ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Report
Search
Home > List all groups > Pinchy Spider, Gold Southfield

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: Pinchy Spider, Gold Southfield

NamesPinchy Spider (CrowdStrike)
Gold Southfield (SecureWorks)
Gold Garden (SecureWorks)
CountryRussia Russia
MotivationFinancial gain
First seen2018
Description(CrowdStrike) CrowdStrike Intelligence has recently observed Pinchy Spider affiliates deploying GandCrab ransomware in enterprise environments, using lateral movement techniques and tooling commonly associated with nation-state adversary groups and penetration testing teams. This change in tactics makes Pinchy Spider and its affiliates the latest eCrime adversaries to join the growing trend of targeted, low-volume/high-return ransomware deployments known as “big game hunting.”

Pinchy Spider is the criminal group behind the development of the ransomware most commonly known as GandCrab, which has been active since January 2018. Pinchy Spider sells access to use GandCrab ransomware under a partnership program with a limited number of accounts. The program is operated with a 60-40 split in profits (60 percent to the customer), as is common among eCrime actors, but Pinchy Spider is also willing to negotiate up to a 70-30 split for “sophisticated” customers.

GandCrab and Sodinokibi have been observed to be distributed by DanaBot (operated by Scully Spider, TA547) and Taurus Loader (operated by Venom Spider, Golden Chickens).
ObservedCountries: Worldwide.
Tools usedcertutil, Cobalt Strike, GandCrab, Sodinokibi, VIDAR.
Operations performedApr 2019Sodinokibi ransomware exploits WebLogic Server vulnerability
<https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html>
Jun 2019Yesterday night, a source in the malware community has told ZDNet that the GandCrab RaaS operator formally announced plans to shut down their service within a month.
The announcement was made in an official thread on a well-known hacking forum, where the GandCrab RaaS has advertised its service since January 2018, when it formally launched.
<https://www.zdnet.com/article/gandcrab-ransomware-operation-says-its-shutting-down/>
Aug 2019Over 20 Texas local governments hit in 'coordinated ransomware attack'
<https://www.zdnet.com/article/at-least-20-texas-local-governments-hit-in-coordinated-ransomware-attack/>
Dec 2019CyrusOne, one of the biggest data center providers in the US, has suffered a ransomware attack, ZDNet has learned.
<https://www.zdnet.com/article/ransomware-attack-hits-major-us-data-center-provider/>
Dec 2019Sodinokibi Ransomware Behind Travelex Fiasco: Report
<https://threatpost.com/sodinokibi-ransomware-travelex-fiasco/151600/>
Dec 2019A crypto virus that attacked the Albany County Airport Authority's computer management provider during the Christmas holiday period ended up infecting the authority's servers as well, encrypting files and demanding a ransom payment.
<https://www.timesunion.com/business/article/Ransomware-attack-cripples-airport-authority-s-14963401.php>
Jan 2020New Jersey Synagogue Suffers Sodinokibi Ransomware Attack
<https://www.bleepingcomputer.com/news/security/new-jersey-synagogue-suffers-sodinokibi-ransomware-attack/>
Jan 2020Sodinokibi Ransomware Publishes Stolen Data for the First Time
They claim this data belongs to Artech Information Systems, who describe themselves as a 'minority- and women-owned diversity supplier and one of the largest IT staffing companies in the U.S', and that they will release more if a ransom is not paid.
<https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-publishes-stolen-data-for-the-first-time/>
Feb 2020The operators of the Sodinokibi Ransomware (REvil) have started urging affiliates to copy their victim's data before encrypting computers so it can be used as leverage on a new data leak site that is being launched soon.
<https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-may-tip-nasdaq-on-attacks-to-hurt-stock-prices/>
Feb 2020The operators behind Sodinokibi Ransomware published download links to files containing what they claim is financial and work documents, as well as customers' personal data stolen from giant U.S. fashion house Kenneth Cole Productions.
<https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-posts-alleged-data-of-kenneth-cole-fashion-giant/>
Mar 2020The operators of the Sodinokibi Ransomware are threatening to publicly share a company's 'dirty' financial secrets because they refused to pay the demanded ransom.
As organizations decide to restore their data manually or via backups instead of paying ransoms, ransomware operators are escalating their attacks.
<https://www.bleepingcomputer.com/news/security/ransomware-threatens-to-reveal-companys-dirty-secrets/>
Mar 2020Recently, the Sodinokibi Ransomware operators published over 12 GB of stolen data allegedly belonging to a company named Brooks International for not paying the ransom.
<https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-data-leaks-now-sold-on-hacker-forums/>
Apr 2020Sodinokibi Ransomware to stop taking Bitcoin to hide money trail
<https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-to-stop-taking-bitcoin-to-hide-money-trail/>
Apr 2020SeaChange video platform allegedly hit by Sodinokibi ransomware
<https://www.bleepingcomputer.com/news/security/seachange-video-platform-allegedly-hit-by-sodinokibi-ransomware/>
May 2020REvil ransomware threatens to leak A-list celebrities' legal docs
<https://www.bleepingcomputer.com/news/security/revil-ransomware-threatens-to-leak-a-list-celebrities-legal-docs/>
May 2020REvil ransomware gang publishes 'Elexon staff's passports' after UK electrical middleman shrugs off attack
<https://www.theregister.com/2020/06/01/elexon_ransomware_was_revil_sodinokibi/>
May 2020Here come REvil ransomware operators with another massive data leak. In this instance, they leaked the confidential data of Agromart Group, well-known crop production partners.
<https://cybleinc.com/2020/06/02/times-up-for-agromart-group-and-their-data-got-leaked-by-revil-ransomware-operators/>
Jun 2020REvil ransomware creates eBay-like auction site for stolen data
<https://www.bleepingcomputer.com/news/security/revil-ransomware-creates-ebay-like-auction-site-for-stolen-data/>
Jun 2020REvil ransomware operators have been observed while scanning one of their victim's network for Point of Sale (PoS) servers by researchers with Symantec's Threat Intelligence team.
<https://www.bleepingcomputer.com/news/security/revil-ransomware-scans-victims-network-for-point-of-sale-systems/>
Jun 2020The threat actor behind the Sodinokibi (REvil) ransomware is demanding a $14 million ransom from Brazilian-based electrical energy company Light S.A.
<https://www.securityweek.com/ransomware-operators-demand-14-million-power-company>
Jul 2020A ransomware gang has infected the internal network of Telecom Argentina, one of the country's largest internet service providers, and is now asking for a $7.5 million ransom demand to unlock encrypted files.
<https://www.zdnet.com/article/ransomware-gang-demands-7-5-million-from-argentinian-isp/>
Jul 2020Administrador de Infraestructuras Ferroviarias (ADIF), a Spanish state-owned railway infrastructure manager was hit by REVil ransomware operators.
<https://securityaffairs.co/wordpress/106304/cyber-crime/adif-revil-ransomware-attack.html>
Aug 2020Brown-Forman, one of the largest U.S. companies in the spirits and wine business, suffered a cyber attack. The intruders allegedly copied 1TB of confidential data.
<https://www.bleepingcomputer.com/news/security/us-spirits-and-wine-giant-hit-by-cyberattack-1tb-of-data-stolen/>
Sep 2020REvil ransomware deposits $1 million in hacker recruitment drive
<https://www.bleepingcomputer.com/news/security/revil-ransomware-deposits-1-million-in-hacker-recruitment-drive/>
Oct 2020REvil ransomware gang claims over $100 million profit in a year
<https://www.bleepingcomputer.com/news/security/revil-ransomware-gang-claims-over-100-million-profit-in-a-year/>
Oct 2020Today, the threat actors added GPI (Gaming Partners International) to their dedicated leak site. GPI describes itself as a leading provider of casino currency and table game equipment worldwide.
<https://www.databreaches.net/revil-ransomware-threat-actors-reveal-their-gaming-company-victim/>
Nov 2020Flagship Group revealed last night that its systems were compromised by a 'cyberattack' on Sunday, 1 November.
<https://www.theregister.com/2020/11/06/revil_sodinokibi_ransomware_gang_flagship_group_housing/>
Nov 2020REvil ransomware gang 'acquires' KPOT malware
<https://www.zdnet.com/article/revil-ransomware-gang-acquires-kpot-malware/>
Nov 2020Managed web hosting provider Managed.com has taken their servers and web hosting systems offline as they struggle to recover from a weekend REvil ransomware attack.
<https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-managedcom-hosting-provider-500k-ransom/>
Jan 2021Pan-Asian retail giant Dairy Farm suffers REvil ransomware attack
<https://www.bleepingcomputer.com/news/security/pan-asian-retail-giant-dairy-farm-suffers-revil-ransomware-attack/>
Mar 2021Ransomware gang plans to call victim's business partners about attacks
<https://www.bleepingcomputer.com/news/security/ransomware-gang-plans-to-call-victims-business-partners-about-attacks/>
Mar 2021Computer giant Acer hit by $50 million ransomware attack
<https://www.bleepingcomputer.com/news/security/computer-giant-acer-hit-by-50-million-ransomware-attack/>
Mar 2021REvil ransomware has a new ‘Windows Safe Mode’ encryption mode
<https://www.bleepingcomputer.com/news/security/revil-ransomware-has-a-new-windows-safe-mode-encryption-mode/>
Mar 2021REvil ransomware can now reboot infected devices
<https://www.bankinfosecurity.com/revil-ransomware-now-reboot-infected-devices-a-16259>
Apr 2021Asteelflash electronics maker hit by REvil ransomware attack
<https://www.bleepingcomputer.com/news/security/asteelflash-electronics-maker-hit-by-revil-ransomware-attack/>
Apr 2021REvil ransomware now changes password to auto-login in Safe Mode
<https://www.bleepingcomputer.com/news/security/revil-ransomware-now-changes-password-to-auto-login-in-safe-mode/>
Apr 2021Leading cosmetics group Pierre Fabre hit with $25 million ransomware attack
<https://www.bleepingcomputer.com/news/security/leading-cosmetics-group-pierre-fabre-hit-with-25-million-ransomware-attack/>
Apr 2021REvil gang tries to extort Apple, threatens to sell stolen blueprints
<https://www.bleepingcomputer.com/news/security/revil-gang-tries-to-extort-apple-threatens-to-sell-stolen-blueprints/>
Apr 2021Brazil's Rio Grande do Sul court system hit by REvil ransomware
<https://www.bleepingcomputer.com/news/security/brazils-rio-grande-do-sul-court-system-hit-by-revil-ransomware/>
May 2021FBI: JBS ransomware attack was carried out by REvil
<https://therecord.media/fbi-jbs-ransomware-attack-was-carried-out-by-revil/>
Jun 2021Fujifilm confirms ransomware attack disrupted business operations
<https://www.bleepingcomputer.com/news/security/fujifilm-confirms-ransomware-attack-disrupted-business-operations/>
Jun 2021US nuclear weapons contractor Sol Oriens has suffered a cyberattack allegedly at the hands of the REvil ransomware gang, which claims to be auctioning data stolen during the attack.
<https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-us-nuclear-weapons-contractor/>
Jun 2021Relentless REvil, revealed: RaaS as variable as the criminals who use it
<https://news.sophos.com/en-us/2021/06/11/relentless-revil-revealed/>
Jun 2021Healthcare giant Grupo Fleury hit by REvil ransomware attack
<https://www.bleepingcomputer.com/news/security/healthcare-giant-grupo-fleury-hit-by-revil-ransomware-attack/>
Jun 2021Fashion titan French Connection says 'FCUK' as REvil-linked ransomware makes off with data
<https://www.theregister.com/2021/06/24/french_connection_says_fcuk_as/>
Jul 2021Spanish telecom giant MasMovil hit by Revil ransomware gang
<https://www.hackread.com/revil-ransomware-gang-hits-masmovil-telecom/>
Jul 2021Kaseya hijacked, thousands attacked by REvil, fix delayed again
<https://blog.malwarebytes.com/cybercrime/2021/07/shutdown-kaseya-vsa-servers-now-amidst-cascading-revil-attack-against-msps-clients/>
Jul 2021REvil ransomware gang's web sites mysteriously shut down
<https://www.bleepingcomputer.com/news/security/revil-ransomware-gangs-web-sites-mysteriously-shut-down/>
Sep 2021UK VoIP telco receives 'colossal ransom demand', reveals REvil cybercrooks suspected of 'organised' DDoS attacks on UK VoIP companies
<https://www.theregister.com/2021/09/02/uk_voip_telcos_revil_ransom/>
Sep 2021REvil ransomware group returns following Kaseya attack
<https://therecord.media/revil-ransomware-group-returns-following-kaseya-attack/>
Sep 2021REvil ransomware is back in full attack mode and leaking data
<https://www.bleepingcomputer.com/news/security/revil-ransomware-is-back-in-full-attack-mode-and-leaking-data/>
Sep 2021REvil ransomware devs added a backdoor to cheat affiliates
<https://www.bleepingcomputer.com/news/security/revil-ransomware-devs-added-a-backdoor-to-cheat-affiliates/>
Oct 2021Hong Kong marketing firm Fimmick has been hit with a ransomware attack, according to a British cybersecurity firm monitoring the situation.
<https://www.zdnet.com/article/hong-kong-firm-becomes-latest-marketing-company-hit-with-revil-ransomware/>
Jan 2022After Russian Arrests, REvil Implants Persist
<https://blog.reversinglabs.com/blog/after-russian-arrests-revil-rolls-on>
Apr 2022REvil's TOR sites come alive to redirect to new ransomware operation
<https://www.bleepingcomputer.com/news/security/revils-tor-sites-come-alive-to-redirect-to-new-ransomware-operation/>
May 2022REvil ransomware returns: New malware sample confirms gang is back
<https://www.bleepingcomputer.com/news/security/revil-ransomware-returns-new-malware-sample-confirms-gang-is-back/>
May 2022REvil Resurgence? Or a Copycat?
<https://www.akamai.com/blog/security/revil-resurgence-or-copycat>
Counter operationsJul 2020GandCrab ransomware operator arrested in Belarus
<https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-operator-arrested-in-belarus/>
Mar 2021GandCrab ransomware distributor arrested in South Korea
<https://therecord.media/gandcrab-ransomware-distributor-arrested-in-south-korea/>
Sep 2021REvil Affiliates Confirm: Leadership Were Cheating Dirtbags
<https://threatpost.com/revil-affiliates-leadership-cheated-ransom-payments/174972/>
Oct 2021REvil ransomware shuts down again after Tor sites were hijacked
<https://www.bleepingcomputer.com/news/security/revil-ransomware-shuts-down-again-after-tor-sites-were-hijacked/>
<https://www.reuters.com/technology/exclusive-governments-turn-tables-ransomware-gang-revil-by-pushing-it-offline-2021-10-21/>
Oct 2021Two ransomware operators arrested in Ukraine
<https://therecord.media/two-ransomware-operators-arrested-in-ukraine/>
Oct 2021German investigators identify REvil ransomware gang core member
<https://www.bleepingcomputer.com/news/security/german-investigators-identify-revil-ransomware-gang-core-member/>
Nov 2021REvil ransomware affiliates arrested in Romania and Kuwait
<https://www.bleepingcomputer.com/news/security/revil-ransomware-affiliates-arrested-in-romania-and-kuwait/>
Nov 2021US seizes $6 million from REvil ransomware, arrest Kaseya hacker
<https://www.bleepingcomputer.com/news/security/us-seizes-6-million-from-revil-ransomware-arrest-kaseya-hacker/>
Nov 2021Five affiliates to Sodinokibi/REvil unplugged
<https://www.europol.europa.eu/media-press/newsroom/news/five-affiliates-to-sodinokibi/revil-unplugged>
Nov 2021U.S. offers $10 million reward for leaders of REvil ransomware
<https://www.bleepingcomputer.com/news/security/us-offers-10-million-reward-for-leaders-of-revil-ransomware/>
Nov 2021FBI seized $2.3M from affiliate of REvil, Gandcrab ransomware gangs
<https://www.bleepingcomputer.com/news/security/fbi-seized-23m-from-affiliate-of-revil-gandcrab-ransomware-gangs/>
Jan 2022Russia arrests REvil ransomware gang members, seize $6.6 million
<https://www.bleepingcomputer.com/news/security/russia-arrests-revil-ransomware-gang-members-seize-66-million/>
Information<https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/>
<https://krebsonsecurity.com/2019/07/whos-behind-the-gandcrab-ransomware/>
<https://www.secureworks.com/blog/revil-the-gandcrab-connection>
<https://blog.morphisec.com/threat-profile-gandcrab-ransomware>
<https://www.kpn.com/security-blogs/Tracking-REvil.htm>
<https://www.cybereason.com/blog/the-sodinokibi-ransomware-attack>
<https://securityintelligence.com/posts/sodinokibi-revil-ransomware-disrupt-trade-secrets/>
<https://threatpost.com/revil-spill-details-us-attacks/166669/>
<https://news.sophos.com/en-us/2021/06/11/relentless-revil-revealed/>
<https://unit42.paloaltonetworks.com/revil-threat-actors/>
<https://www.bankinfosecurity.com/revils-cybercrime-reputation-in-tatters-will-reboot-a-17802>
<https://therecord.media/how-a-texas-hack-changed-the-ransomware-business-forever/>
MITRE ATT&CK<https://attack.mitre.org/groups/G0115/>

Last change to this card: 30 December 2022

Download this actor card in PDF or JSON format

Previous: Patchwork, Dropping Elephant
Next: PittyTiger, Pitty Panda

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]