| Field | Date | Details |
|---|---|---|
| Names | | Pinchy Spider (CrowdStrike), Gold Southfield (SecureWorks), Gold Garden (SecureWorks) |
| Country | | |
| Motivation | | Financial gain |
| First seen | | 2018 |
| Description | | (CrowdStrike) CrowdStrike Intelligence has recently observed Pinchy Spider affiliates deploying GandCrab ransomware in enterprise environments, using lateral movement techniques and tooling commonly associated with nation-state adversary groups and penetration testing teams. This change in tactics makes Pinchy Spider and its affiliates the latest eCrime adversaries to join the growing trend of targeted, low-volume/high-return ransomware deployments known as “big game hunting.” Pinchy Spider is the criminal group behind the development of the ransomware most commonly known as GandCrab, which has been active since January 2018. Pinchy Spider sells access to GandCrab ransomware under a partnership program with a limited number of accounts. The program is operated with a 60-40 split in profits (60 percent to the customer), as is common among eCrime actors, but Pinchy Spider is also willing to negotiate up to a 70-30 split for “sophisticated” customers. GandCrab and Sodinokibi have been observed being distributed by DanaBot (operated by Scully Spider, TA547) and Taurus Loader (operated by Venom Spider, Golden Chickens). |
| Observed | | Countries: Worldwide. |
| Tools used | | certutil, Cobalt Strike, GandCrab, Sodinokibi. |
| Operations performed | Apr 2019 | Sodinokibi ransomware exploits WebLogic Server vulnerability. <https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html> |
| | Jun 2019 | Yesterday night, a source in the malware community told ZDNet that the GandCrab RaaS operator formally announced plans to shut down their service within a month. The announcement was made in an official thread on a well-known hacking forum, where the GandCrab RaaS has advertised its service since January 2018, when it formally launched. <https://www.zdnet.com/article/gandcrab-ransomware-operation-says-its-shutting-down/> |
| | Aug 2019 | Over 20 Texas local governments hit in 'coordinated ransomware attack'. <https://www.zdnet.com/article/at-least-20-texas-local-governments-hit-in-coordinated-ransomware-attack/> |
| | Dec 2019 | CyrusOne, one of the biggest data center providers in the US, has suffered a ransomware attack, ZDNet has learned. <https://www.zdnet.com/article/ransomware-attack-hits-major-us-data-center-provider/> |
| | Dec 2019 | Sodinokibi ransomware behind Travelex fiasco: report. <https://threatpost.com/sodinokibi-ransomware-travelex-fiasco/151600/> |
| | Dec 2019 | A crypto virus that attacked the Albany County Airport Authority's computer management provider during the Christmas holiday period ended up infecting the authority's servers as well, encrypting files and demanding a ransom payment. <https://www.timesunion.com/business/article/Ransomware-attack-cripples-airport-authority-s-14963401.php> |
| | Jan 2020 | New Jersey synagogue suffers Sodinokibi ransomware attack. <https://www.bleepingcomputer.com/news/security/new-jersey-synagogue-suffers-sodinokibi-ransomware-attack/> |
| | Jan 2020 | Sodinokibi ransomware publishes stolen data for the first time. They claim this data belongs to Artech Information Systems, who describe themselves as a 'minority- and women-owned diversity supplier and one of the largest IT staffing companies in the U.S', and that they will release more if a ransom is not paid. <https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-publishes-stolen-data-for-the-first-time/> |
| | Feb 2020 | The operators of the Sodinokibi ransomware (REvil) have started urging affiliates to copy their victims' data before encrypting computers so it can be used as leverage on a new data leak site that is being launched soon. <https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-may-tip-nasdaq-on-attacks-to-hurt-stock-prices/> |
| | Feb 2020 | The operators behind Sodinokibi ransomware published download links to files containing what they claim are financial and work documents, as well as customers' personal data, stolen from the U.S. fashion house Kenneth Cole Productions. <https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-posts-alleged-data-of-kenneth-cole-fashion-giant/> |
| | Mar 2020 | The operators of the Sodinokibi ransomware are threatening to publicly share a company's 'dirty' financial secrets because it refused to pay the demanded ransom. As organizations decide to restore their data manually or from backups instead of paying ransoms, ransomware operators are escalating their attacks. <https://www.bleepingcomputer.com/news/security/ransomware-threatens-to-reveal-companys-dirty-secrets/> |
| | Mar 2020 | Recently, the Sodinokibi ransomware operators published over 12 GB of stolen data allegedly belonging to a company named Brooks International for not paying the ransom. <https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-data-leaks-now-sold-on-hacker-forums/> |
| | Apr 2020 | Sodinokibi ransomware to stop taking Bitcoin to hide money trail. <https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-to-stop-taking-bitcoin-to-hide-money-trail/> |
| | Apr 2020 | SeaChange video platform allegedly hit by Sodinokibi ransomware. <https://www.bleepingcomputer.com/news/security/seachange-video-platform-allegedly-hit-by-sodinokibi-ransomware/> |
| | May 2020 | REvil ransomware threatens to leak A-list celebrities' legal documents. <https://www.bleepingcomputer.com/news/security/revil-ransomware-threatens-to-leak-a-list-celebrities-legal-docs/> |
| | May 2020 | REvil ransomware gang publishes 'Elexon staff's passports' after the UK electrical middleman shrugs off the attack. <https://www.theregister.com/2020/06/01/elexon_ransomware_was_revil_sodinokibi/> |
| | May 2020 | REvil ransomware operators carried out another massive data leak, in this instance leaking the confidential data of Agromart Group, a well-known crop production partner. <https://cybleinc.com/2020/06/02/times-up-for-agromart-group-and-their-data-got-leaked-by-revil-ransomware-operators/> |
| | Jun 2020 | REvil ransomware creates eBay-like auction site for stolen data. <https://www.bleepingcomputer.com/news/security/revil-ransomware-creates-ebay-like-auction-site-for-stolen-data/> |
| | Jun 2020 | Researchers with Symantec's Threat Intelligence team observed REvil ransomware operators scanning one of their victims' networks for Point of Sale (PoS) servers. <https://www.bleepingcomputer.com/news/security/revil-ransomware-scans-victims-network-for-point-of-sale-systems/> |
| | Jun 2020 | The threat actor behind the Sodinokibi (REvil) ransomware is demanding a $14 million ransom from the Brazil-based electrical energy company Light S.A. <https://www.securityweek.com/ransomware-operators-demand-14-million-power-company> |
| | Jul 2020 | A ransomware gang has infected the internal network of Telecom Argentina, one of the country's largest internet service providers, and is demanding a $7.5 million ransom to unlock encrypted files. <https://www.zdnet.com/article/ransomware-gang-demands-7-5-million-from-argentinian-isp/> |
| | Jul 2020 | Administrador de Infraestructuras Ferroviarias (ADIF), a Spanish state-owned railway infrastructure manager, was hit by REvil ransomware operators. <https://securityaffairs.co/wordpress/106304/cyber-crime/adif-revil-ransomware-attack.html> |
| | Aug 2020 | Brown-Forman, one of the largest U.S. companies in the spirits and wine business, suffered a cyber attack. The intruders allegedly copied 1 TB of confidential data. <https://www.bleepingcomputer.com/news/security/us-spirits-and-wine-giant-hit-by-cyberattack-1tb-of-data-stolen/> |
| | Sep 2020 | REvil ransomware deposits $1 million in hacker recruitment drive. <https://www.bleepingcomputer.com/news/security/revil-ransomware-deposits-1-million-in-hacker-recruitment-drive/> |
| | Oct 2020 | REvil ransomware gang claims over $100 million profit in a year. <https://www.bleepingcomputer.com/news/security/revil-ransomware-gang-claims-over-100-million-profit-in-a-year/> |
| | Oct 2020 | Today, the threat actors added GPI (Gaming Partners International) to their dedicated leak site. GPI describes itself as a leading provider of casino currency and table game equipment worldwide. <https://www.databreaches.net/revil-ransomware-threat-actors-reveal-their-gaming-company-victim/> |
| | Nov 2020 | Flagship Group revealed last night that its systems were compromised by a 'cyberattack' on Sunday, 1 November. <https://www.theregister.com/2020/11/06/revil_sodinokibi_ransomware_gang_flagship_group_housing/> |
| | Nov 2020 | REvil ransomware gang 'acquires' KPOT malware. <https://www.zdnet.com/article/revil-ransomware-gang-acquires-kpot-malware/> |
| | Nov 2020 | Managed web hosting provider Managed.com has taken its servers and web hosting systems offline as it struggles to recover from a weekend REvil ransomware attack. <https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-managedcom-hosting-provider-500k-ransom/> |
| Counter operations | Jul 2020 | GandCrab ransomware operator arrested in Belarus. <https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-operator-arrested-in-belarus/> |
| Information | | <https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/> <https://krebsonsecurity.com/2019/07/whos-behind-the-gandcrab-ransomware/> <https://www.secureworks.com/blog/revil-the-gandcrab-connection> <https://blog.morphisec.com/threat-profile-gandcrab-ransomware> <https://www.kpn.com/security-blogs/Tracking-REvil.htm> <https://www.cybereason.com/blog/the-sodinokibi-ransomware-attack> |
Last change to this card: 06 January 2021