2019-04
Sodinokibi ransomware exploits WebLogic Server vulnerability
https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html
2019-06
Yesterday night, a source in the malware community told ZDNet that the GandCrab RaaS operator formally announced plans to shut down their service within a month.
The announcement was made in an official thread on a well-known hacking forum, where the GandCrab RaaS has advertised its service since January 2018, when it formally launched.
https://www.zdnet.com/article/gandcrab-ransomware-operation-says-its-shutting-down/
2019-08
Over 20 Texas local governments hit in 'coordinated ransomware attack'
https://www.zdnet.com/article/at-least-20-texas-local-governments-hit-in-coordinated-ransomware-attack/
2019-12
CyrusOne, one of the biggest data center providers in the US, has suffered a ransomware attack, ZDNet has learned.
https://www.zdnet.com/article/ransomware-attack-hits-major-us-data-center-provider/
2019-12
Sodinokibi Ransomware Behind Travelex Fiasco: Report
https://threatpost.com/sodinokibi-ransomware-travelex-fiasco/151600/
2019-12
A crypto virus that attacked the Albany County Airport Authority's computer management provider during the Christmas holiday period ended up infecting the authority's servers as well, encrypting files and demanding a ransom payment.
https://www.timesunion.com/business/article/Ransomware-attack-cripples-airport-authority-s-14963401.php
2020-01
New Jersey Synagogue Suffers Sodinokibi Ransomware Attack
https://www.bleepingcomputer.com/news/security/new-jersey-synagogue-suffers-sodinokibi-ransomware-attack/
2020-01
Sodinokibi Ransomware Publishes Stolen Data for the First Time
They claim this data belongs to Artech Information Systems, who describe themselves as a 'minority- and women-owned diversity supplier and one of the largest IT staffing companies in the U.S', and that they will release more if a ransom is not paid.
https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-publishes-stolen-data-for-the-first-time/
2020-02
The operators of the Sodinokibi Ransomware (REvil) have started urging affiliates to copy their victim's data before encrypting computers so it can be used as leverage on a new data leak site that is being launched soon.
https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-may-tip-nasdaq-on-attacks-to-hurt-stock-prices/
2020-02
The operators behind Sodinokibi Ransomware published download links to files containing what they claim is financial and work documents, as well as customers' personal data stolen from giant U.S. fashion house Kenneth Cole Productions.
https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-posts-alleged-data-of-kenneth-cole-fashion-giant/
2020-03
The operators of the Sodinokibi Ransomware are threatening to publicly share a company's 'dirty' financial secrets because they refused to pay the demanded ransom.
As organizations decide to restore their data manually or via backups instead of paying ransoms, ransomware operators are escalating their attacks.
https://www.bleepingcomputer.com/news/security/ransomware-threatens-to-reveal-companys-dirty-secrets/
2020-03
Recently, the Sodinokibi Ransomware operators published over 12 GB of stolen data allegedly belonging to a company named Brooks International for not paying the ransom.
https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-data-leaks-now-sold-on-hacker-forums/
2020-04
Sodinokibi Ransomware to stop taking Bitcoin to hide money trail
https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-to-stop-taking-bitcoin-to-hide-money-trail/
2020-04
SeaChange video platform allegedly hit by Sodinokibi ransomware
https://www.bleepingcomputer.com/news/security/seachange-video-platform-allegedly-hit-by-sodinokibi-ransomware/
2020-05
REvil ransomware threatens to leak A-list celebrities' legal docs
https://www.bleepingcomputer.com/news/security/revil-ransomware-threatens-to-leak-a-list-celebrities-legal-docs/
2020-05
REvil ransomware gang publishes 'Elexon staff's passports' after UK electrical middleman shrugs off attack
https://www.theregister.com/2020/06/01/elexon_ransomware_was_revil_sodinokibi/
2020-05
Here come REvil ransomware operators with another massive data leak. In this instance, they leaked the confidential data of Agromart Group, well-known crop production partners.
https://cybleinc.com/2020/06/02/times-up-for-agromart-group-and-their-data-got-leaked-by-revil-ransomware-operators/
2020-06
REvil ransomware creates eBay-like auction site for stolen data
https://www.bleepingcomputer.com/news/security/revil-ransomware-creates-ebay-like-auction-site-for-stolen-data/
2020-06
REvil ransomware operators have been observed scanning one of their victims' networks for Point of Sale (PoS) servers by researchers with Symantec's Threat Intelligence team.
https://www.bleepingcomputer.com/news/security/revil-ransomware-scans-victims-network-for-point-of-sale-systems/
2020-06
The threat actor behind the Sodinokibi (REvil) ransomware is demanding a $14 million ransom from Brazilian-based electrical energy company Light S.A.
https://www.securityweek.com/ransomware-operators-demand-14-million-power-company
2020-07
A ransomware gang has infected the internal network of Telecom Argentina, one of the country's largest internet service providers, and is now asking for a $7.5 million ransom to unlock encrypted files.
https://www.zdnet.com/article/ransomware-gang-demands-7-5-million-from-argentinian-isp/
2020-07
Administrador de Infraestructuras Ferroviarias (ADIF), a Spanish state-owned railway infrastructure manager, was hit by REvil ransomware operators.
https://securityaffairs.co/wordpress/106304/cyber-crime/adif-revil-ransomware-attack.html
2020-08
Brown-Forman, one of the largest U.S. companies in the spirits and wine business, suffered a cyber attack. The intruders allegedly copied 1TB of confidential data.
https://www.bleepingcomputer.com/news/security/us-spirits-and-wine-giant-hit-by-cyberattack-1tb-of-data-stolen/
2020-09
REvil ransomware deposits $1 million in hacker recruitment drive
https://www.bleepingcomputer.com/news/security/revil-ransomware-deposits-1-million-in-hacker-recruitment-drive/
2020-10
REvil ransomware gang claims over $100 million profit in a year
https://www.bleepingcomputer.com/news/security/revil-ransomware-gang-claims-over-100-million-profit-in-a-year/
2020-10
Today, the threat actors added GPI (Gaming Partners International) to their dedicated leak site. GPI describes itself as a leading provider of casino currency and table game equipment worldwide.
https://www.databreaches.net/revil-ransomware-threat-actors-reveal-their-gaming-company-victim/
2020-11
Flagship Group revealed last night that its systems were compromised by a 'cyberattack' on Sunday, 1 November.
https://www.theregister.com/2020/11/06/revil_sodinokibi_ransomware_gang_flagship_group_housing/
2020-11
REvil ransomware gang 'acquires' KPOT malware
https://www.zdnet.com/article/revil-ransomware-gang-acquires-kpot-malware/
2020-11
Managed web hosting provider Managed.com has taken their servers and web hosting systems offline as they struggle to recover from a weekend REvil ransomware attack.
https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-managedcom-hosting-provider-500k-ransom/
2021-01
Pan-Asian retail giant Dairy Farm suffers REvil ransomware attack
https://www.bleepingcomputer.com/news/security/pan-asian-retail-giant-dairy-farm-suffers-revil-ransomware-attack/
2021-03
Ransomware gang plans to call victim's business partners about attacks
https://www.bleepingcomputer.com/news/security/ransomware-gang-plans-to-call-victims-business-partners-about-attacks/
2021-03
Computer giant Acer hit by $50 million ransomware attack
https://www.bleepingcomputer.com/news/security/computer-giant-acer-hit-by-50-million-ransomware-attack/
2021-03
REvil ransomware has a new ‘Windows Safe Mode’ encryption mode
https://www.bleepingcomputer.com/news/security/revil-ransomware-has-a-new-windows-safe-mode-encryption-mode/
2021-03
REvil ransomware can now reboot infected devices
https://www.bankinfosecurity.com/revil-ransomware-now-reboot-infected-devices-a-16259
2021-04
Asteelflash electronics maker hit by REvil ransomware attack
https://www.bleepingcomputer.com/news/security/asteelflash-electronics-maker-hit-by-revil-ransomware-attack/
2021-04
REvil ransomware now changes password to auto-login in Safe Mode
https://www.bleepingcomputer.com/news/security/revil-ransomware-now-changes-password-to-auto-login-in-safe-mode/
2021-04
Leading cosmetics group Pierre Fabre hit with $25 million ransomware attack
https://www.bleepingcomputer.com/news/security/leading-cosmetics-group-pierre-fabre-hit-with-25-million-ransomware-attack/
2021-04
REvil gang tries to extort Apple, threatens to sell stolen blueprints
https://www.bleepingcomputer.com/news/security/revil-gang-tries-to-extort-apple-threatens-to-sell-stolen-blueprints/
2021-04
Brazil's Rio Grande do Sul court system hit by REvil ransomware
https://www.bleepingcomputer.com/news/security/brazils-rio-grande-do-sul-court-system-hit-by-revil-ransomware/
2021-05
FBI: JBS ransomware attack was carried out by REvil
https://therecord.media/fbi-jbs-ransomware-attack-was-carried-out-by-revil/
2021-06
Fujifilm confirms ransomware attack disrupted business operations
https://www.bleepingcomputer.com/news/security/fujifilm-confirms-ransomware-attack-disrupted-business-operations/
2021-06
US nuclear weapons contractor Sol Oriens has suffered a cyberattack allegedly at the hands of the REvil ransomware gang, which claims to be auctioning data stolen during the attack.
https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-us-nuclear-weapons-contractor/
2021-06
Relentless REvil, revealed: RaaS as variable as the criminals who use it
https://news.sophos.com/en-us/2021/06/11/relentless-revil-revealed/
2021-06
Healthcare giant Grupo Fleury hit by REvil ransomware attack
https://www.bleepingcomputer.com/news/security/healthcare-giant-grupo-fleury-hit-by-revil-ransomware-attack/
2021-06
Fashion titan French Connection says 'FCUK' as REvil-linked ransomware makes off with data
https://www.theregister.com/2021/06/24/french_connection_says_fcuk_as/
2021-07
Spanish telecom giant MasMovil hit by Revil ransomware gang
https://www.hackread.com/revil-ransomware-gang-hits-masmovil-telecom/
2021-07
Kaseya hijacked, thousands attacked by REvil, fix delayed again
https://blog.malwarebytes.com/cybercrime/2021/07/shutdown-kaseya-vsa-servers-now-amidst-cascading-revil-attack-against-msps-clients/
2021-07
REvil ransomware gang's web sites mysteriously shut down
https://www.bleepingcomputer.com/news/security/revil-ransomware-gangs-web-sites-mysteriously-shut-down/
2021-09
UK VoIP telco receives 'colossal ransom demand', reveals REvil cybercrooks suspected of 'organised' DDoS attacks on UK VoIP companies
https://www.theregister.com/2021/09/02/uk_voip_telcos_revil_ransom/
2021-09
REvil ransomware group returns following Kaseya attack
https://therecord.media/revil-ransomware-group-returns-following-kaseya-attack/
2021-09
REvil ransomware is back in full attack mode and leaking data
https://www.bleepingcomputer.com/news/security/revil-ransomware-is-back-in-full-attack-mode-and-leaking-data/
2021-09
REvil ransomware devs added a backdoor to cheat affiliates
https://www.bleepingcomputer.com/news/security/revil-ransomware-devs-added-a-backdoor-to-cheat-affiliates/
2021-10
Hong Kong marketing firm Fimmick has been hit with a ransomware attack, according to a British cybersecurity firm monitoring the situation.
https://www.zdnet.com/article/hong-kong-firm-becomes-latest-marketing-company-hit-with-revil-ransomware/
2022-01
After Russian Arrests, REvil Implants Persist
https://blog.reversinglabs.com/blog/after-russian-arrests-revil-rolls-on
2022-04
REvil's TOR sites come alive to redirect to new ransomware operation
https://www.bleepingcomputer.com/news/security/revils-tor-sites-come-alive-to-redirect-to-new-ransomware-operation/
2022-05
REvil ransomware returns: New malware sample confirms gang is back
https://www.bleepingcomputer.com/news/security/revil-ransomware-returns-new-malware-sample-confirms-gang-is-back/
2022-05
REvil Resurgence? Or a Copycat?
https://www.akamai.com/blog/security/revil-resurgence-or-copycat