Dashboard / Threat Actors / PINCHY SPIDER

🇷🇺

PINCHY SPIDER

APT Group Financial gain Financial crime ETDA ✓

Also Known As

No alias recorded

Target Countries 1

Countries highlighted in red

United States

Sectors Targeted

National Security and International Affairs 928110 Internet Publishing and Broadcasting and Web Search Portals 51913 Performing Arts Companies 7111

Details

Origin 🇷🇺 RU

Last Updated 01 Jun 2022

Malware Families 1

SODINOKIBI

MITRE ATT&CK 100

T1005 T1008 T1021 T1021.001 T1021.004 T1021.005 T1027 - Obfuscated Files or Information T1027.010 T1027.016 T1033 T1036 T1036.004 T1036.005 T1047 T1053 T1053.005 T1055 - Process Injection T1057 T1059 T1059.001 - PowerShell T1059.003 T1059.005 T1059.007 T1069 T1069.002 T1071 T1071.001 - Web Protocols T1071.004 T1078 T1078.003 T1082 T1087 T1087.001 T1087.002 T1091 T1102 T1102.002 T1105 - Ingress Tool Transfer T1110.001 T1113 T1124 T1125 T1133 T1140 T1190 T1195 T1195.002 T1199 T1204 T1204.001 T1204.002 T1210 T1218 T1218.005 T1218.011 T1219 T1486 T1497 T1497.002 T1543 T1543.003 T1546 T1546.011 T1547 T1547.001 T1553 T1553.002 T1558 T1558.003 T1559 T1559.002 T1562 T1562.004 T1564 T1564.001 T1564.003 T1566 T1566.001 T1566.002 T1567 T1567.002 T1569 T1569.002 T1571 T1572 T1583 T1583.001 T1583.006 T1587 T1587.001 T1588 T1588.002 T1591 T1591.004 T1608 T1608.001 T1608.004 T1608.005 T1620 T1674

Related Zero-Days

No zero-day CVE linked to this actor

Known Names 4 entries

Pinchy Spider CrowdStrike

Gold Southfield SecureWorks

Gold Garden SecureWorks

G0115 MITRE

Observed Target Countries 1

Based on ETDA data — countries highlighted in red

Worldwide

Description

(CrowdStrike) CrowdStrike Intelligence has recently observed Pinchy Spider affiliates deploying GandCrab ransomware in enterprise environments, using lateral movement techniques and tooling commonly associated with nation-state adversary groups and penetration testing teams. This change in tactics makes Pinchy Spider and its affiliates the latest eCrime adversaries to join the growing trend of targeted, low-volume/high-return ransomware deployments known as “big game hunting.” Pinchy Spider is the criminal group behind the development of the ransomware most commonly known as GandCrab, which has been active since January 2018. Pinchy Spider sells access to use GandCrab ransomware under a partnership program with a limited number of accounts. The program is operated with a 60-40 split in profits (60 percent to the customer), as is common among eCrime actors, but Pinchy Spider is also willing to negotiate up to a 70-30 split for “sophisticated” customers. GandCrab and Sodinokibi have been observed to be distributed by DanaBot (operated by {{Scully Spider, TA547}}) and Taurus Loader (operated by {{Venom Spider, Golden Chickens}}).

Tools Used 5

certutil Cobalt Strike GandCrab Sodinokibi VIDAR

Operations 57

2019-04 Sodinokibi ransomware exploits WebLogic Server vulnerability https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html

2019-06 Yesterday night, a source in the malware community has told ZDNet that the GandCrab RaaS operator formally announced plans to shut down their service within a month. The announcement was made in an official thread on a well-known hacking forum, where the GandCrab RaaS has advertised its service since January 2018, when it formally launched. https://www.zdnet.com/article/gandcrab-ransomware-operation-says-its-shutting-down/

2019-08 Over 20 Texas local governments hit in 'coordinated ransomware attack' https://www.zdnet.com/article/at-least-20-texas-local-governments-hit-in-coordinated-ransomware-attack/

2019-12 CyrusOne, one of the biggest data center providers in the US, has suffered a ransomware attack, ZDNet has learned. https://www.zdnet.com/article/ransomware-attack-hits-major-us-data-center-provider/

2019-12 Sodinokibi Ransomware Behind Travelex Fiasco: Report https://threatpost.com/sodinokibi-ransomware-travelex-fiasco/151600/

2019-12 A crypto virus that attacked the Albany County Airport Authority's computer management provider during the Christmas holiday period ended up infecting the authority's servers as well, encrypting files and demanding a ransom payment. https://www.timesunion.com/business/article/Ransomware-attack-cripples-airport-authority-s-14963401.php

2020-01 New Jersey Synagogue Suffers Sodinokibi Ransomware Attack https://www.bleepingcomputer.com/news/security/new-jersey-synagogue-suffers-sodinokibi-ransomware-attack/

2020-01 Sodinokibi Ransomware Publishes Stolen Data for the First Time They claim this data belongs to Artech Information Systems, who describe themselves as a 'minority- and women-owned diversity supplier and one of the largest IT staffing companies in the U.S', and that they will release more if a ransom is not paid. https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-publishes-stolen-data-for-the-first-time/

2020-02 The operators of the Sodinokibi Ransomware (REvil) have started urging affiliates to copy their victim's data before encrypting computers so it can be used as leverage on a new data leak site that is being launched soon. https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-may-tip-nasdaq-on-attacks-to-hurt-stock-prices/

2020-02 The operators behind Sodinokibi Ransomware published download links to files containing what they claim is financial and work documents, as well as customers' personal data stolen from giant U.S. fashion house Kenneth Cole Productions. https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-posts-alleged-data-of-kenneth-cole-fashion-giant/

2020-03 The operators of the Sodinokibi Ransomware are threatening to publicly share a company's 'dirty' financial secrets because they refused to pay the demanded ransom. As organizations decide to restore their data manually or via backups instead of paying ransoms, ransomware operators are escalating their attacks. https://www.bleepingcomputer.com/news/security/ransomware-threatens-to-reveal-companys-dirty-secrets/

2020-03 Recently, the Sodinokibi Ransomware operators published over 12 GB of stolen data allegedly belonging to a company named Brooks International for not paying the ransom. https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-data-leaks-now-sold-on-hacker-forums/

2020-04 Sodinokibi Ransomware to stop taking Bitcoin to hide money trail https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-to-stop-taking-bitcoin-to-hide-money-trail/

2020-04 SeaChange video platform allegedly hit by Sodinokibi ransomware https://www.bleepingcomputer.com/news/security/seachange-video-platform-allegedly-hit-by-sodinokibi-ransomware/

2020-05 REvil ransomware threatens to leak A-list celebrities' legal docs https://www.bleepingcomputer.com/news/security/revil-ransomware-threatens-to-leak-a-list-celebrities-legal-docs/

2020-05 REvil ransomware gang publishes 'Elexon staff's passports' after UK electrical middleman shrugs off attack https://www.theregister.com/2020/06/01/elexon_ransomware_was_revil_sodinokibi/

2020-05 Here come REvil ransomware operators with another massive data leak. In this instance, they leaked the confidential data of Agromart Group, well-known crop production partners. https://cybleinc.com/2020/06/02/times-up-for-agromart-group-and-their-data-got-leaked-by-revil-ransomware-operators/

2020-06 REvil ransomware creates eBay-like auction site for stolen data https://www.bleepingcomputer.com/news/security/revil-ransomware-creates-ebay-like-auction-site-for-stolen-data/

2020-06 REvil ransomware operators have been observed while scanning one of their victim's network for Point of Sale (PoS) servers by researchers with Symantec's Threat Intelligence team. https://www.bleepingcomputer.com/news/security/revil-ransomware-scans-victims-network-for-point-of-sale-systems/

2020-06 The threat actor behind the Sodinokibi (REvil) ransomware is demanding a $14 million ransom from Brazilian-based electrical energy company Light S.A. https://www.securityweek.com/ransomware-operators-demand-14-million-power-company

2020-07 A ransomware gang has infected the internal network of Telecom Argentina, one of the country's largest internet service providers, and is now asking for a $7.5 million ransom demand to unlock encrypted files. https://www.zdnet.com/article/ransomware-gang-demands-7-5-million-from-argentinian-isp/

2020-07 Administrador de Infraestructuras Ferroviarias (ADIF), a Spanish state-owned railway infrastructure manager was hit by REVil ransomware operators. https://securityaffairs.co/wordpress/106304/cyber-crime/adif-revil-ransomware-attack.html

2020-08 Brown-Forman, one of the largest U.S. companies in the spirits and wine business, suffered a cyber attack. The intruders allegedly copied 1TB of confidential data. https://www.bleepingcomputer.com/news/security/us-spirits-and-wine-giant-hit-by-cyberattack-1tb-of-data-stolen/

2020-09 REvil ransomware deposits $1 million in hacker recruitment drive https://www.bleepingcomputer.com/news/security/revil-ransomware-deposits-1-million-in-hacker-recruitment-drive/

2020-10 REvil ransomware gang claims over $100 million profit in a year https://www.bleepingcomputer.com/news/security/revil-ransomware-gang-claims-over-100-million-profit-in-a-year/

2020-10 Today, the threat actors added GPI (Gaming Partners International) to their dedicated leak site. GPI describes itself as a leading provider of casino currency and table game equipment worldwide. https://www.databreaches.net/revil-ransomware-threat-actors-reveal-their-gaming-company-victim/

2020-11 Flagship Group revealed last night that its systems were compromised by a 'cyberattack' on Sunday, 1 November. https://www.theregister.com/2020/11/06/revil_sodinokibi_ransomware_gang_flagship_group_housing/

2020-11 REvil ransomware gang 'acquires' KPOT malware https://www.zdnet.com/article/revil-ransomware-gang-acquires-kpot-malware/

2020-11 Managed web hosting provider Managed.com has taken their servers and web hosting systems offline as they struggle to recover from a weekend REvil ransomware attack. https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-managedcom-hosting-provider-500k-ransom/

2021-01 Pan-Asian retail giant Dairy Farm suffers REvil ransomware attack https://www.bleepingcomputer.com/news/security/pan-asian-retail-giant-dairy-farm-suffers-revil-ransomware-attack/

2021-03 Ransomware gang plans to call victim's business partners about attacks https://www.bleepingcomputer.com/news/security/ransomware-gang-plans-to-call-victims-business-partners-about-attacks/

2021-03 Computer giant Acer hit by $50 million ransomware attack https://www.bleepingcomputer.com/news/security/computer-giant-acer-hit-by-50-million-ransomware-attack/

2021-03 REvil ransomware has a new ‘Windows Safe Mode’ encryption mode https://www.bleepingcomputer.com/news/security/revil-ransomware-has-a-new-windows-safe-mode-encryption-mode/

2021-03 REvil ransomware can now reboot infected devices https://www.bankinfosecurity.com/revil-ransomware-now-reboot-infected-devices-a-16259

2021-04 Asteelflash electronics maker hit by REvil ransomware attack https://www.bleepingcomputer.com/news/security/asteelflash-electronics-maker-hit-by-revil-ransomware-attack/

2021-04 REvil ransomware now changes password to auto-login in Safe Mode https://www.bleepingcomputer.com/news/security/revil-ransomware-now-changes-password-to-auto-login-in-safe-mode/

2021-04 Leading cosmetics group Pierre Fabre hit with $25 million ransomware attack https://www.bleepingcomputer.com/news/security/leading-cosmetics-group-pierre-fabre-hit-with-25-million-ransomware-attack/

2021-04 REvil gang tries to extort Apple, threatens to sell stolen blueprints https://www.bleepingcomputer.com/news/security/revil-gang-tries-to-extort-apple-threatens-to-sell-stolen-blueprints/

2021-04 Brazil's Rio Grande do Sul court system hit by REvil ransomware https://www.bleepingcomputer.com/news/security/brazils-rio-grande-do-sul-court-system-hit-by-revil-ransomware/

2021-05 FBI: JBS ransomware attack was carried out by REvil https://therecord.media/fbi-jbs-ransomware-attack-was-carried-out-by-revil/

2021-06 Fujifilm confirms ransomware attack disrupted business operations https://www.bleepingcomputer.com/news/security/fujifilm-confirms-ransomware-attack-disrupted-business-operations/

2021-06 US nuclear weapons contractor Sol Oriens has suffered a cyberattack allegedly at the hands of the REvil ransomware gang, which claims to be auctioning data stolen during the attack. https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-us-nuclear-weapons-contractor/

2021-06 Relentless REvil, revealed: RaaS as variable as the criminals who use it https://news.sophos.com/en-us/2021/06/11/relentless-revil-revealed/

2021-06 Healthcare giant Grupo Fleury hit by REvil ransomware attack https://www.bleepingcomputer.com/news/security/healthcare-giant-grupo-fleury-hit-by-revil-ransomware-attack/

2021-06 Fashion titan French Connection says 'FCUK' as REvil-linked ransomware makes off with data https://www.theregister.com/2021/06/24/french_connection_says_fcuk_as/

2021-07 Spanish telecom giant MasMovil hit by Revil ransomware gang https://www.hackread.com/revil-ransomware-gang-hits-masmovil-telecom/

2021-07 Kaseya hijacked, thousands attacked by REvil, fix delayed again https://blog.malwarebytes.com/cybercrime/2021/07/shutdown-kaseya-vsa-servers-now-amidst-cascading-revil-attack-against-msps-clients/

2021-07 REvil ransomware gang's web sites mysteriously shut down https://www.bleepingcomputer.com/news/security/revil-ransomware-gangs-web-sites-mysteriously-shut-down/

2021-09 UK VoIP telco receives 'colossal ransom demand', reveals REvil cybercrooks suspected of 'organised' DDoS attacks on UK VoIP companies https://www.theregister.com/2021/09/02/uk_voip_telcos_revil_ransom/

2021-09 REvil ransomware group returns following Kaseya attack https://therecord.media/revil-ransomware-group-returns-following-kaseya-attack/

2021-09 REvil ransomware is back in full attack mode and leaking data https://www.bleepingcomputer.com/news/security/revil-ransomware-is-back-in-full-attack-mode-and-leaking-data/

2021-09 REvil ransomware devs added a backdoor to cheat affiliates https://www.bleepingcomputer.com/news/security/revil-ransomware-devs-added-a-backdoor-to-cheat-affiliates/

2021-10 Hong Kong marketing firm Fimmick has been hit with a ransomware attack, according to a British cybersecurity firm monitoring the situation. https://www.zdnet.com/article/hong-kong-firm-becomes-latest-marketing-company-hit-with-revil-ransomware/

2022-01 After Russian Arrests, REvil Implants Persist https://blog.reversinglabs.com/blog/after-russian-arrests-revil-rolls-on

2022-04 REvil's TOR sites come alive to redirect to new ransomware operation https://www.bleepingcomputer.com/news/security/revils-tor-sites-come-alive-to-redirect-to-new-ransomware-operation/

2022-05 REvil ransomware returns: New malware sample confirms gang is back https://www.bleepingcomputer.com/news/security/revil-ransomware-returns-new-malware-sample-confirms-gang-is-back/

2022-05 REvil Resurgence? Or a Copycat? https://www.akamai.com/blog/security/revil-resurgence-or-copycat

Reports & References 13

https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/ https://krebsonsecurity.com/2019/07/whos-behind-the-gandcrab-ransomware/ https://www.secureworks.com/blog/revil-the-gandcrab-connection https://blog.morphisec.com/threat-profile-gandcrab-ransomware https://www.kpn.com/security-blogs/Tracking-REvil.htm https://www.cybereason.com/blog/the-sodinokibi-ransomware-attack https://securityintelligence.com/posts/sodinokibi-revil-ransomware-disrupt-trade-secrets/ https://threatpost.com/revil-spill-details-us-attacks/166669/ https://news.sophos.com/en-us/2021/06/11/relentless-revil-revealed/ https://unit42.paloaltonetworks.com/revil-threat-actors/ https://www.bankinfosecurity.com/revils-cybercrime-reputation-in-tatters-will-reboot-a-17802 https://therecord.media/how-a-texas-hack-changed-the-ransomware-business-forever/ https://www.darkreading.com/cyberattacks-data-breaches/revil-actor-russia-planning-2021-kaseya-attack

ETDA Profile

Pinchy Spider, Gold Southfield

Origin

Russia

First Seen 2018

Motivation

Financial gain

MITRE ATT&CK Groups

https://attack.mitre.org/groups/G0115/

View on ETDA APT Groups ↗