Date: 09/19/2025
Severity: High
Summary
As of mid-September 2025, GOLD SALEM has named 60 victims, placing it mid-tier among active ransomware groups. Its targets range from small entities to major multinational firms across North America, Europe, and South America. Consistent with typical ransomware behavior, the group has mostly avoided victims in China and Russia. However, on September 8, it listed a Russian engineering firm serving the power industry on its leak site. This move suggests GOLD SALEM may be operating outside Russian jurisdiction, given the country's strict stance on domestic attacks.
Indicators of Compromise (IOC) List
File hashes (two MD5/SHA1/SHA256 entries each; hash type inferred from digest length and confirmed by the detection queries below):
MD5: bfbeac96a385b1e5643ec0752b132506
SHA1: de25be0afd53a1d274eec02e5303622fc8e7dbd5
SHA256: 996c7bcec3c12c3462220fc2c19d61ccc039005ef5e7c8fabc0b34631a31abb1
MD5: b3a099ecca79503a0e4a154bd85d3e6b
SHA1: 6d0cc6349a951f0b52394ad3436d1656ec5fba6a
SHA256: a204a48496b54bcb7ae171ad435997b92eb746b5718f166b3515736ee34a65b4
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 (MD5):
md5hash IN ("b3a099ecca79503a0e4a154bd85d3e6b","bfbeac96a385b1e5643ec0752b132506")

Detection Query 2 (SHA1):
sha1hash IN ("6d0cc6349a951f0b52394ad3436d1656ec5fba6a","de25be0afd53a1d274eec02e5303622fc8e7dbd5")

Detection Query 3 (SHA256):
sha256hash IN ("a204a48496b54bcb7ae171ad435997b92eb746b5718f166b3515736ee34a65b4","996c7bcec3c12c3462220fc2c19d61ccc039005ef5e7c8fabc0b34631a31abb1")
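The three queries above all apply the same test, a hash field checked against a fixed set. The Python below is an added example, not part of the advisory and not Gurucul code, that reproduces that logic offline over constructed key=value log lines so the IOC set can be exercised before it is loaded into a SIEM. It also covers two details the query text leaves implicit: hashes are normalized to lower case before comparison, and the digest type is derived from hex length so a vendor that logs hashes under a different field name (the constructed `file_hash` field here) still matches. The log format and the field names other than md5hash/sha1hash/sha256hash are assumptions.

```python
"""Hash-based IOC matching over sample endpoint log lines (added example)."""
import re

# GOLD SALEM file hashes exactly as published in the advisory above.
IOC_HASHES = {
    "md5": {
        "bfbeac96a385b1e5643ec0752b132506",
        "b3a099ecca79503a0e4a154bd85d3e6b",
    },
    "sha1": {
        "de25be0afd53a1d274eec02e5303622fc8e7dbd5",
        "6d0cc6349a951f0b52394ad3436d1656ec5fba6a",
    },
    "sha256": {
        "996c7bcec3c12c3462220fc2c19d61ccc039005ef5e7c8fabc0b34631a31abb1",
        "a204a48496b54bcb7ae171ad435997b92eb746b5718f166b3515736ee34a65b4",
    },
}

# The digest type is recoverable from the hex length alone.
HASH_TYPE_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}

# key=value or key="quoted value" pairs; the line format is constructed.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Constructed sample events. Line 0 carries an advisory MD5 in upper case,
# line 1 a benign SHA256 (of the empty string), line 2 an advisory SHA1
# under a vendor-specific field name, line 3 a truncated digest.
SAMPLE_LOGS = [
    'ts=2025-09-19T08:12:01Z host=ws-114 event=process_create '
    'image="C:\\Users\\Public\\update.exe" '
    'md5hash=BFBEAC96A385B1E5643EC0752B132506',
    'ts=2025-09-19T08:12:05Z host=ws-114 event=process_create '
    'image="C:\\Windows\\System32\\notepad.exe" '
    'sha256hash=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',
    'ts=2025-09-19T08:13:40Z host=srv-02 event=file_write '
    'path="D:\\share\\tools\\svc.exe" '
    'file_hash=6d0cc6349a951f0b52394ad3436d1656ec5fba6a',
    'ts=2025-09-19T08:14:02Z host=srv-02 event=file_write '
    'path="D:\\share\\tools\\readme.txt" sha1hash=de25be0afd53a1d274eec02e',
]


def parse_kv_line(line):
    """Split one log line into a dict of field -> raw string value."""
    fields = {}
    for m in KV_RE.finditer(line):
        key = m.group(1)
        fields[key] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def classify_hash(value):
    """Return (digest_type, lowercase_hex) or None if the value is not a
    well-formed MD5/SHA1/SHA256 hex digest."""
    h = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", h):
        return None
    digest_type = HASH_TYPE_BY_LENGTH.get(len(h))
    return (digest_type, h) if digest_type else None


def match_iocs(line, iocs=IOC_HASHES):
    """Return [(field, digest_type, hash)] for every field on the line whose
    value is a digest present in the IOC set. Every field is inspected, not
    only the three query field names, so alternate vendor naming still hits."""
    hits = []
    for field, value in parse_kv_line(line).items():
        classified = classify_hash(value)
        if classified and classified[1] in iocs[classified[0]]:
            hits.append((field, classified[0], classified[1]))
    return hits


def scan(lines, iocs=IOC_HASHES):
    """Return [(line_index, hits)] for lines with at least one IOC match."""
    results = []
    for i, line in enumerate(lines):
        hits = match_iocs(line, iocs)
        if hits:
            results.append((i, hits))
    return results


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOGS):
        for field, digest_type, digest in hits:
            print(f"line {idx}: {field} ({digest_type}) = {digest}")
```

Running the block flags lines 0 and 2 only: the upper-case MD5 matches after normalization, the SHA1 matches despite the non-standard field name, and the benign and truncated digests are ignored rather than raising an error.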
Reference:
https://news.sophos.com/en-us/2025/09/17/gold-salems-warlock-operation-joins-busy-ransomware-landscape/