Threat Actor Profile
Description
GOLD SOUTHFIELD is a financially motivated threat group active since at least 2018 that operates the REvil Ransomware-as-a-Service (RaaS). GOLD SOUTHFIELD provides backend infrastructure for affiliates recruited on underground forums to perpetrate high-value deployments. By early 2020, GOLD SOUTHFIELD had started capitalizing on the emerging trend of stealing data and further extorting the victim to pay so that the stolen data is not publicly leaked.(Citation: Secureworks REvil September 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Secureworks GOLD SOUTHFIELD)(Citation: CrowdStrike Evolution of Pinchy Spider July 2021)
Confidence Score
Known Aliases
GOLD SOUTHFIELD, Pinchy Spider
Tags
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
MITRE ATT&CK Techniques (9)
STIX Data
{'aliases': ['GOLD SOUTHFIELD', 'Pinchy Spider'],
'created': '2020-09-22T19:41:27.845Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': '[GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) is a '
'financially motivated threat group active since at least 2018 '
'that operates the '
'[REvil](https://attack.mitre.org/software/S0496) '
'Ransomware-as-a Service (RaaS). [GOLD '
'SOUTHFIELD](https://attack.mitre.org/groups/G0115) provides '
'backend infrastructure for affiliates recruited on '
'underground forums to perpetrate high value deployments. By '
'early 2020, [GOLD '
'SOUTHFIELD](https://attack.mitre.org/groups/G0115) started '
'capitalizing on the new trend of stealing data and further '
'extorting the victim to pay for their data to not get '
'publicly leaked.(Citation: Secureworks REvil September '
'2019)(Citation: Secureworks GandCrab and REvil September '
'2019)(Citation: Secureworks GOLD SOUTHFIELD)(Citation: '
'CrowdStrike Evolution of Pinchy Spider July 2021)',
'external_references': [{'external_id': 'G0115',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/groups/G0115'},
{'description': '(Citation: CrowdStrike Evolution of '
'Pinchy Spider July 2021)',
'source_name': 'Pinchy Spider'},
{'description': 'Counter Threat Unit Research Team. '
'(2019, September 24). '
'REvil/Sodinokibi Ransomware. '
'Retrieved August 4, 2020.',
'source_name': 'Secureworks REvil September 2019',
'url': 'https://www.secureworks.com/research/revil-sodinokibi-ransomware'},
{'description': 'Meyers, Adam. (2021, July 6). The '
'Evolution of PINCHY SPIDER from '
'GandCrab to REvil. Retrieved March '
'28, 2023.',
'source_name': 'CrowdStrike Evolution of Pinchy '
'Spider July 2021',
'url': 'https://www.crowdstrike.com/blog/the-evolution-of-revil-ransomware-and-pinchy-spider/'},
{'description': 'Secureworks . (2019, September 24). '
'REvil: The GandCrab Connection. '
'Retrieved August 4, 2020.',
'source_name': 'Secureworks GandCrab and REvil '
'September 2019',
'url': 'https://www.secureworks.com/blog/revil-the-gandcrab-connection'},
{'description': 'Secureworks. (n.d.). GOLD '
'SOUTHFIELD. Retrieved October 6, '
'2020.',
'source_name': 'Secureworks GOLD SOUTHFIELD',
'url': 'https://www.secureworks.com/research/threat-profiles/gold-southfield'}],
'id': 'intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a84133',
'modified': '2025-04-16T20:37:38.397Z',
'name': 'GOLD SOUTHFIELD',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'intrusion-set',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Thijn Bukkems, Amazon'],
'x_mitre_deprecated': False,
'x_mitre_domains': ['enterprise-attack', 'ics-attack'],
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_version': '2.0'}