Adversary: Pinchy Spider - Threat Actor | Crowdstrike Adversary Universe

Pinchy Spider

Origins

Eastern Europe, Russian Federation

Community identifiers

GandCrab, REvil, Sodinokibi, GOLD GARDEN, GOLD SOUTHFIELD

Pinchy Spider is a criminal group behind the development and operation of the ransomware named REvil (aka Sodinokibi) that was brought into operation at the beginning of April 2019.

Pinchy Spider sells access to their ransomware under a partnership program with a limited number of accounts, often referred to as Ransomware-as-a-Service (RaaS). The criminal actor was first known as the developer of the ransomware GandCrab, which was active between January 2018 and the end of May 2019.

REvil
Samples of REvil were first identified in early April 2019, while GandCrab remained active. Analysis by CrowdStrike Intelligence identified several overlaps in code—as well as in Tactics, Techniques, and Procedures (TTPs)—that confirm a link between the GandCrab and REvil operations, including RC4 string decryption, information gathering, command-and-control (C2) techniques, and file encryption. CrowdStrike Intelligence has attributed the operation of REvil to Pinchy Spider, which is formed of some individuals who operated the now-defunct GandCrab together with new individuals from a former GandCrab affiliate network.

GandCrab
GandCrab first emerged at the end of January 2018. It is one of the first known ransomware families to accept the DASH cryptocurrency and to use the Namecoin .bit TLD, which acts as an alternative, decentralized domain name system.

On 31 May 2019, Pinchy Spider stated in a forum post that they were retiring from operations and that the GandCrab partnership program was being closed down. The actor requested no further distribution campaigns and gave members of the partner program 28 days to monetize any remaining infections.

Technical Tradecraft

  • Use of RC4 for string decryption
  • Enumeration of the installed keyboard layout list for locale verification
  • Enumeration and termination of processes associated with files targeted for encryption
  • Enumeration of the machine's domain name for the .ru TLD to avoid encrypting Russian companies

Target Nations

  • Argentina
  • Australia
  • Belgium
  • Brazil
  • Canada
  • Chile
  • China
  • Europe
  • France
  • Germany
  • Hong Kong
  • Indonesia
  • Italy
  • Jamaica
  • Japan
  • Luxembourg
  • Mexico
  • Norway
  • Singapore
  • Slovenia
  • South Africa
  • South Korea
  • Spain
  • Sweden
  • Switzerland
  • Trinidad And Tobago
  • United Arab Emirates
  • United Kingdom
  • United States