (DDoS) attacks.

Notable Campaigns

Throughout its operational lifespan, GOLD SOUTHFIELD, primarily through its REvil ransomware, was responsible for numerous high-profile and disruptive cyber incidents:

  • Texas Local Governments (2019): In a coordinated attack, several local government entities in Texas fell victim to REvil ransomware.
  • CyrusOne (2019): A major US data center provider suffered a ransomware attack impacting its services.
  • Travelex (Late 2019/Early 2020): This global foreign exchange company was severely crippled, leading to significant operational disruption and eventually its entry into administration.
  • Kenneth Cole Productions (February 2020): The fashion house was hit, and the group later published stolen financial and personal customer data.
  • Grubman Shire Meiselas & Sacks (May 2020): This New York-based entertainment law firm, with a high-profile client list, was breached, and GOLD SOUTHFIELD reportedly attempted to extort then-U.S. President Donald Trump for $42 million with stolen data.
  • Acer (March 2021): The electronics and computer manufacturer was targeted, with attackers demanding a $50 million ransom after exploiting vulnerabilities in Microsoft Exchange servers.
  • Quanta Computer (April 2021): A key Apple supplier was breached, leading to the theft of confidential design schematics for unreleased Apple products, and a $50 million ransom demand (later escalating to $100 million).
  • JBS Foods (May 2021): As the world’s largest meat supplier, JBS suffered significant disruptions to its beef, poultry, and pork processing operations globally, ultimately paying an $11 million ransom.
  • Kaseya VSA Supply Chain Attack (July 2021): This was one of the most impactful incidents, where GOLD SOUTHFIELD exploited a zero-day vulnerability in Kaseya’s VSA remote management software. This allowed them to push ransomware updates through MSPs to up to 1,500 businesses worldwide, severely affecting critical services, including the closure of 800 Coop grocery stores in Sweden.
  • HX5 (July 2021): A Florida-based space and weapon-launch technology contractor, with clients including the US Army, Navy, Air Force, and NASA, was compromised, and stolen documents were released on their Happy Blog.

Associated Malware & Tools

The primary malware associated with GOLD SOUTHFIELD is REvil, also known as Sodinokibi. This ransomware was the group’s flagship offering, developed and constantly refined to ensure its effectiveness and evasiveness.

Prior to REvil, the group was responsible for the development and operation of GandCrab ransomware, which was active from at least January 2018.

Beyond their proprietary ransomware, GOLD SOUTHFIELD and its affiliates utilized a variety of off-the-shelf and legitimate tools to facilitate their operations:

  • ConnectWise Control: A cloud-based remote management and monitoring (RMM) tool, used for deploying REvil and obtaining screen captures.
  • Cobalt Strike: A commercial penetration testing tool frequently abused by threat actors for post-exploitation activities, including lateral movement and establishing persistent beacons.
  • Certutil: A legitimate Windows command-line utility for managing certificates, sometimes misused for decoding data or downloading payloads.
  • VIDAR: An information stealer, potentially used by affiliates to collect credentials and other sensitive data prior to ransomware deployment.
  • DanaBot and Taurus Loader: These loaders and banking Trojans were observed distributing GandCrab and Sodinokibi ransomware in earlier campaigns, indicating partnerships with other criminal groups.

Current Status

GOLD SOUTHFIELD, as the operators of the REvil RaaS, faced significant disruption beginning in 2021. Their infrastructure, including dark web leak sites, was forced offline in July 2021, followed by a reported hack of their servers in October 2021.

The major blow came in January 2022, when the Russian Federal Security Service (FSB), acting on intelligence provided by U.S. authorities, announced it had “dismantled” the REvil ransomware group. This operation led to 14 arrests across Russia and the seizure of substantial assets, including cryptocurrency, cash, and luxury vehicles acquired with ransomware profits. Law enforcement efforts also resulted in indictments and arrests of several affiliates and members in other countries, including Belarus (2020), Romania and Kuwait (2021), and Ukraine (2021). Crucially, the FBI obtained and released a master decryption key, allowing many victims to recover their data without paying the ransom.

While there were reports of REvil’s infrastructure briefly resuming activity and new samples being uploaded in April 2022, indicating possible attempts at re-emergence by developers with access to the original source code, these efforts appear to have been largely unsuccessful or unsustained as a major, coordinated operation. Most recent analyses refer to REvil’s “demise” and “shutdown” as a significant, albeit temporary, victory in the fight against ransomware.

Given the coordinated law enforcement actions, arrests, and the sustained disruption of their infrastructure, GOLD SOUTHFIELD is considered largely disbanded in its original, highly organized form. However, the threat landscape is dynamic, and while REvil as a specific brand may be defunct, the tactics and former affiliates could re-emerge under new monikers or join other RaaS operations, emphasizing the need for continued vigilance against evolving ransomware threats.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call