SYMBOLCOMMON_NAMEaka. SYNONYMS

GOLD DUPONT  (Back to overview)

aka: SPRITE SPIDER

GOLD DUPONT is a financially motivated cybercriminal threat group that specializes in post-intrusion ransomware attacks using 777 (aka Defray777 or RansomExx) malware. Active since November 2018, GOLD DUPONT establishes initial access into victim networks using stolen credentials to remote access services like virtual desktop infrastructure (VDI) or virtual private networks (VPN). From October 2019 to early 2020 the group used GOLD BLACKBURN's TrickBot malware as an initial access vector (IAV) during some intrusions. Since July 2020, the group has also used GOLD SWATHMORE's IcedID (Bokbot) malware as an IAV in some intrusions.


Associated Families
elf.ransomexx win.ransomexx

References
2021-08-05KrebsOnSecurityBrian Krebs
@online{krebs:20210805:ransomware:0962b82, author = {Brian Krebs}, title = {{Ransomware Gangs and the Name Game Distraction}}, date = {2021-08-05}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/}, language = {English}, urldate = {2021-08-06} } Ransomware Gangs and the Name Game Distraction
DarkSide RansomEXX Babuk Cerber Conti DarkSide DoppelPaymer Egregor FriedEx Gandcrab Hermes Ransomware Maze RansomEXX REvil Ryuk Sekhmet
2021-08-03Bleeping ComputerLawrence Abrams
@online{abrams:20210803:ransomware:d1b938f, author = {Lawrence Abrams}, title = {{Ransomware attack hits Italy's Lazio region, affects COVID-19 site}}, date = {2021-08-03}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ransomware-attack-hits-italys-lazio-region-affects-covid-19-site/}, language = {English}, urldate = {2021-08-06} } Ransomware attack hits Italy's Lazio region, affects COVID-19 site
LockBit RansomEXX
2021-07-17BleepingComputerLawrence Abrams
@online{abrams:20210717:ecuadors:3940c8e, author = {Lawrence Abrams}, title = {{Ecuador's state-run CNT telco hit by RansomEXX ransomware}}, date = {2021-07-17}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/ecuadors-state-run-cnt-telco-hit-by-ransomexx-ransomware/}, language = {English}, urldate = {2021-07-26} } Ecuador's state-run CNT telco hit by RansomEXX ransomware
RansomEXX RansomEXX
2021-05-10DarkTracerDarkTracer
@online{darktracer:20210510:intelligence:b9d1c3f, author = {DarkTracer}, title = {{Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb}}, date = {2021-05-10}, organization = {DarkTracer}, url = {https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3}, language = {English}, urldate = {2021-05-13} } Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX
2021-05-06Cyborg SecurityBrandon Denker
@online{denker:20210506:ransomware:a1f31df, author = {Brandon Denker}, title = {{Ransomware: Hunting for Inhibiting System Backup or Recovery}}, date = {2021-05-06}, organization = {Cyborg Security}, url = {https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/}, language = {English}, urldate = {2021-05-08} } Ransomware: Hunting for Inhibiting System Backup or Recovery
Avaddon Conti DarkSide LockBit Mailto Maze Mespinoza Nemty PwndLocker RagnarLocker RansomEXX REvil Ryuk Snatch ThunderX
2021-03-17Palo Alto Networks Unit 42Unit42
@techreport{unit42:20210317:ransomware:504cc32, author = {Unit42}, title = {{Ransomware Threat Report 2021}}, date = {2021-03-17}, institution = {Palo Alto Networks Unit 42}, url = {https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf}, language = {English}, urldate = {2021-03-19} } Ransomware Threat Report 2021
RansomEXX Dharma DoppelPaymer Gandcrab Mailto Maze Phobos RansomEXX REvil Ryuk WastedLocker
2021-03-09Youtube (SANS Digital Forensics and Incident Response)Eric Loui, Sergei Frankoff
@online{loui:20210309:jackpotting:1dcc95b, author = {Eric Loui and Sergei Frankoff}, title = {{Jackpotting ESXi Servers For Maximum Encryption | Eric Loui & Sergei Frankoff | SANS CTI Summit 2021}}, date = {2021-03-09}, organization = {Youtube (SANS Digital Forensics and Incident Response)}, url = {https://www.youtube.com/watch?v=qxPXxWMI2i4}, language = {English}, urldate = {2021-05-31} } Jackpotting ESXi Servers For Maximum Encryption | Eric Loui & Sergei Frankoff | SANS CTI Summit 2021
DarkSide RansomEXX DarkSide RansomEXX GOLD DUPONT
2021-03Group-IBOleg Skulkin, Roman Rezvukhin, Semyon Rogachev
@techreport{skulkin:202103:ransomware:992ca10, author = {Oleg Skulkin and Roman Rezvukhin and Semyon Rogachev}, title = {{Ransomware Uncovered 2020/2021}}, date = {2021-03}, institution = {Group-IB}, url = {https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf}, language = {English}, urldate = {2021-06-16} } Ransomware Uncovered 2020/2021
RansomEXX BazarBackdoor Buer Clop Conti DoppelPaymer Dridex Egregor IcedID Maze PwndLocker QakBot RansomEXX REvil Ryuk SDBbot TrickBot Zloader
2021-02-26CrowdStrikeEric Loui, Sergei Frankoff
@online{loui:20210226:hypervisor:8dadf9c, author = {Eric Loui and Sergei Frankoff}, title = {{Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact}}, date = {2021-02-26}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout}, language = {English}, urldate = {2021-05-26} } Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact
DarkSide RansomEXX Griffon Carbanak Cobalt Strike DarkSide IcedID MimiKatz PyXie RansomEXX REvil
2021-02-23CrowdStrikeCrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-02-02CRONUPGermán Fernández
@online{fernndez:20210202:de:6ff4f3a, author = {Germán Fernández}, title = {{De ataque con Malware a incidente de Ransomware}}, date = {2021-02-02}, organization = {CRONUP}, url = {https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware}, language = {Spanish}, urldate = {2021-03-02} } De ataque con Malware a incidente de Ransomware
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader
2021-01-26CybereasonDaniel Frank
@online{frank:20210126:cybereason:8b4d681, author = {Daniel Frank}, title = {{Cybereason vs. RansomEXX Ransomware}}, date = {2021-01-26}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/cybereason-vs.-ransomexx-ransomware}, language = {English}, urldate = {2021-01-27} } Cybereason vs. RansomEXX Ransomware
RansomEXX RansomEXX
2021-01-06Trend MicroLeandro Froes
@online{froes:20210106:expanding:c61590d, author = {Leandro Froes}, title = {{Expanding Range and Improving Speed: A RansomExx Approach}}, date = {2021-01-06}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/a/expanding-range-and-improving-speed-a-ransomexx-approach.html}, language = {English}, urldate = {2021-01-11} } Expanding Range and Improving Speed: A RansomExx Approach
RansomEXX
2021CrowdStrikeEric Loui, Sergei Frankoff
@online{loui:2021:hypervisor:ade976a, author = {Eric Loui and Sergei Frankoff}, title = {{Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact}}, date = {2021}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/}, language = {English}, urldate = {2021-05-31} } Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact
DarkSide RansomEXX DarkSide RansomEXX GOLD DUPONT
2020-12-21IntezerIntezer
@online{intezer:20201221:top:9529707, author = {Intezer}, title = {{Top Linux Cloud Threats of 2020}}, date = {2020-12-21}, organization = {Intezer}, url = {https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/}, language = {English}, urldate = {2020-12-26} } Top Linux Cloud Threats of 2020
AgeLocker Anchor_DNS Blackrota Cloud Snooper Dacls Doki FritzFrog IPStorm Kaiji Kinsing NOTROBIN Penquin Turla PLEAD Prometei RansomEXX Stantinko TeamTNT TSCookie WellMail elf.wellmess TeamTNT
2020-12-09CiscoDavid Liebenberg, Caitlin Huey
@online{liebenberg:20201209:quarterly:9ed3062, author = {David Liebenberg and Caitlin Huey}, title = {{Quarterly Report: Incident Response trends from Fall 2020}}, date = {2020-12-09}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html}, language = {English}, urldate = {2020-12-10} } Quarterly Report: Incident Response trends from Fall 2020
Cobalt Strike IcedID Maze RansomEXX Ryuk
2020-11-15Medium GustavoPalazoloGustavo Palazolo
@online{palazolo:20201115:ransomexx:86689d1, author = {Gustavo Palazolo}, title = {{RansomEXX — Análise do Ransomware Utilizado no Ataque ao STJ}}, date = {2020-11-15}, organization = {Medium GustavoPalazolo}, url = {https://gustavopalazolo.medium.com/ransomexx-an%C3%A1lise-do-ransomware-utilizado-no-ataque-ao-stj-918001ec8195}, language = {Portuguese}, urldate = {2020-12-10} } RansomEXX — Análise do Ransomware Utilizado no Ataque ao STJ
RansomEXX
2020-11-06Palo Alto Networks Unit 42Ryan Tracey, Drew Schmitt, CRYPSIS
@online{tracey:20201106:when:8e743b9, author = {Ryan Tracey and Drew Schmitt and CRYPSIS}, title = {{When Threat Actors Fly Under the Radar: Vatet, PyXie and Defray777}}, date = {2020-11-06}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/}, language = {English}, urldate = {2020-11-12} } When Threat Actors Fly Under the Radar: Vatet, PyXie and Defray777
PyXie RansomEXX
2020-11-06Kaspersky LabsFedor Sinitsyn, Vladimir Kuskov
@online{sinitsyn:20201106:ransomexx:3ca495c, author = {Fedor Sinitsyn and Vladimir Kuskov}, title = {{RansomEXX Trojan attacks Linux systems}}, date = {2020-11-06}, organization = {Kaspersky Labs}, url = {https://securelist.com/ransomexx-trojan-attacks-linux-systems/99279/}, language = {English}, urldate = {2020-11-09} } RansomEXX Trojan attacks Linux systems
RansomEXX RansomEXX
2020-11-06Palo Alto Networks Unit 42Ryan Tracey, Drew Schmitt, CRYPSIS
@online{tracey:20201106:indicators:1ec9384, author = {Ryan Tracey and Drew Schmitt and CRYPSIS}, title = {{Indicators of Compromise related to Cobaltstrike, PyXie Lite, Vatet and Defray777}}, date = {2020-11-06}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/}, language = {English}, urldate = {2020-11-12} } Indicators of Compromise related to Cobaltstrike, PyXie Lite, Vatet and Defray777
Cobalt Strike PyXie RansomEXX
2020-11-06Palo Alto Networks Unit 42Ryan Tracey, Drew Schmitt, CRYPSIS
@online{tracey:20201106:last:11cf9f2, author = {Ryan Tracey and Drew Schmitt and CRYPSIS}, title = {{Last, but Not Least: Defray777}}, date = {2020-11-06}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3}, language = {English}, urldate = {2020-11-12} } Last, but Not Least: Defray777
PyXie RansomEXX
2020-11-06Palo Alto Networks Unit 42Ryan Tracey, Drew Schmitt, CRYPSIS
@online{tracey:20201106:linking:152fbf2, author = {Ryan Tracey and Drew Schmitt and CRYPSIS}, title = {{Linking Vatet, PyXie and Defray777}}, date = {2020-11-06}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/4}, language = {English}, urldate = {2020-11-12} } Linking Vatet, PyXie and Defray777
PyXie RansomEXX
2020-11-05Bleeping ComputerSergiu Gatlan
@online{gatlan:20201105:brazils:f1f0810, author = {Sergiu Gatlan}, title = {{Brazil's court system under massive RansomExx ransomware attack}}, date = {2020-11-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/brazils-court-system-under-massive-ransomexx-ransomware-attack/}, language = {English}, urldate = {2020-11-09} } Brazil's court system under massive RansomExx ransomware attack
RansomEXX
2020-06-26BleepingComputerLawrence Abrams
@online{abrams:20200626:new:d6e2d17, author = {Lawrence Abrams}, title = {{New Ransom X Ransomware used in Texas TxDOT cyberattack}}, date = {2020-06-26}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/new-ransom-x-ransomware-used-in-texas-txdot-cyberattack/}, language = {English}, urldate = {2020-07-11} } New Ransom X Ransomware used in Texas TxDOT cyberattack
RansomEXX
2020-06-26Github (Bleeping)Lawrence Abrams
@online{abrams:20200626:ransom:9e453cd, author = {Lawrence Abrams}, title = {{Ransom .exx notes}}, date = {2020-06-26}, organization = {Github (Bleeping)}, url = {https://github.com/Bleeping/Ransom.exx}, language = {English}, urldate = {2020-07-11} } Ransom .exx notes
RansomEXX
2020-06-17Andrew Ivanov
@online{ivanov:20200617:ransomexx:ab0e087, author = {Andrew Ivanov}, title = {{RansomEXX Ransomware}}, date = {2020-06-17}, url = {https://id-ransomware.blogspot.com/2020/06/ransomexx-ransomware.html}, language = {Russian}, urldate = {2020-07-08} } RansomEXX Ransomware
RansomEXX
2020-03CTIR GOVCTIR GOV BR
@techreport{br:202003:nova:38220a4, author = {CTIR GOV BR}, title = {{Nova campanha de ataques de Ransomware}}, date = {2020-03}, institution = {CTIR GOV}, url = {https://www.ctir.gov.br/arquivos/alertas/2020/alerta_2020_03_ataques_de_ransomware.pdf}, language = {English}, urldate = {2021-01-29} } Nova campanha de ataques de Ransomware
RansomEXX
2020SecureworksSecureWorks
@online{secureworks:2020:gold:8050e44, author = {SecureWorks}, title = {{GOLD DUPONT}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-dupont}, language = {English}, urldate = {2020-05-23} } GOLD DUPONT
Cobalt Strike Defray PyXie GOLD DUPONT

Credits: MISP Project